Need Web services security? Dig into WSE 3.0 for Microsoft .NET

In a tight nutshell, WSE 3.0 delivers the following capabilities to developers:

• Improved digital signatures and encryption for Web services communication, using Kerberos tickets, X.509 certificates, or custom binary or XML-based security tokens (WS-Security)

More on .NET application security Best Practice: Enforcing password complexity DevPartner SecurityChecker 2.5 does just that for ASP.NET sites Handy CryptoTools offers many options for drop-in encryption/decryption

• The use of username and password credentials for authentication
• The ability to handle digital signature confirmation, opaque security tokens, and creation of encrypted key tokens (based on WS-Security, WS-SecureConversation, and WS-Trust specifications)
• Support for policy-driven Web services security
• Support for a trust-issuing service that may be used to retrieve and validate security tokens
• Support for secure conversations to maintain longstanding secure communications links between communication peers
• Support for bulk binary data transfers using the W3C SOAP Message Transmission Optimization Mechanism (MTOM, which also works with WS-Security, and can reduce message size as transmitted to ease congestion on low bandwidth links)

This add-on works with all Microsoft operating systems from Windows 2000 forward (though the download description makes no mention of Vista, it should be compatible nevertheless). It also works with all versions of Visual Studio 2005, except the Express Editions, which lack the ability to handle control add-ins. For the Express editions, a standalone version of the WSE configuration tool is available; however, the standard WSE configuration tool installs and integrates directly with all other Visual Studio 2005 versions).

The biggest selling point for WSE 3.0 is what Microsoft calls Turnkey Security Assertions, which have been designed to match common practices employed when securing Web services. Each of these items may be invoked using the WSE wizard, after enabling Web Service Enhancements, the related SOAP Protocol Factory, and creating (or modifying) a Policy File.

After that, client authentication becomes simply a matter of choosing among available options: anonymous (based on certificates, where there is no need to identify those who access a server) username, certificate, or Windows, where each method is based on one of the Turnkey Security Assertions.

Overall, this is a power and useful add-on for Visual Studio and well worth digging into and using when enhanced security for Web services is desirable or required. Check it out, and I'm sure you'll agree!

Ed Tittel is a writer and trainer whose interests include XML and development topics, along with IT Certification and information security. E-mail etittel@techtarget.com with comments, questions, or suggested topics or tools to review. Cool tools rule!

Rate this Tip To rate tips, you must be a member of SearchWinDevelopment.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Application Testing and Security Advanced Windows Debugging Book Chapter and Podcast Book excerpt: Advanced Windows Debugging Book excerpt: Pragmatic unit testing in C# with NUnit Security interoperability with .NET/WSE and WebLogic Workshop 8.1 How to avoid regression bugs while adding new features NDepends: How you look at code Ten ways to unit test your .NET code On ASP.NET AJAX testing and debugging tools Beginning Windows CardSpace development Generate RSA public and private keys, export to XML Web services and SOA implementations in the .NET Framework Outgoing Bill Gates says UML on tap in Oslo SOA modeler Podcast: Windows CardSpace authors speak Open XML SDK ready for the road Some of the Zen of Volta Scaling WCF applications can challenge development teams Security interoperability with .NET/WSE and WebLogic Workshop 8.1 Book excerpt: Hands-on Windows Communication Foundation A SOA versioning covenant .NET Framework 3.5: Communication, database improvements abound New JMS adaptors target .NET, BizTalk Server apps .NET Framework Web application security Security interoperability with .NET/WSE and WebLogic Workshop 8.1 On ASP.NET AJAX testing and debugging tools Ajax security holes and how to fill them DevPartner SecurityChecker 2.5 does just that for ASP.NET sites VSLive: Membership and security in ASP.NET apps Test and debug an ASP.NET app: Chp. 4 of Murach's ASP.NET 2.0 Web Programming with C# 2005 Compuware updates ASP.NET security tool Learning Guide: Top 10 most critical Web application security vulnerabilities How to build secure ASP.NET applications How to build secure ASP.NET applications RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary scripting language  (SearchWinDevelopment.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.