tailieunhanh - Mastering Web Services Security p7

passing requests through to them, and assigning object IDs, known as object references. Object adapters also register object implementations with the ORB and, sometimes, with implementation repositories, so that server objects can be discovered at run time. Not all middleware technologies (for example, COM(+))

Chapter 8

This concludes our discussion of the building blocks of Web Services security. We hope you now have a fairly good idea of what you can do and how you can use various means to protect your Web Services. We deliberately avoided prescribing any specific approach, because you have choices for every type of security functionality (authentication, data protection, access control, and auditing), and the way you combine those choices depends largely on the specific risks in your application domain and on your business requirements. To give an example, we show in the next section how these choices were made for our sample application, eBusiness and ePortal. This is also an example of putting everything together and implementing protection for a concrete system based on and other Microsoft technologies.

Securing Access to eBusiness

Since StoreFrontService acts as a SOAP gateway to the actual business logic and data access layer, implemented as a COM server, StoreFrontMiddleTier, the middle tier enforces the access control policies. The Web Service only authenticates the incoming SOAP requests, as shown in Figure . If a user of ePortal wants to see the prices of the items and potentially purchase them, the user has to log in by providing a username and password. The presentation tier at ePortal does not authenticate the user. Instead, it uses the authentication data to perform HTTP basic authentication when making SOAP/HTTP invocations to the eBusiness Web Service hosted by IIS. Impersonation comes in very handy in this case, because it enables the Web Service to use the client's identity when calling the COM server and accessing other resources.
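The arrangement just described, written out as an added example that is not the book's own code: an ASP.NET Web Service that performs no password check of its own but relies on IIS HTTP Basic authentication and ASP.NET impersonation, and a hand-written proxy through which the ePortal presentation tier forwards the user's login as Basic credentials. The class names StoreFrontGateway and StoreFrontGatewayProxy, the method GetPrice, the SOAP namespace and the URL are assumptions; the example also assumes that IIS has Basic authentication enabled and anonymous access disabled for the virtual directory, and that web.config contains the settings quoted in the leading comment.

```csharp
// Added example, not the book's code. Assumed web.config for the virtual directory:
//
//   <system.web>
//     <authentication mode="Windows" />
//     <identity impersonate="true" />
//     <authorization><deny users="?" /></authorization>
//   </system.web>
//
// IIS (Basic authentication on, anonymous off) establishes the caller's identity
// from the Authorization: Basic header before this code runs.

using System;
using System.Net;
using System.Security.Principal;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;

// Server side (eBusiness): the SOAP gateway only observes who IIS authenticated.
public class StoreFrontGateway : WebService
{
    [WebMethod]
    public string GetPrice(string itemId)
    {
        // Identity established by IIS from the Basic credentials; <deny users="?"/>
        // already rejects anonymous callers, this check is defence in depth.
        IPrincipal caller = HttpContext.Current.User;
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Basic authentication required");

        // With <identity impersonate="true"/> the worker thread carries the caller's
        // Windows token, so COM calls and file access run as that OS account.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // Hypothetical stand-in for the call into the COM middle tier, which is where
        // the access-control policy is enforced (not in this method).
        return string.Format("{0} priced for {1} (thread identity {2})",
                             itemId, caller.Identity.Name, threadUser);
    }
}

// Client-side proxy as wsdl.exe would generate it (assumed binding and namespace).
[WebServiceBinding(Name = "StoreFrontGatewaySoap", Namespace = "http://tempuri.org/")]
public class StoreFrontGatewayProxy : SoapHttpClientProtocol
{
    [SoapDocumentMethod("http://tempuri.org/GetPrice")]
    public string GetPrice(string itemId)
    {
        object[] results = Invoke("GetPrice", new object[] { itemId });
        return (string)results[0];
    }
}

// Client side (ePortal presentation tier): no local authentication, the user's
// login is forwarded as HTTP Basic credentials on the SOAP/HTTP call.
public static class PortalCaller
{
    public static string FetchPrice(string user, string password, string itemId)
    {
        StoreFrontGatewayProxy proxy = new StoreFrontGatewayProxy();
        proxy.Url = "https://ebusiness.example/StoreFront/StoreFrontGateway.asmx"; // assumed
        proxy.Credentials = new NetworkCredential(user, password);
        proxy.PreAuthenticate = true; // send the Basic header on the first request
        return proxy.GetPrice(itemId);
    }
}
```

Two points a practitioner should check in such a setup: HTTP Basic carries the password base64-encoded rather than encrypted, so the SOAP/HTTP connection between ePortal and eBusiness needs SSL/TLS (the https URL above), and because IIS validates the credentials against Windows accounts, every ePortal user who may call the service must exist as an OS account that the Web Service machine can resolve.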
The main drawback of this scheme is the necessity of mapping ePortal customers and members onto OS accounts at the machines running the Web Service and the COM server at eBusiness. Moreover, both of these machines have to share the account database, for example by being in the same Windows domain. We did not show in this example how .