的網(wǎng)絡(luò)服務(wù)安全

1、WSE 3.0 的網(wǎng)絡(luò)效力平安 內(nèi)容提要背景引見ASPNETWSE ( Web Services Enhancements )WCF ( Windows Communication Foundation )WSE 3.0 運(yùn)用較為廣泛的功能塊SecurityPolicyDiagnosticsTools從 WSE 到 WCF互操作性 Interoperability轉(zhuǎn)換 Migration 背景引見 - 攀爬Web Services的階梯ASP.NETWSEWCFASP.NET網(wǎng)絡(luò)效力網(wǎng)絡(luò)根底運(yùn)用軟件層傳輸層Connected ApplicationsManagementBusinessProc

2、essSecurityMessagingXMLMetadataTCPCustomReliabilityTransactions.NET v2.0 平臺網(wǎng)絡(luò)效力與WS-I Basic Profile兼容定義WebServiceBinding attributeWebServiceBinding(ConformsTo=WsiProfiles.BasicProfile1_1, EmitConformanceClaims=true)WebService(Namespace=Microsoft.TechEdChina.WebServices)public class BPConformance_asmx

3、 WebMethod public string HelloWorldBP() string message = Hello World from a Basic Profile compliant (BP-compliant) Web Service.;return message; Web Services Enhancements (WSE) 網(wǎng)絡(luò)根底運(yùn)用軟件層傳輸層Connected ApplicationsManagementBusinessProcessSecurityReliabilityTransactionsMessagingXMLMetadataTCPCustomWSE 3

4、.0網(wǎng)絡(luò)效力建立在.NET平臺上定義Policy attributeWebService(Namespace=Microsoft.TechEdChina.WebServices)Microsoft.Web.Services3.Policy(“MyServerPolicy)public class WSE_asmx WebMethod public string HelloWorld () return “Hello World!; WCF網(wǎng)絡(luò)效力網(wǎng)絡(luò)根底運(yùn)用軟件層傳輸層Connected ApplicationsSecurityReliabilityTransactionsMessagingX

5、MLMetadataTCPCustomManagementBusiness ProcessWCF Web Services全新的 Web Service 界面ServiceContract, OperationContract attributesServiceContractPublic interface IHelloService OperationContractstring Hello();public class HelloService : IHelloService public string Hello () return “Hello; 為什么會(huì)有WSE?根本的 ASPNE

6、T 無法滿足工業(yè)界對網(wǎng)絡(luò)平安越來越多的需求WCF 又需求有較長的時(shí)間來完成, 至今仍未正式發(fā)行WS-* 通訊協(xié)議也需求有一個(gè)微軟產(chǎn)品來支持WSE 就這樣誕生了2003年2月WSE1.0 2005年11月2004年7月時(shí)間WSE2.0WSE3.0WSE 3.0 平安 (Security)WSE = Security所支持的平安令牌Username x. 509 Certificate Kerberos tokenSecurityContextToken DerivedKeyTokenIssued Token ( SAML )Custom TokenWSE 3.0 -平安 (Security)WS

7、E 所支持的最常見的網(wǎng)絡(luò)平安實(shí)例:UsernameForCertificate AnonymousForCertificate UsernameOverTransportKerberos (Windows)MutualCertificate10 andMutualCertificate11生活實(shí)例-客戶端的U/P+效力器的CertApplication ServerInternetIntranet驗(yàn)證 username/ Password用server certificate來維護(hù)由用戶提供的symmetric key,然后再用這symmetric key來維護(hù)request用先前的symme

8、tric key來維護(hù)responseUsername/Password 用于身份驗(yàn)證 演示-客戶端的U/P+效力器的CertWSE 3.0 Policy Assertion: UsernameForCertificate WSE 3.0 - PolicyPolicy 定義了一系列Policy AssertionsInput Soap MessageTracingSecurityCustomTraci ngSecurityCustom運(yùn)轉(zhuǎn)用戶定義的程序OutputSoap Message每個(gè)Policy assertion 改動(dòng)傳輸?shù)男畔?and an output PipelinePolic

9、y文件是用于定義網(wǎng)絡(luò)平安的 演示- Policy Wizard如何用policy Wizard工具輕松地將網(wǎng)絡(luò)平安參與到一個(gè)簡單的ASMX Web Service中WSE 3.0 - Diagnostics如何看到最終被傳輸?shù)男畔?出錯(cuò)后如何看到 stack trace:WSE 3.0 工具(Tools)與 Visual Studio 2005 嚴(yán)密結(jié)合Add Web Reference/Update Web ReferenceWSE Settings button單獨(dú)的工具(Standalone Tools)WseWsdl3.exeWseConfigEditor3.exeX509Certif

10、icate3.exe從 WSE 3.0 到 WCF - Interop怎樣的WSE 3.0 App才容易和WCF相互操作呢?用容易與WCF相互操作的ASMX Services:簡單的 schemas與Basic Profile兼容的SOAP 1.1用WSE所支持的policy assertionsHttp比TCP容易盡量不要用:rpc/encodedSOAP Extensions與WSE 3.0 interop的WCF bindingCustomBinding with WSS 1.0 可與 WSE 3.0 UsernameOverTransport, MutualCertificate10

11、InteropWSE 3.0 turnkey Policy Security AssertionsWCF custom binding Security ConfigurationUsernameOverTransportsecurity messageSecurityVersion=“WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10” authenticationMode=“UsernameOverTransport”MutualCer

12、tificate10security messageSecurityVersion=“WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10” authenticationMode=“MutualCertificate”與WSE 3.0 interop的WCF bindingCustomBinding with default security version 可與 WSE 3.0 其他的 Policy Security Assertions

13、InteropWSE 3.0 Turnkey Policy Security AssertionsWCF customBinding Security ConfigurationUsernameForCertificateAnonymousForCertificateKerberosMutualCertificate11演示- Interop客戶端: WSE 3.0效力器: WCFAnonymousForCertificate從 WSE 3.0 到 WCF - Migration可將WSE policy assertions 對應(yīng)到 WCF binding 演示- Migration客戶端:

14、WSE policy file WCF binding效力器: WSE policy file WCF bindingAnonymousForCertificate從 WSE 3.0 到 WCF - MTOMMTOM ( Message Transmission Optimization Mechanism ) 是一種傳輸附件的方式. 它便利, 高效，已為業(yè)界廣泛地運(yùn)用。WSE: MTOM 只是一個(gè)Config switch WCF: MTOM是binding的一部分從 WSE 3.0 到 WCF Secure ConversationSecure Conversation是一種加快傳輸平安信

15、息的手段. 它主要是采用了Symmetric Key技術(shù)，對傳送多條信息極為有利。WSE: SC是policy的一個(gè)attribute WCF: SC是binding的一個(gè)attribute從 WSE 3.0 到 WCF Custom Policy AssertionWSE:Custom Policy Assertion是Policy Extension WCF: custom binding element從 WSE 3.0 到 WCF Custom Security TokenWSE: Security Token ManagerseviceCredentials credentials

16、= new CustomCredetials();Host.Description.Behaviors.Remove(typeof(ServiceCredentials);Host.Description.Behaviors.Add(credentials); WCF: ServiceCredential / ClientCredential總結(jié)ASPNET為您奠定了Xml Web Services的根底; WSE 3.0為您提供了Secure Web Services良好的開端; WCF將最終協(xié)助您實(shí)現(xiàn)高效,便利及可靠的全新的Web Services在去年年底發(fā)行的WSE3.0, 有以下幾個(gè)主要功能:SecurityPolicyDiagnosticsTools假設(shè)您已采用了WSE 3.0來協(xié)助提高您的網(wǎng)絡(luò)平安, 那么它將與即將發(fā)行的WCF兼容 ( interop ) 假設(shè)您想在WCF發(fā)行后, 由WSE 3.0上升至WCF, 那么您也將很輕松地完成這個(gè)義務(wù)相關(guān)鏈接在此次大會(huì)期間您想更深化地了解W