The Realization of WS-Security Related Specifications by WSE 3.0.

1. Web Services Security introduction.

Security is a very important aspect in everyday enterprise application. There are several solutions for securing Web Services applications, all of them were transport-protocol based such as IPSec or https through Public Key Infrastructure. Those protocols have the drawback they provide a point-point service.

As part of the evolution and stabilization of Web Services specifications, the WS-Security related specifications appears as a message-based security protocol, they allow providing an end-to-end service, regarding the intermediaries.

WS-Security related specifications cover well-known approaches to follow on the developing a Web Services security specification such as security at granularity level of the message, authentication (using authentication tokens to validate requester identity), authorization (assertion to control access to the provider service), non-repudiation (using digital signature to protect against altering transmitted information) and encryption (for protecting against seeing transmitted information).

In this article, we are going to learn the basic concepts of WS-Security related specifications and how they are implemented by Microsoft Web Service Enhancements 3.0 technology.

1.1 WS-Security specification.

WS-Security specification was established as an approved OASIS open standard in April, 2004.

Creating and managing a secure Web services environment involves dealing with various Internet, XML, and Web services security mechanisms.

The WS-Security specification describes how to incorporate security mechanisms on the Web Services protocol stack as extensions to the SOAP headers. The headers can include authentication, encryption, and signature so that the provider can validate the credentials (security tokens proving identity) of the requester before executing the service. Invalid credentials result return of a fault message to the requester.

The WS-Security specification provides a framework where other security technologies can be plugged for protecting messages. For example, it is not defined any authentication mechanism; instead, it is defined how to transmit a variety of different security tokens using the security header, such as user name/password, Kerberos, and X.509 credentials.

The WS-Security specification also defines how to use XML Signature (for message integrity), and XML Encryption (for message confidentiality). The message integrity is verified to ensure that the messages are being transmitted without any changes. This integrity mechanism allows multiple signatures included the one added by intermediaries. The signature also verifies the claim that the message comes from the right requester. The message encryption allows confidentiality.

1.2 Other related Web Services security specifications.

There are other Web services security specifications, such as WS-Trust, WS-Secure-Conversation, WS-Federation and WS-SecurityPolicy.

WS-Trust, WS-Secure-Conversation, WS-Federation define protocols for establishing agreements between services requesters and providers.

WS-SecurityPolicy specification is used to declare the provider's requirements for security support. It is a policy assertion language that can be used in conjunction to WS-Policy specification. It allows defining assertions associated to a Web Service endpoint. A service requester can discover the WS-SecurityPolicy association using the WS-MetadataExchange protocol or referencing the address of the XML file in which the WS-SecurityPolicy assertion is stored.

The WS-Trust specification defines a process of exchanging security tokens among the parties that participate in the secure communication. A requester may need to obtain the provider's public key for encryption before sending the message. It complements WS-Security with protocols for requesting, issuing, and brokering (delegation, forwarding) security tokens. Network and transport protection (IPSec and TLS/SSL) mechanisms can be used with WS-Trust for different requirements. Security token acquisition can be done directly by explicitly requesting one from an appropriate issuer, or indirectly by delegating the acquisition to a trusted third party. Tokens can also be acquired out-of-band. The specification also uses a mechanism to reference security tokens in those situations when it is advisable to return a security token as part of the security header defined by WS-Security.

The WS-Secure Conversation specification defines a shared context for exchanging messages among the communication parties.

The WS-Federation specification defines how to establish trust relationships across security domains accepting authentication credentials that come from a different security domain (realm).

2. WSE 3.0 Introduction.

Web Services Enhancement version 3.0 (WSE 3.0) is a framework for extending the basic SOAP messaging and supporting emerging new WS-* specifications. WSE 3.0 simplifies the creation of secure, interoperable and scalable Web services and it ships with a design time tool (WSE Settings 3.0) that fully integrates with Visual Studio 2005.

WSE 3.0 allows you to apply security at a higher level of end-to-end messages using policies which are a set of security rules applied to incoming and outgoing messages known as security assertions.

The policy implementation in WSE 3.0 is based on the WS-SecurityPolicy and WS-PolicyAssertion specifications. These policies are used to provide confidentiality, integrity and data origin authentication. It is possible to add capabilities using code or a policy file.

WES 3.0 actually implements the following Web Services specifications grouped by enterprise aspects: 

There are five common scenarios for message level security, and WSE 3.0 provides for them a set of defined security assertions that are called turnkey security assertions.

Turnkey security assertions are requirements and demands for the message exchange with an endpoint, and they allow the developer concentrating on the business logic. 

1. anonymousForCertificateSecurity. The client is anonymous but the service is authenticated using its X.509 certificate, and the client with the server´s public certificate can exchange messages with the service.
2. kerberosSecurity. The client and the service are living within on rot more Windows Domains and Kerberos is the security infrastructure. Kerberos tickets are used for authentication and message protection. Kerberos are single sign-on, provides good performance, and supports impersonalization and delegation.
3. mutualCertificate10Security and mutualCertificate11Security. The client and service exchange X.509 certificates that are used to secure the communication.
4. usernameOverTransportSecurity. The client is identified using a username and password and then authenticated against some credentials storage such as Active Directory or SQL Server. The security protection is done on the transport layer.
5. usernameForCertificateSecurity. The client is identified using a username and password and then authenticated against some credentials storage. The service is authenticated using an X.509 certificate.

You can apply one of these policies through the use of the PolicyAttribute for the service and the SetPolicy method for the generated client proxy. If you follow the declarative programming model, the policies are defined in a policy file which is an XML document consisting of a collection of named policies with the <policy> element, and within the <policy> element is the type of turnkey security assertion (anonymousForCertificateSecurity, kerberosSecurity, mutualCertificate10Security and mutualCertificate11Security, usernameOverTransportSecurity, usernameForCertificateSecurity) element which has several configurable attributes, such as whether to establish a secure session, the message protection, and so on. Depending of the turnkey security assertion, the file has a <serviceToken> element or <clientToken> element which describes where to get the security credentials, and finally the <protection> element indicates what parts of the messages are being signed and encrypted for the request, response and fault messages and the  <requireActionHeader> indicates that all messages must contain the WS-Addressing header; otherwise, the message is rejected.

3. An example using WSE 3.0.

Let's illustrate all the concepts with an example. Our simple project is composed by a Web Service application providing a financial service (debit and credit operations) and a client consuming this service. Because these operations are vulnerable to attacks, we must use WS-Security related specifications for protecting the information integrity.

3.1 Developing the WSE 3.0 Service application.

From Visual Studio 2005, run the Add New Web Site wizard; select the ASP.NET Web Service template, as shown in Figure 1 below, and select a location to save the project structure. By default, the project has a Web Service component defined by the endpoint Service.asmx and the underlying code behind in App_Code special folder.

Figure 1.

Now we are going to add the business objects representing the architectural model of our solution.

The solution uses two entities which represent the inbound and outbound messages of the systems. Listing 1 and listing 2 shows the classes which represent the instances of MessageRequest and MessageResponse respectively. Those classes specify the properties, in our case AccountId, Amount, Status and Balance; and behavior of the entities as well as the schema of XML document for persistence of their instance.

Listing 1.

Listing 2.

Other important business entity is represented by the Account class which classifies uniquely all the accounts inside a Finance and Account Information System, see Listing 3.

Listing 3.

And finally, the code definitions for the service object as shown in Listing 4. 

Listing 4.

Configuring the service for using the framework WSE 3.0 features.

We're going to configure the service project for using framework WSE 3.0.

• In Visual Studio, right-click the application project, and then click WSE Settings 3.0 add-on.
• Select both the Enable this project for Web Services Enhancements and the Enable Microsoft Web Services Enhancement SOAP Protocol Factory check boxes, which then ensure this project uses WSE when processing SOAP incoming and outgoing messages in ASP.NET runtime environment.
• On the Policy tab, select the Enable Policy check box. A policy cache file with the default name "wse3policyCache.config" is added to the project.
• On Edit Application Policy page, click Add, and then type a policy name for the new application policy, such as "KerberosTurnkeyServicePolicy".
• Click OK to start the WSE Security Settings Wizard, and then click Next.
• On the Authentication Settings page, it is provided a choice to secure a service or a client. Select the option for Secure a service application to configure the service.
• It is also provided a choice of authentication methods. Select the option for Windows authentication, and then click Next. See figure 2.
  
  
   
  Figure 2.
• On the Kerberos Token Claims page, it is presented the configuration authorization based on the user name or roles contained in the KerberosToken. Select the Perform Authorization check box for performing authorization through the policy assertion, and then add users and roles as appropriate in the following format domain\principal. In our case, we are going to grant permission to the domain administrator as shown in Figure 3.
  
  
   
  Figure 3.
• On the Message Protection page, it is provided the configuration options for message protection. Select the option for Sign, Encrypt, Encrypt Signature, and select the Enable WS-Security 1.1 Extensions checkbox. WS-Security 1.1 Extensions allows using signature confirmation to correlate a response message from the service with the request message. Clear the Establish a Secure Session checkbox, it will be explained later why? See Figure 4.
  
  
   
  Figure 4.
• On the Create Security Settings page, it is possible to see what the wizard is going to generate for your application security policy, as shown in Figure 5.
  
  
  
  Figure 5.

Now we're going to see why we cleared the Establish a Secure Session checkbox.

Listing 5.