a published or unpublished Web service. Referencing a Web service and using a Web service, though, are two entirely different things. If the authentication and authorization nodes stored in the Web.Config file are modified to protect a public Web method, then the user of the Web service might be in for a shock when the Windows Authentication dialog box  appears,  a  Passport  Authentication  screen  pops  up,  a  form  login emerges, and so forth. In general, we dont want to use any type of autho- rization  that  forces  human  interaction,  because  XML  Web  services  are meant more for computer consumption than for human consumption, but it is something we may consider using. The  Web.Config  file  is  an  autonomous  security  file,  containing  more built-in methods of authentication than the Internet Information Systems (IIS) Internet Security Manager (ISM). The only way to configure Passport Authentication  in  IIS  is  through  the  Web.Config  file.  Every  available method of authentication and authorization available in IIS is also avail- able for modification in the Web.Config file, and the Web.Config file actu- ally supports even more methods of authentication than are available in the IIS ISM. We will discuss these methods further in later chapters. Other Types of Security Measures Suppose  we  are  a  full-service  brokerage  firm  that  offers  real-time  stock quotes to our clients on the Web. The Web service operates using a unique identifier as an input parameter and then returns an XML structure con- taining the stock quotes. The  fact  that  we  are  offering  only  stock  quotes  might  not  warrant  the need  for  using  encryption  software  to  disguise  the  information  because this information is common knowledge and readily available to the gen- eral public at many Web sites. The fact that we are offering this as a service available  only  to  our  clientele,  though,  might  warrant  some  form  of secrecy. After all, the stock quotes that are returned to our users will most likely reflect either the stocks held in their portfolios or ones they are inter- ested in purchasing. As a result, it might be advantageous to hide the input parameters of the Web service, making it difficult for unauthorized individuals to use the ser- vice. By keeping the parameters hidden and simply exposing a string with- out a definitive structure, you keep individuals from being able to use the service. After all, if external viewers do not know what the required XML struc- ture is to use the service and do not have access to code behind the Web service, then chances are they will send invalid XML structures and unac- ceptable values. 16 Chapter 1