Securing XML Web Services
Authentication
- Standard user account mechanisms
Authorization
- Custom code
- Configuration settings in Web.config
Encryption
- SSL ( Watch out for performance hit )
- IPSec
WS-Security
- Integrated security for Web Services
- Global XML Web Services Architecture (GXA)
In detail:
Restricting access to an XML Web service
XML Web services can be implemented so that only authorized clients receive access, but to restrict access, you need a way to authenticate clients. Then, based on the credentials presented by the client, you can decide whether to authorize access to the service.
Securing an XML Web service is slightly different from securing a Web site in that you authorize computers or businesses to access the XML Web service instead of end users.
If you know which computers need access to your XML Web service, you can use Internet Protocol Security (IPSec) or firewalls to restrict access to computers of known IP addresses. This technique is particularly useful when you want to restrict access to computers within a private network.
In most Internet scenarios, however, the IP addresses of all your clients will be unknown. In this case, the most straightforward approach to implementing authentication is to leverage the authentication features of the protocol used to exchange messages. For example, if you are sending and receiving SOAP messages over HTTP, you will want to leverage the authentication features available for HTTP. Microsoft® Internet Information Services 5.0 supports several authentication mechanisms for HTTP (see www.microsoft.com/technet/iis/authmeth.asp for more details):
- Basic – Use for non-secure or semi-secure identification of clients because the username and password are sent in plain text. Internet Information Services will authorize access to the XML Web service if the credentials match a valid user account.
- Basic over SSL – Same as Basic authentication except that the username and password are sent across the network with Secure Sockets Layer (SSL) encryption rather than in plain text. Basic over SSL is a good option for Internet scenarios, although using SSL has a significant impact on performance.
- Digest – Uses hashing to transmit client credentials in a secure way, though it is not widely supported on platforms other than Microsoft Windows®. Internet Information Services will authorize access to the XML Web service if the credentials match a valid user account.
- Integrated Windows authentication – Useful only for intranet scenarios since it uses NTLM or Kerberos and cannot be used across proxy servers or other firewalls. Internet Information Services will authorize access to the XML Web service if the credentials match a valid user account.
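The outline above lists "Configuration settings in Web.config" as one way to authorize the clients that IIS has authenticated. The following Web.config is an added example written for this page, not code from the original article or from Microsoft; the service file name Orders.asmx and the Windows group CONTOSO\ServiceClients are assumed values chosen for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <!-- Let IIS perform the authentication (Basic over SSL, Digest or
         Integrated Windows, as configured in IIS) and hand the resulting
         Windows identity to ASP.NET for authorization decisions. -->
    <authentication mode="Windows" />

    <!-- Site-wide rule: deny anonymous callers ("?"). Rules are evaluated
         top to bottom and the first match wins, so this deny must appear
         before any rule that allows everyone ("*"). The weak setting this
         replaces would be:
           <allow users="*" />
         which lets unauthenticated clients call every service. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Tighter rule for one service: only members of an assumed Windows
       group (constructed name for this example) may call it; every other
       authenticated caller is rejected by the closing deny. -->
  <location path="Orders.asmx">
    <system.web>
      <authorization>
        <allow roles="CONTOSO\ServiceClients" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Because the credentials are still transmitted by the HTTP mechanism IIS is configured for, the Web.config rules decide only who is authorized; they do not make Basic authentication safe without SSL.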
WS-Security
WS-Security describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. These mechanisms can be used to accommodate a wide variety of security models and encryption technologies. XML Web Services no longer have to rely on the security features of the underlying transport mechanisms.
GXA is a framework from Microsoft for specifying generic higher-level services which augment XML Web Services. GXA provides an implementation of WS-Security which includes support for X.509 certificates and Kerberos tickets.
WS-Security Index Page http://msdn.microsoft.com/webservices/understanding/gxa/default.asp?pull=/library/en-us/dnglobspec/html/wssecurspecindex.asp
Using WS-Security with the Web Services Development Kit Technology Preview http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/wssecwithwsdk.asp