Microsoft's WSE 3.0 is an add-on designed for Microsoft Visual Studio 2005 and the .NET Framework 2.0. It is provided to permit designers to up the security ante for Web services, with support for various Web services protocols and related specifications.
In a tight nutshell, WSE 3.0 delivers the following capabilities to developers:
- Improved digital signatures and encryption for Web services communication, using Kerberos tickets, X.509 certificates, or custom binary or XML-based security tokens (WS-Security)
- The use of username and password credentials for authentication
- The ability to handle digital signature confirmation, opaque security tokens, and creation of encrypted key tokens (based on WS-Security, WS-SecureConversation, and WS-Trust specifications)
- Support for policy-driven Web services security
- Support for a trust-issuing service that may be used to retrieve and validate security tokens
- Support for secure conversations to maintain longstanding secure communications links between communication peers
- Support for bulk binary data transfers using the W3C SOAP Message Transmission Optimization Mechanism (MTOM, which also works with WS-Security, and can reduce message size as transmitted to ease congestion on low bandwidth links)
This add-on works with all Microsoft operating systems from Windows 2000 forward (though the download description makes no mention of Vista, it should be compatible nevertheless). It also works with all versions of Visual Studio 2005, except the Express Editions, which lack the ability to handle control add-ins. For the Express Editions, a standalone version of the WSE configuration tool is available; however, the standard WSE configuration tool installs and integrates directly with all other Visual Studio 2005 versions.
The biggest selling point for WSE 3.0 is what Microsoft calls Turnkey Security Assertions, which have been designed to match common practices employed when securing Web services. Each of these items may be invoked using the WSE wizard, after enabling Web Service Enhancements and the related SOAP Protocol Factory, and creating (or modifying) a Policy File.
After that, client authentication becomes simply a matter of choosing among available options: anonymous (based on certificates, where there is no need to identify those who access a server), username, certificate, or Windows, where each method is based on one of the Turnkey Security Assertions.
Overall, this is a powerful and useful add-on for Visual Studio and well worth digging into and using when enhanced security for Web services is desirable or required. Check it out, and I'm sure you'll agree!
Ed Tittel is a writer and trainer whose interests include XML and development topics, along with IT Certification and information security. E-mail email@example.com with comments, questions, or suggested topics or tools to review. Cool tools rule!