a published or unpublished Web service. Referencing a Web service and
using a Web service, though, are two entirely different things.
If the authentication and authorization nodes stored in the Web.Config
file are modified to protect a public Web method, then the user of the Web
service might be in for a shock when the Windows Authentication dialog
box appears, a Passport Authentication screen pops up, a form login
emerges, and so forth. In general, we don't want to use any type of
authorization that forces human interaction, because XML Web services are
meant more for computer consumption than for human consumption, but
it is something we may consider using.
The Web.Config file is an autonomous security file, containing more
built-in methods of authentication than the Internet Information Systems
(IIS) Internet Security Manager (ISM). The only way to configure Passport
Authentication in IIS is through the Web.Config file. Every method of
authentication and authorization available in IIS is also available for
modification in the Web.Config file, and the Web.Config file actually
supports even more methods of authentication than are available in
the IIS ISM. We will discuss these methods further in later chapters.
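
The authentication and authorization nodes described above, shown as an added illustration that is not part of the original text. The file names QuoteService.asmx and Login.aspx are assumptions made for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed example. QuoteService.asmx and Login.aspx are assumed names. -->
<configuration>
  <system.web>
    <!-- Authentication is set once for the whole application.
         Valid modes: Windows, Forms, Passport, None.
         Windows: an unauthenticated caller receives an HTTP 401 challenge,
                  which a browser renders as the authentication dialog box.
         Forms:   an unauthenticated caller is redirected to loginUrl, an
                  HTML page that a SOAP client cannot fill in. -->
    <authentication mode="Windows" />

    <!-- Alternative that produces the form login instead:
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" />
    </authentication>
    -->

    <!-- Default rule for the rest of the application: everyone allowed. -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Authorization can be scoped to a single resource. Here only the
       Web service endpoint rejects anonymous callers ("?"). -->
  <location path="QuoteService.asmx">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With this in place, a consuming program has to supply credentials with each request, because no person is present to answer a prompt.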

Other Types of Security Measures

Suppose we are a full-service brokerage firm that offers real-time stock
quotes to our clients on the Web. The Web service operates using a unique
identifier as an input parameter and then returns an XML structure
containing the stock quotes.
The fact that we are offering only stock quotes might not warrant the
need for using encryption software to disguise the information because
this information is common knowledge and readily available to the
general public at many Web sites. The fact that we are offering this as a
service available only to our clientele, though, might warrant some form of
secrecy. After all, the stock quotes that are returned to our users will most
likely reflect either the stocks held in their portfolios or ones they are
interested in purchasing.
As a result, it might be advantageous to hide the input parameters of the
Web service, making it difficult for unauthorized individuals to use the
service. By keeping the parameters hidden and simply exposing a string
without a definitive structure, you keep individuals from being able to use the
After all, if external viewers do not know what the required XML
structure is to use the service and do not have access to code behind the Web
service, then chances are they will send invalid XML structures and unac-