Monday, September 8, 2008

Securing Your .NET Web Services

By Mike Best

Security has often been the neglected stepchild of software development, but it is increasingly coming under closer scrutiny. As Web Services are deployed in greater numbers, the security of these access points into an organizations business processes can no longer be relegated to backseat status.

Generally, you will have three general security scenarios for a Web Service:

Those that are open to the general population, with no authentication
Those that are open to the general population, but with authentication
Those that are open to a controlled sub-set of users, such as a companys employees
For this article, we'll assume that some sort of security is required. In addition, to simulate the scenario that will be common for many Web Services, we'll assume that the user base of our Web Services will not be confined to those users within our intranet.

At this point it is important to define several terms that are used in the context of IIS and ASP.NET security:

Authentication is the process of determining the identity of the requester, and whether that identity exists within the set of known users.
Authorization is the process of determining if a given identity has the rights to perform a requested action.
Impersonation is the process of accessing resources as another user. In this case, it would be an ASP.NET application or Web Service accessing resources using a users permissions, rather than the default user account under which ASP.NET runs.
Because .NET Web Services are based upon IIS and ASP.NET, the security model for Web Services is inherited from these technologies. However, Web Services will have different considerations than ASP.NET applications when developing a security strategy. Obviously, Web Services do not have user interfaces with which users can interact.

You can think of the available security services as layers (see Figure 1 below). These layers sit upon one another, can be used in various combinations, and are provided by either IIS or the ASP.NET runtime. These various security implementations will be discussed in the next section.


ASP.Net Feeds