Introduction, Integration and Securing Web Services

I'm Jason Hogg, a Program Manager on the Microsoft patterns & practices team. Myself and a cast of patterns & practices rock stars including Don Smith, Jonathan Wanagel, David Trowbridge, Larry Brader, Nelly Delgado and many more are responsible for planning and developing guidance relating to Integration. For the last 9 months we have been focusing on Web service security and have three very exciting projects in the pipeline. Rather than bore you with the nitty-gritty details of all of them - I thought I would start with the first, and then over the next week or so talk more about the others.

  1. Web Service Security: Scenarios, Patterns and Implementations - Releasing on December 2nd!  A guide that demystifies web service security through the use of:
    • Five security decision matrices that help you take your requirements and decide how best to configure your web services based on client credential type, message protection level, message vs transport layer security and so forth
    • Four sample scenarios that are representative of typical customer challenges, each described to illustrate how to use the security decision matrices resulting in a selection of design and implementation patterns
    • Architecture and design patterns that provide prescriptive solutions to recurring problems independent of a particular technology. This abstraction allows the guidance / patterns to remain relevant from WSE 2.0 to WSE 3.0 and of course onto Indigo (now called WCF). Rather than having to go back to the drawing board when you move from one product to the next you can simply look for the WCF versions of our implementation patterns and learn how a pattern like "Exception Shielding" can be implemented on WCF.
    • Composite implementation patterns - This is where the tires hit the road. Rather than forcing you to work out whether it is ok to use data encryption without data integrity we have grouped a series of design patterns together that make sense from a security perspective and then demonstrate how to do that in a single composite implementation pattern. Our first release was based on WSE 2.0 (we only released to the GotDotNet workspace), and our release, which will go live in two weeks' time, is based on WSE 3.0.
    • Implementation patterns - Additional implementation patterns that can be incrementally added to the composite patterns. Again demonstrated on WSE 3.0 and in many cases also demonstrating some of the great extensibility points of WSE 3.0. Look for implementation patterns such as: Message Replay Protection, Service Perimeter Router, Message Validation and more...
    • Technical Supplements - In depth content that should be considered when you start thinking about deploying your Web services to production
      • Anyone who has tried to deploy a Kerberos-based web service to production has probably wondered how best to support web farms, how to create SPNs (or even why) and would have also loved a troubleshooting guide. We have it.
      • We also have a similar guide for X.509 as well... so before you ask whether you should use MakeCert for production (answer is no) take a look at our X.509 technical supplement.
    • Quickstarts - We are going to post actual sample code that shows each of the patterns actually running. So you can actually execute a sample application to better understand how the patterns work. Stay tuned to our GotDotNet workspace as we hope to post these in the next couple of weeks.
  2. Security Token Service Quickstart for WSE 3.0 - A sample demonstrating how to issue and consume SAML v1.1 tokens on WSE 3.0. Stay tuned for more.
  3. WS-I Basic Security Profile Reference Implementation - A WSE 3.0 version of the age old classic demonstration of cross platform interoperability. Stay tuned for more.

Anyway, before I turn this into a book, I thought I would conclude by emphasizing how much we value our customers' contributions to our work. For most of our projects we set up customer advisory boards that help us better understand specific requirements; we also use GotDotNet workspaces to get feedback on beta releases to help us fine-tune our deliverables prior to release. Discussions on our workspaces are often the most interesting as we get to observe multiple people's opinions on subjects, which allows all of us to better understand the intricacies of certain scenarios. We are also happy to interact directly. I should also mention that Don is working on a survey which will help us determine what challenges we focus on as we start to consider what guidance should accompany WCF. If you have ideas please let us know...