
Discussion Day: Web services security

This discussion will focus on how to secure a Web service using a variety of options. We will discuss both authentication and authorization. The discussion on authorization will include ways to provide role-based security using both declarative and imperative checks in code.

What: Discussion Day in Best Practices Forums
Who: Lonnie Wall and Andrew Lader, Co-Authors of "Building Web Services and .NET Applications" and Principal Architects for RDA
Date: June 27, 2002
Time: 10:00 a.m. to 2:00 p.m. ET

Post your questions and be entered to win a free copy of "Building Web Services and .NET Applications."

ABSTRACT: Web security means many different things to different people and the term is often misused. It is normally an umbrella covering three issues: encryption of data transmitted between Web client and server, authentication, and authorization. In our discussion, we will focus on authentication and authorization. To avoid confusion, we will agree on terms. Authentication is the gatekeeper: it establishes who the user accessing the Web application or service is, through an exchange of credentials (typically a user ID and password), and rejects anyone who cannot present valid ones. Every visit to a Web site involves some form of authentication. On open, public Web sites it is minimal: every visitor is mapped to an anonymous user, which is usually the default. On secure Web sites, authentication limits who can visit the site, letting only specific users through and rejecting everyone else.

Once through, authorization takes over. Getting access to the site is one thing, but actually viewing and interacting with the site falls under the domain of authorization. Here, issues of permissions and roles define what an authenticated user is allowed to do with a particular Web site. Can the users see this menu item? Can they click that button? Are they allowed to navigate from this page to that page? Controlling what they can and can't do is what authorization is all about.

We will be focusing on the following items:

  • The various types of authentication
    - Windows authentication
    - Passport Authentication
    - Forms Authentication
  • Securing a Web service with Forms authentication in the web.config file
  • Allowing and denying specific users
  • Authorization using the web.config file
  • Role-based security in code (distinct from .NET code access security, which grants permissions to code rather than to users)
    - Declarative access using the PrincipalPermissionAttribute
    - Imperative access using the IsInRole() method
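
The ordering rule behind the "allowing and denying specific users" item above is easy to get wrong, so here is an added example (not code from the discussion or from RDA) that models how ASP.NET evaluates the `<authorization>` section of web.config: rules are read top to bottom and the first one that matches the current user decides, `*` matches every user and `?` matches anonymous (not yet authenticated) users. The two web.config documents embedded in the code are constructed samples; the `verbs` attribute and `<location>` overrides are left out of the model.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

// Added example, not from the original discussion: a simplified model of
// ASP.NET URL authorization over an embedded web.config.
class UrlAuthorization
{
    // Constructed sample: only alice and bob may call the service; everyone
    // else, anonymous callers included, is refused and sent to the login page.
    public const string GoodConfig = @"
<configuration>
  <system.web>
    <authentication mode=""Forms"">
      <forms loginUrl=""Login.aspx"" name="".SVCAUTH"" />
    </authentication>
    <authorization>
      <allow users=""alice,bob"" />
      <deny users=""*"" />
    </authorization>
  </system.web>
</configuration>";

    // Constructed sample of a common mistake: <allow users="*"/> matches every
    // caller, so the <deny users="?"/> beneath it is never reached and
    // anonymous callers are let in.
    public const string BrokenConfig = @"
<configuration>
  <system.web>
    <authentication mode=""Forms"" />
    <authorization>
      <allow users=""*"" />
      <deny users=""?"" />
    </authorization>
  </system.web>
</configuration>";

    // user == null models an anonymous request. Returns true when access is granted.
    public static bool IsAllowed(string configXml, string user, IEnumerable<string> roles)
    {
        XElement section = XDocument.Parse(configXml).Descendants("authorization").First();
        foreach (XElement rule in section.Elements())
        {
            // First matching rule wins; its element name is the decision.
            if (Matches(rule, user, roles))
                return rule.Name.LocalName == "allow";
        }
        // The machine-level configuration ends with <allow users="*"/>, so a
        // request that matches none of the site's own rules is allowed.
        return true;
    }

    static bool Matches(XElement rule, string user, IEnumerable<string> roles)
    {
        foreach (string u in Split(rule.Attribute("users")))
        {
            if (u == "*") return true;
            if (u == "?" && user == null) return true;
            if (user != null && string.Equals(u, user, StringComparison.OrdinalIgnoreCase)) return true;
        }
        foreach (string r in Split(rule.Attribute("roles")))
        {
            if (roles.Contains(r, StringComparer.OrdinalIgnoreCase)) return true;
        }
        return false;
    }

    // Splits a comma-separated users= or roles= attribute; missing attribute means no entries.
    static IEnumerable<string> Split(XAttribute attr)
    {
        if (attr == null) return Enumerable.Empty<string>();
        return attr.Value.Split(',').Select(s => s.Trim()).Where(s => s.Length > 0);
    }

    static void Main()
    {
        string[] noRoles = new string[0];
        Console.WriteLine("alice, good config:     " + IsAllowed(GoodConfig, "alice", noRoles));
        Console.WriteLine("mallory, good config:   " + IsAllowed(GoodConfig, "mallory", noRoles));
        Console.WriteLine("anonymous, good config: " + IsAllowed(GoodConfig, null, noRoles));
        Console.WriteLine("anonymous, broken config: " + IsAllowed(BrokenConfig, null, noRoles));
    }
}
```

The last line of `Main` is the one to watch: with `BrokenConfig` an anonymous caller is granted access even though a `<deny users="?"/>` rule is present, because the `<allow users="*"/>` above it matched first. Writing the `<deny>` before any broad `<allow>`, or ending the section with `<deny users="*"/>` as `GoodConfig` does, avoids the problem.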

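The two code-level checks named in the list (declarative `PrincipalPermissionAttribute` and imperative `IsInRole()`) side by side, as an added example that is not code from the discussion or from RDA. It runs as a .NET Framework console program and installs constructed `GenericPrincipal` objects on the thread to simulate logged-in callers; in an ASP.NET Web service the Forms or Windows authentication module sets `Thread.CurrentPrincipal` (also reachable as `Context.User`) before a `[WebMethod]` runs, so the same checks apply unchanged there. The role names and method names are assumptions for illustration. Note that declarative `PrincipalPermission` demands are not enforced on .NET Core and later, where the attribute throws `PlatformNotSupportedException`.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the original discussion: declarative versus
// imperative role-based checks on Thread.CurrentPrincipal (.NET Framework).
class RoleChecks
{
    // Declarative check: the runtime demands the Administrator role before the
    // method body executes and throws SecurityException if the demand fails.
    // The role name is an assumption for this example.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
    public static string DeleteAccount(string account)
    {
        return "deleted " + account;
    }

    // Imperative check: the same kind of decision, but the method inspects the
    // principal itself, which lets it accept either of two roles and fail with
    // an error message of its own choosing.
    public static string ViewReport(string report)
    {
        IPrincipal caller = Thread.CurrentPrincipal;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("authentication required");
        if (!caller.IsInRole("Manager") && !caller.IsInRole("Administrator"))
            throw new UnauthorizedAccessException("role Manager or Administrator required");
        return "report " + report;
    }

    // Simulates a logged-in caller by installing a constructed principal on the
    // current thread (in ASP.NET the authentication module does this for you).
    public static void RunAs(string user, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
    }

    // Simulates an anonymous caller: an empty name makes IsAuthenticated false.
    public static void RunAnonymous()
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(""), new string[0]);
    }

    static void Main()
    {
        RunAs("alice", "Administrator");
        Console.WriteLine(DeleteAccount("acct-1"));
        Console.WriteLine(ViewReport("q2"));

        RunAs("bob", "Manager");
        Console.WriteLine(ViewReport("q2"));
        try
        {
            DeleteAccount("acct-2");
        }
        catch (SecurityException ex)
        {
            // The declarative demand failed before the method body ran.
            Console.WriteLine("bob denied: " + ex.Message);
        }

        RunAnonymous();
        try
        {
            ViewReport("q2");
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.WriteLine("anonymous denied: " + ex.Message);
        }
    }
}
```

The declarative form is shorter and cannot be forgotten by a later edit to the method body, but its only failure mode is a `SecurityException`; the imperative form costs a few lines and in exchange lets you combine roles, consult other state, and return a response the caller can act on. Either way the check is only as good as the principal the authentication layer put on the thread, so it complements, rather than replaces, the `<authorization>` rules in web.config.
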
BIO: Lonnie Wall is a Principal Architect for RDA with more than 16 years of software development experience. His primary area of expertise is designing and implementing large distributed applications using XML on various platforms. Qualifications include Microsoft Certified Systems Engineer, Microsoft Certified Solution Developer and Sun Certified Java 2 Programmer. Recently, Lonnie has been responsible for the design and implementation of several large Web-based business applications, which included a large .NET solution.

Andrew Lader has been in the software industry for over 12 years and is also a Principal Architect for RDA. His wide background of experience in software development includes expertise in C#, C++, C, XML, XSLT, XPath, Java, Visual Basic, SQL Server, MTS/COM+, ADO, and MSMQ. Most recently, Andrew has been working on projects for two clients, implementing Web applications and Web services using Microsoft's .NET Technology.
