Automating Security with Policies in Web Services (Page 1 of 4)
Last week's exercise taught you how to install a sample X.509 certificate and configure your applications to take advantage of their improved security. This week's exercise gets into policies, which allow for greater automation of certain aspects of security. It is the third in a series of exercises that are part of a lab titled "Web Services Enhancements 2.0: Security and Policy," written by MSDN Virtual Labs.
Exercise 3 Automating Security with Policies
Scenario
In the last two exercises you were able to secure the SecureInvoiceService application by requiring UsernameToken authentication, message signatures, encryption, and implementing authorization checks in your WebMethod code. You also used X.509 certificates for signing and encrypting messages, which provided stronger security in the areas of integrity and privacy.
Implementing these security features was a manual process, meaning you had to write code to introduce the functionality. This can be tedious and error-prone. A better approach would allow developers to enable security features declaratively, without having to write any code, while relying on the infrastructure to take care of the details.
WS-Policy is a Web services specification that allows Web services to describe policies. A policy describes the requirements, preferences, and capabilities of a service. A policy statement consists of one or more policy assertions (see WS-PolicyAssertions and WS-SecurityPolicy). Developers can read policy statements to learn how to deal with the service appropriately. Infrastructure can programmatically inspect policy statements in order to automate the code you wrote in the previous exercises. WSE 2.0 provides support for all of these specifications as you'll see below. In this exercise, you're going to secure SecureInvoiceService with minimal code.
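Once security is declared in a policy instead of coded, the policy file decides whether messages are protected, so it is worth checking mechanically. The following added example (not from the lab or from WSE 2.0) inspects a policy statement the way infrastructure would and reports which protections it does not make mandatory. The namespace URIs are those of the 2002/12 WS-Policy and WS-SecurityPolicy drafts, assumed here; the sample policies and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: namespaces of the 2002/12 WS-Policy / WS-SecurityPolicy drafts.
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSSP = "http://schemas.xmlsoap.org/ws/2002/12/secext"

def build_policy(body):
    """Wrap assertion markup in a wsp:Policy element (constructed sample input)."""
    return f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:wssp="{WSSP}">{body}</wsp:Policy>'

# Constructed samples, simplified; not the lab's policy file.
WEAK = build_policy(
    '<wssp:Integrity wsp:Usage="wsp:Required">'
    '<wssp:MessageParts>wsp:Body()</wssp:MessageParts></wssp:Integrity>'
    '<wssp:Confidentiality wsp:Usage="wsp:Optional">'
    '<wssp:MessageParts>wsp:Body()</wssp:MessageParts></wssp:Confidentiality>')
ALTERNATIVE = build_policy(
    '<wssp:Integrity wsp:Usage="wsp:Required"/>'
    '<wsp:ExactlyOne><wssp:Confidentiality wsp:Usage="wsp:Required"/>'
    '<wssp:SecurityToken wsp:Usage="wsp:Required"/></wsp:ExactlyOne>')
STRICT = build_policy(
    '<wsp:All><wssp:Integrity wsp:Usage="wsp:Required"/>'
    '<wssp:Confidentiality wsp:Usage="wsp:Required"/></wsp:All>')

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def guaranteed(node, found):
    """Map each assertion that every conforming message must meet to its usage."""
    for child in node:
        ns, name = split_tag(child.tag)
        if ns == WSP and name in ("Policy", "All"):
            guaranteed(child, found)   # all children of wsp:All must hold
        elif ns == WSSP:
            # Usage is a QName such as wsp:Required; keep the local part.
            found[name] = child.get(f"{{{WSP}}}Usage", "").rpartition(":")[2]
        # Other wsp operators (ExactlyOne, OneOrMore) list alternatives,
        # so nothing inside them is guaranteed and they are skipped.
    return found

def unenforced(policy_xml, needed=("Integrity", "Confidentiality")):
    """Return the needed assertions the policy does not mark Required."""
    found = guaranteed(ET.fromstring(policy_xml), {})
    return [name for name in needed if found.get(name) != "Required"]

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("alternative", ALTERNATIVE), ("strict", STRICT)):
        print(label, unenforced(doc) or "all required protections enforced")
```

An assertion with a missing `Usage` attribute, or one that appears only inside an alternative, is reported as unenforced, so the check fails closed.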
You'll be working in the Exercises\C\before directory.
Tasks Detailed steps
Getting Started.
You can write policies for receiving messages as well as for sending messages. In this exercise you're going to write a policy that describes messages received by the Web service.
- Return to Visual Studio .NET 2003.
- Click File | Open | Project.
- Navigate to C:\Microsoft Hands-on-Lab\DEV-HOL34\VB\Exercises\C\before.
- Select PolicyInvoice.sln and click Open. This solution consists of two projects: PolicyInvoiceClient and PolicyInvoiceService.
- The code in PolicyInvoiceClient is nearly identical to the SecureInvoiceClient project you started with before adding security features. The only difference is that WSE 2.0 has already been enabled.
- The code for PolicyInvoiceService is identical to the SecureInvoiceService project you started with before adding security features. The only difference is that WSE 2.0 has already been enabled.
Note: The service doesn't currently require any security features, such as security tokens, signatures, or encryption.
- Build the solution. Run the client and verify that security is not currently in place.
Note: Your goal now is to provide the same security features you implemented in the previous exercises without writing a single line of code. You'll accomplish this with a policy.