I would suggest SSL, a firewall rule restricted to a fixed client IP range or server, and digital signatures.
If you are using C#, .NET 2.0 and WSE 2.0 (I think that is what I see in your repository?), I would suggest one of these two methods, depending on how easy each is for the calling organization to implement.
#1. How to: Verify Digital Signatures of SOAP Messages Signed by an X.509 Certificate
http://msdn2.microsoft.com/en-us/library/ms824650.aspx
#2. How to: Verify Digital Signatures of SOAP Messages Signed Using a User Name and Password
http://msdn2.microsoft.com/en-us/library/ms819945.aspx
How to: Add Security Credentials to a SOAP Message
http://msdn2.microsoft.com/en-us/library/ms819938.aspx
Use MessageSignature instead of the EncryptedData class, because SSL provides the overall encryption:
http://msdn2.microsoft.com/en-us/library/microsoft.web.services2.security.messagesignature.aspx
If you want to use WSE 3.0 instead, the setup is similar.
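A sketch of method #1 on the receiving side with WSE 2.0, added here as an illustration and not taken from the original post or the linked MSDN articles: the web method rejects any request whose SOAP body is not covered by a MessageSignature made with an X.509 token, then pins the signer. The service name, operation name and thumbprint placeholder are assumptions.

```csharp
using System;
using System.Web.Services;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

public class PartnerService : WebService   // hypothetical service name
{
    // Placeholder (assumption): thumbprint of the calling organization's certificate.
    private const string AllowedThumbprint = "<CALLER-CERT-THUMBPRINT>";

    [WebMethod]
    public string Submit(string payload)   // hypothetical operation
    {
        SoapContext request = RequestSoapContext.Current;
        if (request == null)
            throw new ApplicationException("Only SOAP requests are permitted.");

        X509SecurityToken signer = GetBodySigningToken(request);
        if (signer == null)
            throw new ApplicationException("The SOAP body must be signed with an X.509 certificate.");

        // WSE checks the signature itself before this method runs; the code
        // still has to decide whether this particular signer is acceptable.
        string thumbprint = signer.Certificate.GetCertHashString();
        if (String.Compare(thumbprint, AllowedThumbprint, true) != 0)
            throw new ApplicationException("Signing certificate is not on the allow list.");

        return "accepted";
    }

    // Returns the X.509 token whose signature covers the SOAP body, or null.
    private static X509SecurityToken GetBodySigningToken(SoapContext request)
    {
        foreach (ISecurityElement element in request.Security.Elements)
        {
            MessageSignature signature = element as MessageSignature;
            if (signature == null) continue;
            // A signature that only covers headers does not protect the payload.
            if ((signature.SignatureOptions & SignatureOptions.IncludeSoapBody) == 0) continue;
            X509SecurityToken token = signature.SigningToken as X509SecurityToken;
            if (token != null) return token;
        }
        return null;
    }
}
```

The explicit check matters because an unsigned request, or one signed with a user name token, would otherwise reach the method body without any X.509 signer to identify the caller.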
Writing a WCF service is another option. That would allow you to create the service once and specify this type of security behavior in configuration when exposing it as a web service.