Web Services:
The idea of a Web service developed from the evolution of the Internet. The intent behind a Web service is to drive the Internet as a transactional tool rather than simply a visual tool. These application-to-application interactions are driven by, and built on, existing standards such as:
Extensible Markup Language (XML)
Hypertext Transfer Protocol (HTTP)
SOAP
Universal Description, Discovery, and Integration (UDDI)
Web Services Description Language (WSDL).
Important Components of a Web Service:
Web Services, SOAP, UDDI, and WSDL represent the roles mentioned in these steps.
SOAP (Simple Object Access Protocol) is the method by which messages are sent between different modules. This is similar to how you communicate with a search engine, which holds an index of the Web sites registered against their keywords.
UDDI (Universal Description, Discovery, and Integration) is the global lookup base for locating services. In the example mentioned earlier, it is analogous to the search engine's index service, in which all the Web sites register themselves along with their keywords. It maintains a record of all the pharmacy store locations throughout the country.
WSDL (Web Services Definition Language) is the method through which different services are described in the
*** Web Service Security ***
Security is a primary consideration when using Web services in an application.
There are several techniques available for architecting secure Web services.
* Secure Web Service using User Authentication:
The service accepts credentials from the user and validates their authority.
This is a flexible way of securing Web services with method-level authorization, and the process is very simple. The developer passes two extra parameters in each method call, a user id and a password, or alternatively a GUID. This technique allows users to access the Web service from any location and, unlike SSL and IP blocking, does not block unauthorized users from the other resources on the Web site.
Upsides:
1. A very traditional and flexible method.
2. Because the entire process is handled at the method level, it provides better audit tracking.
3. After authenticating the user we can check access permissions, i.e. authorize the user for a particular part of the Web service.
Downsides:
1. It leads to a more expensive development process, because the developer has to design a solution for storing the sensitive credential data and bears the risk of encoding and decoding those sensitive parameters.
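As an added example (not the post's own code), here is how such a method-level check can be written in an ASMX service: the user id and password arrive as extra parameters, are checked against a stored salted hash rather than a stored password, and each call is authorized per method and audited. The class, user store, permission table and method name are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;

// Added example, not the post's own code: an ASMX web method that takes the caller's user id
// and password as extra parameters (the technique described above), checks them against a
// stored PBKDF2 hash, authorizes that one method, and audits the decision. Sample data only.
public class OrderService : WebService
{
    private const int Iterations = 100000;
    // user id -> (salt, PBKDF2 hash). Only a hash is stored, never the password itself.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>();
    // Method-level authorization: which user ids may call which web method (constructed).
    private static readonly Dictionary<string, HashSet<string>> Permissions =
        new Dictionary<string, HashSet<string>> { { "GetOrder", new HashSet<string> { "alice" } } };
    public static void Register(string userId, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            Users[userId] = Tuple.Create(salt, kdf.GetBytes(32));
    }
    // Constant-time comparison: timing must not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Authenticate, then authorize the named method; every decision goes to the audit trace.
    private static bool Authorize(string userId, string password, string method)
    {
        bool ok = false;
        if (Users.TryGetValue(userId, out var rec))
            using (var kdf = new Rfc2898DeriveBytes(password, rec.Item1, Iterations))
                ok = FixedTimeEquals(kdf.GetBytes(32), rec.Item2);
        ok = ok && Permissions.ContainsKey(method) && Permissions[method].Contains(userId);
        System.Diagnostics.Trace.WriteLine(string.Format("{0:o} user={1} method={2} {3}", DateTime.UtcNow, userId, method, ok ? "ALLOW" : "DENY"));
        return ok;
    }
    [WebMethod]
    public string GetOrder(string userId, string password, int orderId)
    {
        if (!Authorize(userId, password, "GetOrder")) throw new UnauthorizedAccessException("Access denied");
        return "order " + orderId; // placeholder business logic
    }
}
```

Because the credentials travel inside every request, this pattern still needs to run over SSL so they are not exposed on the wire.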
* Secure Web Service by IP blocking:
It is simple and easy to implement, and requires no effort from the end user. IP blocking is the process of identifying the IP addresses from which Web requests will be accepted, usually by specifying a list of acceptable IP addresses. Each time the server receives a Web request, it compares the sending IP address against that list. If the IP is on the list, the request is fulfilled normally; if not, the server returns an HTTP 403.6 error. Here authentication and authorization occur at the server level. Because it works at the Web site level, a request from a wrong IP address is blocked from the entire site. Detailed audit tracking is not possible, and it is easy for attackers to spoof the IP address.
You can obtain the client IP address in your Web service method simply by using
HttpContext.Current.Request.UserHostAddress;
Or
HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"];
When the request arrives through a proxy server, the above returns the proxy server's IP address.
You can retrieve the actual client IP address from the X-Forwarded-For header (a value written by the proxy, so it is only as trustworthy as the proxy that set it) by using
HttpContext.Current.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
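The following is an added example, not code from the post, showing an allow-list check built on the two server variables above; it honours HTTP_X_FORWARDED_FOR only when the connecting peer is a known proxy, which is the spoofing risk the text mentions. The class name, allow-list and proxy addresses are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web;

// Added example, not the post's own code: an IP allow-list check for an ASP.NET web method.
// REMOTE_ADDR comes from the TCP connection and cannot be set by the sender of the HTTP
// request; HTTP_X_FORWARDED_FOR is an ordinary header, so it is only honoured when the
// connecting peer is one of our own proxies. All addresses below are constructed samples.
public static class IpAllowList
{
    // Client addresses permitted to call the service.
    private static readonly HashSet<string> Allowed = new HashSet<string> { "203.0.113.10", "203.0.113.11" };
    // Reverse proxies we operate; only they are trusted to report a forwarded client address.
    private static readonly HashSet<string> TrustedProxies = new HashSet<string> { "10.0.0.5" };

    // Decide which address to check against the list.
    public static string ResolveClientAddress(string remoteAddr, string forwardedFor)
    {
        if (!TrustedProxies.Contains(remoteAddr) || string.IsNullOrWhiteSpace(forwardedFor))
            return remoteAddr;
        // A proxy appends the address it saw, so with one trusted hop the last entry is
        // the real client; any earlier entries were supplied by the client itself.
        string[] hops = forwardedFor.Split(',');
        string candidate = hops[hops.Length - 1].Trim();
        // Reject malformed values so a garbage header cannot slip past the list.
        IPAddress parsed;
        return IPAddress.TryParse(candidate, out parsed) ? parsed.ToString() : remoteAddr;
    }

    // Call at the top of each [WebMethod]; answers 403.6 (IIS "IP address rejected") to
    // callers that are not on the list and returns false so the method can stop early.
    public static bool Enforce(HttpRequest request, HttpResponse response)
    {
        string client = ResolveClientAddress(
            request.ServerVariables["REMOTE_ADDR"],
            request.ServerVariables["HTTP_X_FORWARDED_FOR"]);
        if (Allowed.Contains(client))
            return true;
        response.StatusCode = 403;
        response.SubStatusCode = 6; // honoured in IIS integrated pipeline mode
        response.StatusDescription = "Forbidden: IP address rejected";
        return false;
    }
}
```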
* Secure Web Service by Digital Certificates:
This is a flexible technique; as with user authentication, the code that verifies the certificate has to be written in every Web method. To use it, a digital certificate must be installed on each client machine. The certificate verifies the client's identity via a third party that creates a unique certificate for every client machine using industry-standard encryption. When the client requests a Web service, the certificate travels with the request and is used to verify the caller; if the certificate does not match, a user-friendly message is generated, as in the user authentication technique. It builds on SSL (Secure Socket Layer): when a machine sends a request to the server, the server responds with a copy of its certificate and the public portion of its encryption key. The client verifies the public key against the Certification Authority; if it matches, the client prepares its request and encrypts it using the public key received from the server. The encrypted message is then sent to the server, which decrypts it using the private portion of the key stored on the server. Because all communication from the client machine is encrypted, attackers intercepting Web service calls will only see the encrypted message. In this way it is a very cost-effective process, and it provides detailed audit tracking. Certificate verification does not occur until a Web method call is actually made, so visitors can still view the WSDL pages for the Web services and their associated Web pages.
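As an added example (not the post's own code), this is the per-method certificate check described above for an ASMX service running behind IIS with client certificates required; the class name, expected issuer, allowed subjects and method name are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Services;

// Added example, not the post's own code: the per-method certificate check the text
// describes, for an ASMX service behind IIS configured to require client certificates.
// The expected issuer and the allowed subject names are constructed placeholders.
public class CertificateService : WebService
{
    private const string ExpectedIssuer = "CN=Example Internal CA"; // placeholder
    private static readonly HashSet<string> AllowedSubjects =
        new HashSet<string> { "CN=pharmacy-client-01", "CN=pharmacy-client-02" };

    // Returns the subject name of an acceptable client certificate, or null.
    private static string VerifyClient(HttpRequest request)
    {
        HttpClientCertificate cert = request.ClientCertificate;
        // IsValid reflects IIS's chain validation; IsPresent alone is not enough.
        if (!cert.IsPresent || !cert.IsValid) return null;
        // Re-parse the raw certificate so the checks use the X.509 fields directly.
        var x509 = new X509Certificate2(cert.Certificate);
        DateTime now = DateTime.UtcNow;
        if (now < x509.NotBefore.ToUniversalTime() || now > x509.NotAfter.ToUniversalTime()) return null;
        // Pin the issuing CA, then map the subject to the client identities we allow.
        if (x509.Issuer != ExpectedIssuer) return null;
        return AllowedSubjects.Contains(x509.Subject) ? x509.Subject : null;
    }

    [WebMethod]
    public string GetStoreLocations(string region)
    {
        string client = VerifyClient(Context.Request);
        if (client == null)
        {
            Context.Response.StatusCode = 403;
            throw new UnauthorizedAccessException("A valid client certificate is required");
        }
        return "locations for " + region + " requested by " + client; // placeholder
    }
}
```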