Web Service Security Guidance
With the release of the WSE 3.0 for Visual Studio 2005 and .NET Framwork 2.0, Microsoft released the Web Service Security Guidance. This guidance captures the most common scenarios related to Web Service Security such as:
- Public Web Services
- Intranet Web Services
- Internet Business to Business
- Multiply Internet Web Services
I personally like chapter 3, that talks about security at the transport and the message layer. In fact one one of the biggest feature that is so cool about WSE 3.0 compared with WSE 2.0 is the introduction of turnkey solutions. WSE 3.0 now include 5 turnkey security profiles that can be used for the most common scenarios leaving the developers with more time to concentrate on the business logic of the service. All of these turnkey solutions can be customized.
For those that are thinking of using Windows Communication Foundation (WCF)--formerly know as "Indigo"-- for writing distributed applications in the future then I would consider WSE 3.0 now and not later. First WSE 3.0 will integrate with WCF services or clients and second, many of the transport and message turnkey solutions build in in WSE 3.0 are similar if not that the same as those provided by WCF. Therefore, your knowledge of WSE 3.0 in terms of security will pay off when you move to WCF distributed applications.
WSE 3.0 will support side by side execution with WSE 2.0. Therefore, your development machines and production services can fully support both WSE 2.0 and WSE 3.0 applications.