Lesson 1: Minimizing Risk When Calling External Components in .NET

Creation QR Code 2d barcode in .NET Lesson 1: Minimizing Risk When Calling External Components

10-9

10-10

10

Answer the following questions to provide your assessment of the risks of each appli cation. 1. What risks are associated with the Teller application 2. What can be done to mitigate the risks associated with the Teller application 3. What risks are associated with the Reporting application 4. What can be done to mitigate the risks associated with the Reporting application 5. What risks are associated with the Web site 6. What can be done to mitigate the risks associated with the Web site

There is a security risk associated with calling third-party components, because you cannot be certain the code is secure and, depending on the type of compo nent, the component might be exempt from CAS checks. To limit the risk of calling unmanaged code, validate all input and output, create a managed wrapper class, and instruct users not to run your application with administrator privileges. To verify that an external DLL called by your application has not been modified, import the DLL using the absolute path to the DLL, and compare the hash of the DLL at that location to a known good hash stored in your source code.

10-11

Web services are the preferred way for applications to communicate across a network. Web services resemble standard browser-oriented Web applications, but they make it simple for a wide variety of clients to call methods on the Web service server and retrieve data that can be easily processed by the client application. Just like any Web server, a Web service requires security. Specifically, the standard security elements of authentication, authorization, and encryption should be used to protect any Web ser vice that is not intended to be publicly available. This lesson teaches how to create Web service servers and clients that take advantage of the security features built into the .NET Framework and the Web Services Enhance ments (WSE) extension.

This lesson assumes that you have experience working with Web services. If you do not, visit Microsoft s Web Services Development Center at http://msdn.microsoft.com /webser vices/.

Describe the purpose of WS-Security and the capabilities it adds to standard Web ser-

Describe Web Services Enhancements (WSE) and why you might want to use it. List the most important classes provided by WSE. Use WSE to add standards-based authentication to a Web service.

You can authenticate a Web service client in two ways: using the user s current credentials from her current desktop session, or using alternate credentials. To pass to the Web service the user credentials from the user s current desktop session, set the System.Web .Services.Protocols.SoapHttpClientProtocol.Credentials object to System.Net.CredentialCache .DefaultCredentials. The following code sample creates a new SoapHttpClientProtocol object based on an imaginary Web service located at http://www.northwindtraders.com /EmployeeServices, and configures the object to use the current user s credentials:

10-12

10

new com.northwindtraders.www.EmployeeServices();

server.Credentials = System.Net.CredentialCache.DefaultCredentials;

This code causes the user s user name and password to be added to the HTTP headers. Microsoft Internet Information Services (IIS) uses these headers for authentication in exactly the same way it authenticates a user who enters a user name and password when prompted by a Web browser. Explicitly providing credentials is only slightly more complicated. The following code sample from a console application gathers the user s credentials from command-line arguments and prepares a SoapHttpClientObject object to present those credentials:

Console.WriteLine(@"Enter username in the format domain\username: );

string username = Console.ReadLine();

Console.WriteLine( Enter password: );

string password = Console.ReadLine();

new com.northwindtraders.www.EmployeeServices();

// Create a credentials object and assign it the user s credentials NetworkCredential credentials = new NetworkCredential(username, password); // Now, assign that value to the Web service s credentials

server.Credentials = credentials;