email article printer friendly get the code more resources

Write Secure Web Services
Use Web Services Enhancements (WSE) 3.0 to secure your Web services and send binary data.
by Vijay P. Mehta

July 27, 2005

Technology Toolbox: C#, SQL Server 2000, Visual Studio 2005 beta 2, Web Services Enhancements 3.0 (CTP)

Web services and binary attachments have proved a difficult pair to make work well together when it's time to implement security. But new functionality in Web Services Enhancement 3.0 (WSE3) should simplify working with binary attachments and Web services tremendously, giving you the ability to implement binary attachments with Web services out of the box.

The computing industry has debated the format of binary attachments in Web services for years; SOAP with Attachments (SwA), Direct Internet Message Encapsulation (DIME), and Message Transmission Optimization Mechanism (MTOM) all vied for supremacy. The first two, SwA and DIME, were fundamentally flawed because they lacked the means to apply WS-Security (the standard specification for applying security to Web services) to the message. MTOM, a younger specification, has overcome this flaw, and the W3C group recently moved MTOM into "Recommended" status.

Microsoft has long straddled the fence in this debate, but its recent move of supporting MTOM in the new release of WSE signals a more proactive approach by the company. In addition to the MTOM enhancements, WSE3 offers several new security features, including turnkey security solutions for enhancing your Web services, as well as a set of robust extensions to the policy model that make it simple to change security at run time.

I'll show you how to use some of these new security features in a real-world example that manipulates binary attachments with a Web service using the MTOM functionality inside WSE 3.0. The sample requires that you install Visual Studio 2005 and WSE3. As I write this article, WSE3 is a "Community Technical Preview" (CTP), which means it's an early beta release. Writing about a CTP technology might seem a little bleeding edge, but the current production version of WSE (2.0 SP3) is not supported with .NET 2.0, and we didn't want to write about something that has the potential to be obsolete in the relatively near term. Note that features are subject to change, as is the case when working with any beta software, but the fundamental concepts explained in this article should remain unchanged, even if their implementation changes slightly. You will also need to have a SQL Server database installed to work with the example. I used SQL Server 2000, but the sample should work as designed with MSDE or SQL Server 2005 (download the database scripts and the sample code here).

The inspiration for this sample came from a project I worked on that required designing and creating a Web service to send and receive PDF files. Specifically, the client wanted a way to digitally sign and encrypt the sending\receiving of PDF files to and from a relational database using a Web service. The only way to accomplish the task at the time was to write large amounts of custom code and ignore pieces of the WS* specifications on binary attachments (see the sidebar, "Creating the WS* Standards"). Binary attachment specifications simply didn't give developers an effective way to apply WS-Security to the message of the Web service. Fortunately, much has changed since I worked on that project, and WS* now provides MTOM, which allows you to secure the binary attachment (technically a MIME attachment with MTOM) with your Web services. Another key advantage of using MTOM is that the protocol allows for the byte array to be sent as is, not Base-64–encoded (like its predecessors), which means that the message size is much smaller than DIME or SwA.