WSE Fundamentals

New to WSE? Here's what you can read to get a kick start.

I guess you are all aware that security is a primary concern in most applications. There are different kinds of security models. What I am focusing on here is security in the messaging context.

The most common scenario is exchanging information or services between two computers (client/server or partners), where there is a need to secure the data that is sent from one node to another. The common practice for this is to use SSL. For those who don't know SSL: it's a way of securing a communication channel by encrypting the data transmitted over it. It looks good, and this technique is often employed in most integration projects. Now the big question is: where does WSE stand in this context?

SSL secures information only from point to point (transport level), i.e. the information is secured only as long as it is on the secured channel; you are not actually securing the message itself. So if your message makes multiple hops over the network to reach its final destination, the entire path should be secured. Secondly, the sender has no security control over a message once it has left its security perimeter.

An alternative approach is to secure the message itself and then transmit it to the receiver. No matter how the message flows, it can be consumed only by its intended recipient. This approach is called "Message level security".

I guess now you have got it: yes, WSE can be used to implement "Message level security".

WSE is an add-on by Microsoft that implements the WS-* specifications, specifically in the areas of security, reliable messaging and sending attachments.

It provides:

o Message integrity: by signature
o Message authenticity: by signature
o Message confidentiality: by encryption
o Message authorization: by role-based authorization
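
To make "integrity by signature" concrete for the multi-hop case described earlier, here is an added example (not from the original post, and not WSE's own API). It uses .NET's SignedXml class to attach an XML Signature to a message, which is the signature format WS-Security builds on, and then checks the message again after a hop has changed it. The envelope contents and class name are constructed for illustration; it assumes .NET Framework 4.7.2 or later with a reference to System.Security (on newer .NET, the System.Security.Cryptography.Xml package).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class MessageLevelIntegrityDemo
{
    // Constructed sample message; the element names are illustrative only.
    const string Envelope =
        "<Envelope><Body><Transfer><To>ACME</To><Amount>100</Amount></Transfer></Body></Envelope>";

    // Sender: attach an enveloped signature so the protection travels with the message.
    static XmlDocument Sign(string xml, RSA senderKey)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = senderKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        // Uri = "" signs the whole document, minus the signature element itself.
        var reference = new Reference { Uri = "", DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc;
    }

    // Receiver: verify with the sender's key, whatever hops the message took.
    static bool Verify(XmlDocument doc, RSA senderPublicKey)
    {
        var nodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // unsigned or ambiguous message: reject
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(senderPublicKey);
    }

    static void Main()
    {
        // One key object plays both roles here; a real receiver holds only the public key.
        using (RSA key = RSA.Create(2048))
        {
            XmlDocument received = Sign(Envelope, key);
            Console.WriteLine("Untouched message verifies: " + Verify(received, key));

            // A hop that terminates SSL holds the plaintext message and can change it.
            received.GetElementsByTagName("Amount")[0].InnerText = "100000";
            Console.WriteLine("Modified message verifies: " + Verify(received, key));
        }
    }
}
```

The signature only covers integrity and authenticity; confidentiality across hops additionally needs the message body to be encrypted for the final recipient.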

Some extra stuff

In WSE 3.0, the most common security scenarios come with out-of-the-box solutions, called security assertions, so you need not spend more time figuring out how to implement each of the security scenarios.

->UserNameOverX509Security
->AnonymousOverX509Security
->UserNameOverTransportSecurity
->KerberosSecurity
->MutualX509Security

You can find more at MSDN.
