P&P Summit Day Two: Security Patterns for Services

June 14, 2008 (Last Modified: June 15, 2008)

The fifth speaker for today is Jason Hogg. He just came from building 41 on the campus, which apparently is on fire. Nice. He’s been working on web service security within Patterns and Practices.

With WCF the implementation model doesn’t necessary need to know about security directly. You can add security in around the message or transport level the same way for each type of transport mechanism. Whether you are using TCP/IP directly or HTTP you can deal with security in the same way in WCF.

They have created a pdf of security patterns they defined during meetings between the P&P group and the WCF team. The pdf contains guidance about what to do security wise in different scenarios. They define some scenarios and then provide a set of decision matrices to help weight the pros and cons of each of the options to use for securing your services. Finally, they provide a set of patterns to implement the security (Authentication patterns, message protection patterns, resource access patters, boundary defense patterns, and security deployment patterns).

The next few minutes of the presentation was a discussion of some of the patterns and scenarios described in the pdf, so I’ll just suggest you go read that for more information.

Jason followed the discussion of the pdf with how all this can tie in with Visual Studio and your environment. They put out the web service software factory back in June to help walk people through generating these types of services, including security.

Jason then ran through a demo of using the web service factory to create a web service solution, complete with a client to test the service with. While showing this solution he pulled up the svctraceviewer that comes with the Windows SDK with WCF. It lets you see the request and response messages from the service log.

By using the security based software factory guidance package you can constrain and enforce security requirements for all services within the service. They even have code analysis rules that will ensure that your selected security choices are followed by the developers. I really need to look more into these software factories.