的网络服务安全

WSE3.0的网络服务安全内容提要背景介绍ASPNETWSE(WebServicesEnhancements)WCF(WindowsCommunicationFoundation)WSE3.0应用较为广泛的功能块SecurityPolicyDiagnosticsTools从WSE到WCF互操作性Interoperability转换Migration背景介绍-攀登WebServices的阶梯ASP.NETWSEWCFASP.NET网络服务网络基础应用软件层传输层ConnectedApplicationsManagementBusinessProcess…SecurityMessagingXMLMetadataHTTPTCPCustom…ReliabilityTransactions.NETv2.0平台网络服务与WS-IBasicProfile兼容定义WebServiceBindingattribute[WebServiceBinding(ConformsTo=WsiProfiles.BasicProfile1_1,EmitConformanceClaims=true)][WebService(Namespace=Microsoft.TechEdChina.WebServices)]publicclassBPConformance_asmx{[WebMethod]publicstringHelloWorldBP(){stringmessage='HelloWorld'fromaBasicProfilecompliant(BP-compliant)WebService.;returnmessage;}}WebServicesEnhancements(WSE)网络基础应用软件层传输层ConnectedApplicationsManagementBusinessProcess…SecurityReliabilityTransactionsMessagingXMLMetadataHTTPTCPCustom…WSE3.0网络服务建立在.NET平台上定义Policyattribute[WebService(Namespace=Microsoft.TechEdChina.WebServices)][Microsoft.Web.Services3.Policy(“MyServerPolicy”)]publicclassWSE_asmx{[WebMethod]publicstringHelloWorld(){return“HelloWorld!”;}}WCF网络服务网络基础应用软件层传输层ConnectedApplications…SecurityReliabilityTransactionsMessagingXMLMetadataHTTPTCPCustom…ManagementBusinessProcessWCFWebServices全新的WebService界面ServiceContract,OperationContractattributes[ServiceContract]PublicinterfaceIHelloService{[OperationContract]stringHello();}publicclassHelloService:IHelloService{publicstringHello(){return“Hello”;}}为什么会有WSE?基本的ASPNET无法满足工业界对网络安全越来越多的需求WCF又需要有较长的时间来完成,至今仍未正式发行WS-*通信协议也需要有一个微软产品来支持WSE就这样诞生了2003年2月WSE1.02005年11月2004年7月时间WSE2.0WSE3.0WSE3.0–安全(Security)WSE=Security所支持的安全令牌Usernamex.509CertificateKerberostokenSecurityContextTokenDerivedKeyTokenIssuedToken(SAML)CustomTokenWSE3.0-安全(Security)WSE所支持的最常见的网络安全实例:UsernameForCertificateAnonymousForCertificateUsernameOverTransportKerberos(Windows)MutualCertificate10andMutualCertificate11生活实例-客户端的U/P+服务器的CertApplicationServerInternetIntranet验证username/Password用servercertificate来保护由用户提供的symmetrickey,然后再用这symmetrickey来保护request用先前的symmetrickey来保护responseUsername/Password用于身份验证演示-客户端的U/P+服务器的CertWSE3.0PolicyAssertion:UsernameForCertificateWSE3.0-PolicyPolicy定义了一系列PolicyAssertionsInputSoapMessageTracingSecurityCustomTracingSecurityCustom运行用户定义的程序OutputSoapMessage每个Policyassertion改变传输的信息…andanoutputPipelinePolicy文件是用于定义网络安全的anonymousForCertificateSecurityestablishSecurityContext=false…messageProtectionOrder=SignBeforeEncryptrequireDerivedKeys=truettlInSeconds=300serviceTokenx509…//serviceTokenprotectionrequestsignatureOptions=“…encryptBody=true/responsesignatureOptions=“…encryptBody=true/faultsignatureOptions=“…encryptBody=false//protection/anonymousForCertificateSecurity演示-PolicyWizard如何用policyWizard工具轻松地将网络安全加入到一个简单的ASMXWebService中WSE3.0-Diagnosticsdiagnosticstraceenabled=“true”input=“in.xml”output=“out.xml”//diagnostics如何看到最终被传输的信息:出错后如何看到stacktrace:diagnosticsstackTraceenabled=“true”//diagnosticsWSE3.0–工具(Tools)与VisualStudio2005紧密结合AddWebReference/UpdateWebReferenceWSESettingsbutton单独的工具(StandaloneTools)WseWsdl3.exeWseConfigEditor3.exeX509Certificate3.exe从WSE3.0到WCF-Interop怎样的WSE3.0App才容易和WCF相互操作呢?用容易与WCF相互操作的ASMXServices:简单的schemas与BasicProfile兼容的SOAP1.1用WSE所支持的policyassertionsHttp比TCP容易尽量不要用:rpc/encodedSOAPExtensions与WSE3.0interop的WCFbindingCustomBindingwithWSS1.0可与WSE3.0UsernameOverTransport,MutualCertificate10InteropWSE3.0turnkeyPolicySecurityAssertionsWCFcustombindingSecurityConfigurationUsernameOverTransportusernameOverTransportSecurity/securitymessageSecurityVersion=“WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10”authenticationMode=“UsernameOverTransport”/securitytextMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/MutualCertificate10mutualCertificate10/securitymessageSecurityVersion=“WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10”authenticationMode=“MutualCertificate”/securitytextMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/与WSE3.0interop的WCFbindingCustomBindingwithdefaultsecurityversion可与WSE3.0其余的PolicySecurityAssertionsInteropWSE3.0TurnkeyPolicySecurityAssertionsWCFcustomBindingSecurityConfigurationUsernameForCertificateusernameForCertificate/securityauthenticationMode=“UsernameForCertificate”/textMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/AnonymousForCertificateanonymousForCertificate/securityauthenticationMode=“AnonymousForCertificate”/textMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/Kerberoskerberos/securityauthenticationMode=“Kerberos”/textMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/MutualCertificate11mutualCertificate11/securityauthenticationMode=“MutualCertificate”/textMessageEncodingmessageVersion=“Soap12WSAddressingAugust2004”/演示-Interop客户端:WSE3.0服务器:WCFAnonymousForCertificate从WSE3.0到WCF-Migration可将WSEpolicyassertions对应到WCFbindingcustomBindingbindingname=“MyBindingsecuritya