Академический Документы
Профессиональный Документы
Культура Документы
Expert Service-Oriented
Architecture in C#
Second Edition - Jeffrey Hasan with Mauricio Duran
Page 2 of 7
to protect the integrity and confidentiality of messages and to implement
authentication and authorization models in your Web services. The WS-
Security specification enables you to implement the following protections in
your Web service calls:
Authentication Models
The characteristics of your deployment environment will give you the
option to choose between different types of authentication
mechanisms. Your decision will depend upon several factors, such as
existing security infrastructure, interoperability requirements, and
organizational boundaries. Let’s review direct authentication and
discuss brokered authentication.
Direct Authentication
In this model, the client provides its credentials and the service is
responsible for the validation of the credentials against an identity
store, such as LDAP or a SQL Server database. In the majority of
Page 3 of 7
cases, these credentials will be passed as a username and password
and both the service and the client have the responsibility to maintain
these credentials as confidential. If the client and the service do not
manage these credentials appropriately the security of the information
is compromised. For example, relying on a service to manage its own
passwords using a SQL Server database leaves the door open for
possible mistakes. The developer implementing the solution could
choose to store the passwords in plain text format and someone who
gains access to the database could read those credentials.
This model is most frequently used when there is no security
infrastructure that can be used by both parties during the
authentication process. The diagram in Figure 1-1 shows how the
client, service, and identity store interact in order to validate a client
request.
Brokered Authentication
In this model, the client and the service do not attempt to authenticate
each other directly. They use an intermediary that validates the
client’s identity and then provides a security token as proof of
successful authentication. The client attaches this token to the request
and the service uses this token to authenticate the client. In the real
world this is equivalent to a passport or a driver’s license, which is
tamperproof and secure enough to be trusted. There are government
Page 4 of 7
agencies responsible for the validation of the person’s identity and, in
the case of the driver’s license, validation of the person’s driving skills.
These agencies require different documentation to validate the
person’s identity. Once the license or passport is issued, the person
can use it to identify himself at places such as banking institutions.
Similar to this analogy, authentication brokers, such as VeriSign or
Windows Active Directory, require the entity to provide enough
information to validate its identity. In the case of VeriSign, it requires
documentation to validate whether the organization is registered and
legitimate and still active.
Security tokens have a duration period; some of them, such as X.509
certificates, can last years, and some others, such as Kerberos tickets,
can last only minutes or hours.
The duration of an X.509 certificate depends on the criteria used by
the certificate authority when it extends the certificate. In the case of
VeriSign, it extends for a limited number of years, because with every
renewal it wants to reverify whether your corporation is in good
standing. An Active Directory Kerberos ticket has a default duration of
ten hours; this value can be modified using the Group Policy Object
Editor at the domain level.
The diagram in Figure 1-2 shows a client that requests a security
token and then uses it to communicate with two services. You can
notice that the client only needs to request the token once during this
session, which helps reduce the transaction time. Another important
aspect of the diagram is that two services are using the same
authentication broker. This is one of the main advantages of this
model, because it provides a centralized authentication authority and it
allows for easier management of the identity store.
Page 5 of 7
Figure 1-2. A brokered authentication model
Page 6 of 7
Venice Consulting Group
501 Milwood Ave.
Venice CA 90291
Summary
In this whitepaper we explained some important security concepts and we gave you
an overview about why WS-Security and WSE 3.0 play such an important role when
building .NET-based Web services or Web service consumers. We also discussed the
concepts of direct and brokered authentication and provided a list of the
implementation options provided by WSE 3.0.
To learn more about WSE 3.0 you can read the book Expert Service-Oriented
Architecture in C# 2005, 2nd Edition, published by Apress (ISBN: 1-59059-701-x).
This whitepaper is an extract from Chapters 6 and 7 of this book.
Page 7 of 7