Web Services Enhancements 2.0: Security and Policy (VB.NET)
By: MSDN Virtual Labs
    2006-07-13

    Table of Contents:
  • Web Services Enhancements 2.0: Security and Policy (VB.NET)
  • Creating User Accounts and Groups
  • Sending a UsernameToken
  • Requiring a UsernameToken
  • Implementing a UsernameTokenManager
  • Signing with a UsernameToken
  • Encrypting with a UsernameToken


    If you want to use WSE 2.0 to secure SOAP messages, then this lab is for you. It is aimed at developers familiar with .NET and basic Web services concepts. The first of several parts, it was written by Microsoft Virtual Labs.

    Objectives

    After completing this lab, you will be able to:

    • Secure Web Services with UsernameToken.
    • Secure Web Services with X.509 Certificates.
    • Automate Security with Policies.
    • Optimize Security with Secure Conversation.
    • Route Secure Messages.

      Note: Because this lab focuses on concepts, it may not comply with Microsoft security recommendations.

    Scenario  

    This lab will help you understand how to use WSE 2.0 to secure SOAP messages with authentication, integrity and confidentiality. You’ll learn how to accomplish this manually using the WSE 2.0 security APIs as well as declaratively through a policy.

    This lab was designed for developers already familiar with .NET and basic Web services concepts. Specifically, you should have experience working with VB.NET, ASP.NET, Visual Studio .NET solutions, XML and basic security concepts (users, roles, etc.).

    If you get stuck on a particular exercise you can self-diagnose the issue by looking at the solution in the after directory of each exercise.

    By completing this lab, you will better understand WSE 2.0's overall security features including the support for WS-Security, WS-Trust, and WS-SecureConversation, and the WS-Policy specifications. You'll learn how to implement the most common security needs in your Web services applications, specifically how to handle authentication, integrity, and confidentiality concerns. First you'll implement these features manually in your code and then you'll automatically enable them through policy files. Then, you'll see the benefits of this message-oriented security model first hand when you configure your application to route messages through an intermediary.

    Estimated time to complete this lab: 90 minutes

    Exercise 1 Securing Web Services with UsernameToken

    Scenario

    Your first exercise involves securing a Web service. WS-Security defines a message-oriented framework for securing Web services. A message-oriented framework makes it possible to secure Web services in a transport-neutral way. Although Web services can be secured using SSL, such a solution is tied to HTTP for practical purposes.

    Many Web services desire message-level access control, integrity and privacy. WS-Security facilitates achieving these goals by defining mechanisms for authenticating, signing, and encrypting SOAP messages respectively. Once a message has been authenticated, it's also possible to authorize access to specific operations based on the message's credentials.

    WSE 2.0 provides an implementation of WS-Security in the Microsoft.Web.Services2.Security namespace. The WSE 2.0 implementation makes it possible to authenticate, sign, and encrypt the SOAP messages used in your WebMethods. It also makes it possible to authorize access to specific functionality based on the incoming message's credentials.

    You'll be working in the Exercises\A\before directory. If you get stuck along the way, feel free to check out the solution found in Exercises\A\after.

    Task: Getting Started

    Detailed steps:


      1. Click in the virtual machine window. 
      2. Click the Administrator icon.
      3. Log on as Administrator with a password of password.
      4. Before you begin, run the setup script found in C:\Microsoft Hands-on-Lab\DEV-HOL34\VB\Exercises\setup.js.
      5. Open Windows Explorer and navigate to C:\Microsoft Hands-on-Lab\DEV-HOL34\VB\Exercises\A\before and double-click SecureInvoiceA.sln. This solution consists of two projects: SecureInvoiceClient and SecureInvoiceServiceA.
      6. Familiarize yourself with the client and server code. These two projects constitute an invoice management system. Run SecureInvoiceClient and experiment with the different operations. Notice that any user (including no user) can perform any of the supported operations. If you run the SecureInvoiceClient application and press View, you should see the following results:
          


      7. Close the Invoice Manager application. 
      8. The SecureInvoiceServiceA virtual directory is not performing any type of HTTP authentication when messages arrive. Go to Internet Information Services and verify this.
      9. Click Start | Administrative Tools | Internet Information Services.
      10. Open CLIENT1 | Web Sites | Default Web Site.
      11. Right click on the SecureInvoiceServiceA virtual directory and select Properties.
      12. Click the Directory Security tab.
      13. Click Edit in the Anonymous access and authentication control area.
      14. If the Anonymous access checkbox is not checked, check it. We're not going to use the built-in HTTP authentication provided by IIS. We're going to use WSE 2.0's WS-Security implementation instead.
      15. Click OK.
      16. Click OK.
      17. Close Internet Information Services.
      18. Your goal is to add security features that control access to the various operations based on the credentials of the incoming message. Assume that the application supports the following groups of users and corresponding rights:

        Group         Rights
        User          View invoices
        Vendor        Submit invoices
        Manager       Approve invoices
        Accounting    Pay invoices
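
The rights table above expressed as a deny-by-default authorization check, as an added example that is not part of the lab's own code. It uses only System.Security.Principal types; the IPrincipal argument stands for the identity established from the incoming message's credentials, and the names InvoiceAuthorization, RequiredGroup, IsAuthorized and the sample callers are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Principal

Module InvoiceAuthorization

    ' Group required for each operation, taken from the lab's rights table.
    ' Returns Nothing for an operation the table does not list.
    Function RequiredGroup(ByVal operation As String) As String
        Select Case operation
            Case "View" : Return "User"
            Case "Submit" : Return "Vendor"
            Case "Approve" : Return "Manager"
            Case "Pay" : Return "Accounting"
            Case Else : Return Nothing
        End Select
    End Function

    ' Deny by default: a missing principal, an unauthenticated identity, an
    ' unknown operation, or a caller outside the required group is refused.
    Function IsAuthorized(ByVal caller As IPrincipal, ByVal operation As String) As Boolean
        If caller Is Nothing OrElse caller.Identity Is Nothing Then Return False
        If Not caller.Identity.IsAuthenticated Then Return False
        Dim required As String = RequiredGroup(operation)
        If required Is Nothing Then Return False
        Return caller.IsInRole(required)
    End Function

    Sub Main()
        ' Constructed sample callers; names and group memberships are illustrative.
        ' A GenericIdentity with an empty name reports IsAuthenticated = False.
        Dim callers() As IPrincipal = {
            New GenericPrincipal(New GenericIdentity("alice"), New String() {"User"}),
            New GenericPrincipal(New GenericIdentity("bob"), New String() {"User", "Manager"}),
            New GenericPrincipal(New GenericIdentity(""), New String() {}),
            Nothing
        }
        Dim operations() As String = {"View", "Submit", "Approve", "Pay", "Delete"}

        For Each caller As IPrincipal In callers
            Dim name As String = "(no token)"
            If caller IsNot Nothing Then name = "'" & caller.Identity.Name & "'"
            For Each op As String In operations
                Console.WriteLine("{0,-12} {1,-8} {2}", name, op,
                                  If(IsAuthorized(caller, op), "allow", "deny"))
            Next
        Next
    End Sub

End Module
```

The last two callers model the "no user" case called out in step 6: both are denied every operation, which is the behaviour the unmodified service lacks.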

     

    More Visual Basic.NET Articles
    More By MSDN Virtual Labs


       · This lab is excerpted from a larger document titled "Web Services Enhancement 2.0:...
       · I wonder that where I can find SecureInvoiceA.sln you mentioned in Web Services...
       · Please check our link to the Microsoft Virtual Labs website, ...
       · i havent got the SecureInvoiceA.sln...i checked in the link u provided...can u...
       · Microsoft must have moved a few things around -- try this:...
       · Web Services Enhancements 2.0: Security and Policy (VB.NET), The reason for going...
       · Can you specify the location of SecureInvoiceClient project.Urgent reply soon
     

    VISUAL BASIC.NET ARTICLES

    - Types of Operators in Visual Basic
    - Operators
    - Understanding Custom Events using Visual Bas...
    - Polymorphism using Abstract Classes in Visua...
    - Shadowing using Shadows in Visual Basic.NET ...
    - Overloading and Overriding in Visual Basic.N...
    - More on Controlling Windows Fax Services Usi...
    - Programmatically Controlling Windows Fax Ser...
    - Focusing on Forms and Menus in Visual Basic
    - Manipulating Forms with the Windows Forms Li...
    - Basics of the Windows Forms Library
    - Forms, Controls, and Other Useful Objects
    - Implementing OOP to Develop Database Oriente...
    - Using Themes and Skins for Personalization w...
    - A Deeper Look at Personalization using Visua...

     
    Accelerating Trading Partner Performance
     
    Competing on Analytics
     
    Cost Effective Scaling with Virtualization and Coyote Point Systems
     
    Five Checkpoints to Implementing IP Telephony
     
    Hosted Email Security: Staying Ahead of New Threats
     




    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 3 hosted by Hostway