Protecting ASP.NET Web Services

Konstantin Beznosov (University of British Columbia, Canada)
DOI: 10.4018/978-1-59904-639-6.ch009


This chapter reports on our experience of designing and implementing an architecture for protecting enterprise-grade Web service applications hosted by ASP.NET. Security mechanisms of Microsoft ASP.NET container—a popular hosting environment for Web services—have limited scalability, flexibility, and extensibility. They are therefore inadequate for hosting enterprise-scale applications that need to be protected according to diverse and/or complex application-specific security policies. To overcome the limitations of ASP.NET security, we developed a flexible and extensible protection architecture. Deployed in a real-world security solution at a financial organization, the architecture enables integration of ASP.NET into the organizational security infrastructure with reduced effort on the part of Web Service developers. Throughout this report, we discuss our design decisions, suggest best practices for constructing flexible and extensible authentication and authorization logic for Web Services, and share lessons learned.
