# Wednesday, 31 December 2003
WSE and the Next Generation of Security
Wednesday, 31 December 2003 01:38:20 UTC ( Security | WSE )

I have spent a lot of time with WSE 2.0 in the last few weeks, and as both my code and my mindset move from testing and research to building production quality systems, I am beginning to think about how hard it is to get the security choices right with WSE 2.0.

From a practical point of view, the move from plain ASP.NET Web Services to WSE and WS-Security is about moving from the SSL checkbox in IIS to a fairly imperative and challenging programming model in WSE 2.0. While the SSL-checkbox is inflexible and does not provide you with a lot of room for configuration, it is reasonably simple to get right. The WSE toolkit on the other hand provides you with a lot of room for mistakes and bad decisions. Throw a bit of WS-SecureConversation and WS-Trust into the mix and things really start to get interesting.

Even though WSE is an advanced toolkit for early adopters, it is still being marketed and generally perceived as the technology that will ensure secure web services. In the real world, it needs to be easy to build secure services. This is not because security is a simple concept to grasp, as it in fact is hugely complex, but because it is a basic requirement in any software project. We need to be practical and provide solutions that by default are as close to bulletproof as we can get them.

Looking at the samples in the WSE 2.0 TP distribution, I fail to find one that ensures integrity and confidentiality for both the request and the response in a message exchange, but I have not done an exhaustive search. Given the affection that exists for copy and paste development, I am scared of what will travel from and to web services in the next couple of years.

I know that making the move to WSE is about a lot more than just migrating from SSL/TLS to the WS-x family, but I think that it will be one of the most common scenarios.

My current thinking is that I would not recommend using WSE unless you have a very strong understanding of security and you have a dire need for the functionality it provides.

This entry seems a bit negative towards WSE, but I assure you that it is a great toolkit with a lot of good stuff in it. My concern is with whether or not the migration from SSL checkbox security to WSE-security is an evolution that will increase security or be a great source for error and confusion. Simple end-to-end samples together with practical prescriptive guidance may be a viable path towards solving this problem.

I am just in the beginning of forming my opinions on this topic; perhaps they will change.

Work, WSE and Indigo
Wednesday, 31 December 2003 00:16:37 UTC ( General | WSE )

I’ve been quiet lately, mostly because I have been very busy with work. These last couple of months have been intense and filled with SOAP, web services and the SOA paradigm.

After digging into Indigo and preparing for my overview presentation, I went straight on to designing and building a new version of our integration infrastructure. The solution relies heavily on WSE 2.0 and this has provided me with some interesting challenges. Naturally, it also borrows some concepts and ideas from Indigo.

Expect more details on my WSE 2.0 experience as I get both them and my mind organized.

# Thursday, 11 December 2003
New location and blogging engine
Thursday, 11 December 2003 19:35:39 UTC ( Blog )

I have finally moved my blog to a professional blogging tool. My new blog is available at http://blog.morty.info. Thanks to the dasBlog development team for a great and free tool!

# Thursday, 04 December 2003
Incorrect Parameters and Enterprise Services
Thursday, 04 December 2003 22:10:57 UTC ( Enterprise Services )

We were hunting down a weird bug at work today, and came across this interesting problem with Enterprise Services. If you send a non-empty decimal array into a ServicedComponent you get a “The parameter is incorrect.” argument exception.

Just create a method that takes a single argument, the decimal array, in your server activated ServicedComponent and give it a trial run. You’ll need to use an interface to get the COM magic going though.

					
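using System.EnterpriseServices;

// Server activation: the component is hosted out of process,
// so the call below crosses a COM marshaling boundary.
[assembly: ApplicationActivation(ActivationOption.Server)]

// The interface is needed to get the COM magic going.
public interface ITest
{
	void Test(decimal[] test);
}

public class TestComponent : ServicedComponent, ITest
{
	// Intentionally empty: the call fails before the body runs.
	public void Test(decimal[] test) {}
}

class Client
{
	static void Main()
	{
		TestComponent cl = new TestComponent();
		// A non-empty decimal array triggers the
		// "The parameter is incorrect." argument exception.
		cl.Test(new decimal[] {1m, 2m});
	}
}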

Have fun ;)

Indigo and NNUG
Thursday, 04 December 2003 18:31:42 UTC ( Indigo | Talks )

I delivered my third presentation at the Norwegian .Net User Group (NNUG) on Tuesday. Building on my previous presentation about message-oriented architectures I talked about the new Microsoft product codenamed “Indigo”; without a doubt some of the most exciting stuff in the works these days.

I positioned “Indigo” within modern architecture and talked about the primary programming model; the “Indigo” Service Model. I closed with some recommendations about how to prepare for “Indigo”, how to migrate your existing code and some information about interoperability with existing programming stacks.

Needless to say it was great fun. And I even got some Xbox games for my efforts ;)

The presentation, Codename “Indigo” – The Future of Distributed Applications, is available for download here.
