Chapter 8
Security and Unmanaged Code

CERTIFICATION OBJECTIVES
8.01 Implement Security
8.02 Access Unmanaged Code
Two-Minute Drill
Q&A Self Test
CertPrs8 / MCAD/MCSD XML Web Services and Server Components Development with Visual Basic .NET / Lind / 222653-6 /
Chapter 8
P:\010Comp\CertPrs8\653-6\ch08.vp
Wednesday, October 30, 2002 9:50:09 AM
Color profile: Generic CMYK printer profile
Composite Default screen
In this chapter, you will learn about two topics: security for Windows services, .NET
Remoting objects, and XML Web Services, and how to access legacy COM+ components.
The security implementation will cover how to configure and use the different
security mechanisms available through the .NET Framework, and how to integrate
the Windows authentication systems as well as the authorization needed to access
resources.
A large number of existing COM and COM+ applications are in use today, and
it will take a long time to move beyond the use of them in all but total rewrite
situations. You will look at how to make use of these components from a Visual
Basic .NET application.
CERTIFICATION OBJECTIVE 8.01
Implement Security
You need to consider security for XML web services just as you do for any other
software product on a network. As with other software products, there are three
aspects of security that you must consider: authentication, authorization, and
secure communication.
Authentication
Authentication is the process of verifying that the client is truly who he or she claims
to be. This is done by collecting credentials (name and password) from the user.
The credentials are validated against an authority such as a database; if the credentials
are valid, the client is an authenticated identity.
The authentication configuration is performed on IIS because IIS is the service
that the consumer will interact with to get access to an XML web service. Internet
Information Services (IIS) offers three security mechanisms:

Basic authentication: The basic authentication method is a widely used
standard method for collecting name and password information from the
consumer. This method is part of the HTTP specification and is a standard
that is widely supported by browsers. It transmits the security credentials
in clear text, resulting in a possible security breach unless the transmission
channel is encrypted using Secure Sockets Layer (SSL).

Digest authentication: The W3C has introduced digest authentication as a
replacement for the basic authentication method. In digest authentication,
a binary hash is built from the name, password, requested resource, HTTP
method, and some random values generated by the server.
To generate the hash, the browser applies an algorithm that is considered
one-way, meaning that there is no known way of getting back to the clear
text from the binary hash. This hash is then sent to the IIS server, which
verifies that the hash is the same as the one it obtains when performing the same
hash calculation on the user information as stored in Active Directory.
Digest authentication is supported starting in HTTP 1.1.

Integrated Windows authentication: This authentication is based on the
consumer having a Windows account that can be used for authentication.
The strength of integrated Windows authentication is that the username and
password are not sent across the network. Rather, a hash of the credentials is
used. In addition, the method can make use of the Kerberos V5 protocol to
take advantage of the secret-key cryptography provided in Active Directory
and Kerberos V5. The biggest problem with integrated Windows authentication
is that the server and the client must have network communication over
TCP/IP ports for the authentication; these ports are normally never left
open on any devices that are used on the Internet because of the risk of
intrusion into the system from Internet hackers.
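As an added illustration (not code from the book), the following Python model shows what the Basic and Digest methods above actually put on the wire and how a server checks a Digest response (RFC 2617, MD5 with qop="auth"); the realm, account, nonce and URI are constructed values.

```python
# Added example, not from the book: Basic vs. Digest on the wire, and
# server-side verification of a Digest response (RFC 2617, qop="auth").
# All names, realm, nonce and URI values below are constructed.
import base64
import hashlib
import secrets


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: 'user:password' is only base64-encoded, never encrypted."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def basic_credentials_from_header(header):
    """Anyone who sees the header on an unencrypted channel recovers both parts."""
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). The verifier needs the password or this
    hash, which is why IIS digest auth needs reversibly stored passwords."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response, issued_nonces):
    """Server side: accept only a nonce we issued and have not seen used, then
    recompute the response from the stored HA1 and compare in constant time."""
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)  # single use: a captured header cannot be replayed
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return secrets.compare_digest(expected, response)


def demo():
    """One client/server exchange; returns (accepted, wrong_pw_rejected, replay_rejected)."""
    realm, user, password = "nop.com", "Ken", "password"  # constructed account
    nonce, nc, cnonce = "d41d8cd98f00b204", "00000001", "0a4f113b"  # constructed
    uri = "/HelloSecure/Service1.asmx"
    stored = digest_ha1(user, realm, password)  # what the server keeps
    good = digest_response(digest_ha1(user, realm, password), "POST", uri, nonce, nc, cnonce)
    accepted = verify_digest(stored, "POST", uri, nonce, nc, cnonce, good, {nonce})
    # wrong password gives a different HA1, so the response does not match
    bad = digest_response(digest_ha1(user, realm, "guess"), "POST", uri, nonce, nc, cnonce)
    wrong_pw = verify_digest(stored, "POST", uri, nonce, nc, cnonce, bad, {nonce})
    # a good response bound to one method/URI fails when presented for another
    replay = verify_digest(stored, "GET", "/other.asmx", nonce, nc, cnonce, good, {nonce})
    return accepted, wrong_pw, replay
```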
You can also use custom SOAP headers to add your own authentication
mechanism instead of using the built-in solutions. An XML web service consumer
can add credentials to the SOAP header; these are then retrieved by the XML web
service, which can use the credentials to authenticate the consumer. For a refresher
on SOAP, see Appendix D.
IIS Authentication
In order to configure authentication for an XML web service, you need to configure
IIS through the Internet Services Manager. To start the Internet Services Manager,
select Start | Settings | Control Panel | Administrative Tools | Internet Services
Manager. The program is shown in the following illustration.
Remember that the authentication method for Windows authentication
is set in IIS.
In the Tree view, expand first the server and then the Default Web Site; you will
see several entries, as shown in Figure 8-1.
Select the web site you want to configure, right-click it, and select Properties.
This will open the Default Web Site properties dialog box. Click the Directory
Security tab as shown in Figure 8-2.
Security settings are configured under the Anonymous Access And Authorization
Control section. Click Edit to open the Authentication Methods dialog box shown
in the following illustration.
You can configure authentication in this dialog box. The default setting is that
anonymous access is permitted. You can change the anonymous authentication
configuration with the proxy account in the Anonymous User Account dialog box,
brought up when you click Edit in the Anonymous Access section. The proxy
account must be given the most restrictive access to the site possible.
FIGURE 8-1 The expanded content of the default web site
If you configure Basic Authentication in the Authentication Methods dialog box,
you must make sure that the accounts that will access the XML web service are
given permission to log on to the web server that is hosting the XML web service.
FIGURE 8-2 The Properties dialog box
If you configure Digest Authentication For Windows Domain Servers, the
domain controllers must have a reversibly encrypted (clear-text) copy of the account's
password to be used when comparing against the hash the consumer sends in.
You will be asked to agree to the clear-text passwords when you select digest
authentication.
If you configure integrated Windows authentication, the user will not be
prompted for credentials unless the integrated Windows authentication fails.
Integrated Windows authentication cannot pass a firewall unless
the administrator opens additional ports. It is highly unlikely that
the administrator will do so because of the security risk involved.
Once the IIS configuration is complete, the XML web service must be configured
to use the required authentication. This is done by editing the Web.config file that
is located in the root directory for the XML web service. This file is also called the
application configuration file. To enable the Windows-based authentication method
(basic, digest, or integrated Windows) that was configured with IIS, add the following
to the Web.config file:
<configuration>
  <system.web>
    <!-- hand the identity established by IIS to the web service -->
    <authentication mode="Windows" />
  </system.web>
</configuration>
To access the user credentials programmatically, you can use the Context object
as in this demo web method from Visual Studio .NET:
<WebMethod()> _
Public Function HelloWorld() As String
    ' Context.User holds the identity that IIS authenticated for this request
    Return "Hello World " & Context.User.Identity.Name
End Function
The result of this web method is shown here:
When you consume an XML web service by using the wsdl tool or by adding
a web reference in Visual Studio .NET, the proxy class will inherit from the
SoapHttpClientProtocol class. Through this class, you have access to the
Credentials property that is used to read or set security credentials. In order
to control the authentication process, you can use the NetworkCredential
class as shown in the following code segment:
' requires Imports System.Net for ICredentials and NetworkCredential
' instantiate the XML Web Service proxy
Dim ws As WService = New WService()
' get a NetworkCredential object (user, password, domain)
Dim cred As ICredentials
cred = New NetworkCredential("Ken", "password", "nop.com")
' configure the client credentials sent with each call
ws.Credentials = cred
Dim s As String
Try
    s = ws.HelloWorld()
Catch
    ' an HTTP 401 from IIS surfaces here as an exception
    Console.WriteLine("Authentication Failed!")
End Try
Use the NetworkCredential class to pass the authentication when calling
an XML web service.
EXERCISE 8-1
Using Network Credentials
In this exercise, you will build an XML web service and configure the authentication
for it. You will also learn how to create authentication accounts for the local
server.
The second part of this exercise deals with the consumer of the web service, and
how to use the NetworkCredential class to send authentication information
to an XML Web Service.
1. Create a new Visual Basic .NET project based on the ASP.NET Web Service
template. Name the project HelloSecure.
2. Open the code module and change the namespace of the Web service from
to .
3. Change the name of the class to SHello.
<WebService(Namespace:=" _
Public Class SHello
Inherits System.Web.Services.WebService
...
End Class
4. Implement a web method named HelloWorld() that returns a string.
<WebMethod()> Public Function HelloWorld() As String
...
End Function
5. In the return statement for the HelloWorld() web method, you need to
append the name of the user that was authenticated to use the web method.
The Context.User.Identity.Name property will give you that
information.
<WebMethod()> Public Function HelloWorld() As String
    Return "Hello World " & Context.User.Identity.Name
End Function
6. Save and build the Web Service.
7. To test the web service, run the XML Web Service help application by
pressing F5. The result of running the HelloWorld() web method
should look like this:
Notice that the user identity is blank. That is because the web service at this
moment is configured to use anonymous authentication. The next step is to
change that to Windows integrated authentication, and the next few steps
show how you do that.
8. Open the Internet Services Manager console from Control Panel |
Administrative Tools.
9. Expand the localhost server.
10. Expand the Default Web Site.
11. Select the HelloSecure web site.
12. Right-click the HelloSecure web site, and select Properties from the context
menu. This will open the HelloSecure properties dialog.
13. Select the Directory Security tab in the dialog.
14. Click Edit in the Anonymous Access And Authentication Control section.
This will open the Authentication Method dialog.
15. Clear the check box next to Anonymous access.
16. Make sure that the check box next to Integrated Windows Authentication is
checked as shown here:
17. Click OK to close the Authentication Method dialog.
18. Click OK to close the HelloSecure properties dialog.
19. Close the Internet Services Management console. To test that the security
settings are in effect, you need to run the HelloSecure web service again.
20. Switch to the HelloSecure project. If you closed Visual Studio .NET earlier,
you will need to start it first.
21. Execute the HelloSecure web service by pressing F5.
22. Invoke the HelloWorld() web method. The result should be similar to
this image, apart from the username:
The addition of the security information indicates in this case that user ken from
the NOPCOMP domain is the one that is currently authenticated to the web
service.
The next step is to build a client that allows the user to enter the login information
needed; you will build a login form that uses the HelloSecure web service.
EXERCISE 8-2
Building a Security Client
For this exercise, you will build a Windows Form that will ask the user for login
credentials. You will then call the HelloSecure web service and use the returned
information to determine if the credentials you supplied were valid.
1. Create a new Visual Basic .NET project based on the Windows Application
template. Name the project HelloTest.
2. When the project is built, add two TextBox controls to the form. Change the
name of the first to txtUserName and the second to txtPassword.
3. Position the txtUserName and txtPassword controls centered
in the form.
4. Change the PasswordChar property of txtPassword to *.
5. Position a Button control directly under the txtPassword control.
6. Rename the Button control to btnHello.
7. Change the Text property of the btnHello control to "Click Me!".
8. Position a Label control directly under btnHello; size the Label control to
span the form.
9. Change the TextAlign property to MiddleCenter.
10. Clear the Text property of the Label control.
11. Change the name of the Label control to lblHello. The resulting form should
look like this:
In order to be able to use the XML web service, you will need to add a web
reference to the web service. Steps 12 to 16 show how you do that.
12. Select Add Web Reference from the Project menu to open the Add Web
Reference dialog.
13. In the Address field, enter the URL of the HelloSecure XML web service you
built in Exercise 8-1 (http://localhost/HelloSecure/Service1.asmx).
14. Press the ENTER key, or click the Enter button. The result is that the web
service is shown in the Add Web Reference dialog.
15. Click Add Reference to complete the action.
16. Expand the Web Reference tree in the Solution Explorer to ensure that the
web service has been added.
17. Open the code editor and add an import statement in the first line for
System.Net to give access to the security classes.

Imports System.Net
18. Add an event handler for the btnHello control's click event.
19. In the click event handler, you will need to declare a variable (ws) that will
be a reference to the web service and instantiate that service.
' instantiate the XML Web Service proxy
Dim ws As localhost.SHello
ws = New localhost.SHello()
20. Declare a variable to represent the security credentials (cred); it should
be of type ICredentials. Instantiate the object as belonging to the
NetworkCredential class. Pass two string parameters to the
constructor; they should be the Text properties from the txtUserName
and txtPassword controls.
' get a NetworkCredential object
Dim cred As ICredentials
cred = New NetworkCredential(txtUserName.Text, txtPassword.Text)

21. Assign the credentials to the web service's Credentials property.
' configure the client credentials
ws.Credentials = cred
At this point, you have instantiated the web service and built network
credentials that will be used when you execute the web service. The next
step is to call the web method of the web service to see if it all works. The
call to any web method must be in a Try...Catch block to ensure that
you handle authentication exceptions.
22. Declare a variable for a String.
23. Declare a Try block, call the web method, and assign the return data to the
string variable.
24. In the Catch block, assign the string literal "Authentication
Failure, try again" to the String variable.
25. After the End Try statement, assign the string variable to the Text
property of the lblHello control. The following code listing is the
complete click event handler for the btnHello control:
Private Sub btnHello_Click(ByVal sender As System.Object, _
        ByVal e As System.EventArgs) _
        Handles btnHello.Click
    ' instantiate the XML Web Service proxy
    Dim ws As localhost.SHello
    ws = New localhost.SHello()
    ' get a NetworkCredential object from the form fields
    Dim cred As ICredentials
    cred = New NetworkCredential(txtUserName.Text, txtPassword.Text)
    ' configure the client credentials sent with the call
    ws.Credentials = cred
    Dim s As String
    Try
        s = ws.HelloWorld()
    Catch
        ' a rejected login surfaces as an exception from the proxy
        s = "Authentication Failure, try again"
    End Try
    lblHello.Text = s
End Sub
26. Save and execute the application. Enter a random user name and password,
click the button, and you should get the authentication error message
shown next:
Before you can test the authentication, you will need to create some accounts that
you can test against.