Bibliography

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0

Microsoft Corporation

December 2005


Contents

General Information
Chapter 1, Authentication Patterns
Chapter 2, Message Protection Patterns
Chapter 3, Implementing Transport and Message Layer Security
Chapter 4, Resource Access Patterns
Chapter 5, Service Boundary Protection Patterns
Chapter 6, Service Deployment Patterns
Chapter 7, Technical Supplements
Appendix
Community Workspace and Wiki

Summary: This section contains a consolidated list of referenced resources that appear in the Web Service Security guide.

General Information

The following references provide useful background information that will help you gain a better overall understanding of this guide.

Security Background

Brown, K. The .NET Developer's Guide to Windows Security, Reading, MA: Addison-Wesley Professional, 2005, ISBN: 0321228359.

Kaufman, C., Perlman, R., and Speciner, M. Network Security: Private Communication in a Public World, 2nd ed. Upper Saddle River, NJ: Prentice Hall PTR, 2002, ISBN: 0130460192.

Improving Web Application Security: Threats and Countermeasures on MSDN.

Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN.

"Threat Modeling Web Applications" on MSDN.

Security Challenges, Threats and Countermeasures Version 1.0 on the WS-I Web site.

OASIS Standards and Other Approved Work (including WS-Security) on the OASIS Web site.

Pattern Resources

Gamma, E., Helm, R., Johnson, R., and Vlissides, J. Design Patterns: Elements of Reusable Object-Oriented Software, Reading, MA: Addison-Wesley Professional, 1995, ISBN: 0201633612.

Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., and Stal, M. Pattern-Oriented Software Architecture, Volume 1: A System of Patterns, Hoboken, NJ: John Wiley & Sons, 1996, ISBN: 0471958697.

Hohpe, G., and Woolf, B. Enterprise Integration Patterns: Designing, Building, and Deploying Messaging Solutions, Reading, MA: Addison-Wesley Professional, 2003, ISBN: 0321200683. Also available on MSDN.

Enterprise Solution Patterns Using Microsoft .NET, Redmond: Microsoft Press, 2003, ISBN: 0735618399. Also available on MSDN.

Integration Patterns, Redmond: Microsoft Press, 2004, ISBN: 073561850X. Also available on MSDN.

Chapter 1, Authentication Patterns

For more information about authentication and authorization in the .NET Framework, see "Authentication and Authorization" in Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN.

For more information about the Kerberos protocol specification, see RFC 1510: The Kerberos Network Authentication Service (V5). Note that RFC 1510 has since been obsoleted by RFC 4120, which is the current specification of Kerberos V5.

For more information about Kerberos authentication in Windows Server 2003, see "Kerberos Authentication Technical Reference" on Microsoft TechNet.

For a general overview of PKI technologies, see "PKI Technologies" on Microsoft TechNet.

For more information about WS-Trust, see Web Services Trust Language (WS-Trust) on MSDN.

For more information about ADFS, see "Introduction to ADFS" on Microsoft TechNet.

For more information about Security Assertion Markup Language (SAML), go to the OASIS Web site.

For more information about WS-SecureConversation, see Web Services Secure Conversation Language (WS-SecureConversation) on MSDN.

For more information about the SAML 1.1 core specification, go to the OASIS Web site.

For more information about the SAML token profile 1.0, see Web Services Security: SAML Token Profile 1.0 on the OASIS Web site.

Chapter 2, Message Protection Patterns

For more information on WS-Security version 1.0, see the OASIS Standards and Other Approved Work (including WS-Security) on the OASIS Web site.

For more information about HMAC, see RFC 2104: HMAC: Keyed-Hashing for Message Authentication.

Chapter 3, Implementing Transport and Message Layer Security

For information about Web Services Security, see "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)".

For information about derived key tokens, see "Web Services Secure Conversation Language (WS-SecureConversation)".

For information about how to configure a SqlMembershipProvider, see "How To: Use Membership in ASP.NET 2.0" on MSDN.

For information about creating a custom ASP.NET 2.0 membership provider, see "Building Custom Providers for ASP.NET 2.0 Membership" on MSDN.

For information about configuring WSE 3.0 to prevent replay attacks, see "Web Services Enhancements 3.0 <replayDetection> Element" on MSDN.

For more information about performance objectives, see "Improving .NET Performance and Scalability" on MSDN.

For information about WSE 3.0 policy, see "Securing a Web Service" on MSDN.

For information about Kerberos assertion policy settings, see "<kerberosSecurity> Element" on MSDN.

For information about installing X.509 certificates in the local certificate store, see "How to: Use the X.509 Certificate Management Tools" on MSDN.

For information about how to install X.509 certificates in the local machine certificate store, see "Certificates How To" on Microsoft TechNet.

For more information on configuring the behavior of X.509 security in WSE 3.0, see "<x509> Element" on MSDN.

For information about how to set the findType and findValue attributes for the <x509> element, see "<x509> Element (Policy)" in the WSE 3.0 documentation on MSDN.

For information about configuring other settings for this policy assertion, see "<mutualCertificate10> Element" in the WSE 3.0 documentation on MSDN.

To learn more about Windows Integrated Security, see the "Authentication and Authorization Strategies" section in "Web Services Security" on MSDN.

To call a Web service configured to use Windows Integrated Authentication, see the "Specifying Client Credentials for Windows Authentication" section in "Web Services Security" on MSDN.

To learn how to configure IIS for HTTP basic authentication, see "Basic Authentication in IIS 6.0" on Microsoft TechNet.

To learn how an SSL session is established between two parties, see "Description of the Secure Sockets Layer (SSL) Handshake" on Microsoft Help and Support.

To learn about how a client authenticating to a service using SSL operates, see "Description of the Client Authentication Process During the SSL Handshake" on Microsoft Help and Support.

To learn how to implement SSL, see:

To learn how to call a Web service that requires credentials, see the "Passing Credentials for Authentication to Web Services" section in "Web Services Security" on MSDN.

For more information about implementing transport layer security with Kerberos and IPSec on Windows Server 2003, see "IPSec" on Microsoft.com.

For more information about XML performance guidance in the .NET Framework, see Chapter 9, "Improving XML Performance," in Improving .NET Application Performance and Scalability on MSDN.

Chapter 4, Resource Access Patterns

For more information about Web services security, see "Web Services Security" in Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN.

For more information about using impersonation and delegation in ASP.NET 2.0, see "How To: Use Impersonation and Delegation in ASP.NET 2.0" on MSDN.

For more information about designing the authentication and authorization mechanisms for a distributed ASP.NET Web application, see "Authentication and Authorization" on MSDN.

For more information about developing identity-aware applications, see "Developing Identity-Aware ASP.NET Applications, Identity and Access Management Services" on MSDN.

Chapter 5, Service Boundary Protection Patterns

For more information about idempotent HTTP methods, see section 9, "Method Definitions," in RFC 2616 (HTTP/1.1).

For more information about idempotence in general, see "Idempotent" on the Wikipedia Web site.

For more information about idempotent Web services, see "Idempotent Receiver" on the Enterprise Integration Patterns Web site.

For more information about SOAP Message Security, see OASIS: "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004)".

For more information about SQL Server performance optimization, see "Optimizing Database Performance Overview" on MSDN.

For more information about security best practices for SQL Server 2000, see "SQL Server 2000 SP3 Security Features and Best Practices" on Microsoft TechNet.

Chapter 4, "Design Guidelines for Secure Web Applications," in Improving Web Application Security: Threats and Countermeasures on MSDN.

For more information about <httpRuntime>, see "<httpRuntime> Element" in the .NET Framework General Reference on MSDN.

For more information about WSE 3.0 policy assertions, see "Policy Assertions" on MSDN.

For more information about using the SoapClient/SoapService classes for messaging, see "How To: Send and Receive a SOAP Message by Using the SoapClient and SoapService Classes," in the WSE 3.0 documentation on MSDN.

For more information about adding a schema to a resource file see "Resolving the Unknown: Building Custom XmlResolvers in the .NET Framework," on MSDN.

For more information about implementing regular expressions, see "How To: Use Regular Expressions to Constrain Input in ASP.NET" on MSDN.

For more information about using regular expressions in XML Schemas, see "XML Schema Regular Expressions" on MSDN.

For more information about XML performance guidance in the .NET Framework, see Chapter 9, "Improving XML Performance," in Improving .NET Application Performance and Scalability on MSDN.

For more information about how to create the event source that the Web service uses, see the "Creating a New Event Source at Install Time" section of "How To: Use the Network Service Account to Access Resources in ASP.NET" on MSDN.

For more information about creating custom Policy Assertions in WSE 3.0, see "Custom Policy Assertions" in the WSE 3.0 product documentation on MSDN.

Chapter 6, Service Deployment Patterns

"Service Interface Pattern" in Enterprise Solution Patterns Using Microsoft .NET on MSDN.

For more information about using the WseWsdl3.exe utility, see the "WSDL to Proxy Class Tool" on MSDN.

For more information on referral cache syntax, see "How to: Configure the WSE SOAP Router" on MSDN.

For more information about implementing SOAP routers in WSE 3.0, see: "Routing SOAP Messages with WSE" on MSDN.

For more information about XML performance guidance in the .NET Framework, see Chapter 9, "Improving XML Performance," in Improving .NET Application Performance and Scalability on MSDN.

Chapter 7, Technical Supplements

For information about compatibility issues between GSSAPI and the Kerberos SSP, see "SSPI/Kerberos Interoperability with GSSAPI" on MSDN.

For information about replay detection with the sequence field, see section "5.3.2 Authenticators" in RFC 1510.

For in-depth troubleshooting information for the Kerberos protocol implementation in Windows 2000 and Windows Server 2003, see "Troubleshooting Kerberos Delegation" on Microsoft TechNet.

For information about Kerberos authentication, see "What Is Kerberos Authentication?" on Microsoft TechNet.

For information about certificate policies, see "Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework".

For information about X.509 PKI services on Windows Server 2003, see "Designing a Public Key Infrastructure" on Microsoft TechNet.

For information about the MakeCert utility, see "Certificate Creation Tool (Makecert.exe)" on MSDN.

For information about PKI and Windows Server 2003, see "Public Key Infrastructure for Windows Server 2003".

For information about the Online Certificate Status Protocol (OCSP), see RFC 2560, "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP". Note that RFC 2560 has since been obsoleted by RFC 6960.

For information about the Certificate Services PKI solution in Windows Server 2003, see "What Is Certificate Services?".

For more information about certificates, see "What are certificates?" on the RSA Laboratories Web site.

For information about Secure Sockets Layer (SSL), see "What is SSL?" on the RSA Laboratories Web site.

For more information about WS-Security version 1.0, see the OASIS Standards and Other Approved Work (including WS-Security) on the OASIS Web site.

For information about IPSec, see "Internet Protocol Security (IPsec) Operations Topics".

For information about the Internet X.509 PKI certificate and CRL profile, see "Internet X.509 Public Key Infrastructure Certificate and CRL Profile" (RFC 2459). Note that RFC 2459 was obsoleted by RFC 3280, which in turn has been obsoleted by RFC 5280, the current profile.

Appendix

For in-depth information about interoperability and Web service security, see WS-I Basic Security Profile 1.0 Reference Implementation: Preview release for the .NET Framework version 1.1 on MSDN.

For information about the implemented specifications, see the "WSE 3.0 documentation".

For information about the WS-I Basic Security Profile, see "Basic Security Profile Version 1.0".

For information about SOAP Message Security 1.0, see "Web Services Security: SOAP Message Security 1.0 (WS-Security 2004) from OASIS"

Describing the Enterprise Architectural Space.

For more security glossary information, see the following resources:

Community Workspace and Wiki

To post questions, provide feedback, or connect with other users for sharing ideas, visit the community workspace "Web Service Security: Scenarios, Patterns, and Implementation Guidance [Content link no longer available, original URL:https://go.microsoft.com/fwlink/?LinkId=57044]".

To add new problem/solution links related to this guidance, see the "Web Service Security Wiki".
