SECURITY CHOICES AND XML WEB SERVICES

SQLXML 3.0 Functionality

In SQLXML 3.0, the equivalent functionality would be defined by using the IIS Virtual Directory Management for SQL Server GUI tool and adding a new virtual directory. Because we are using native HTTP support rather than an ISAPI application, when we use CREATE ENDPOINT in SQL Server 2005, we are not adding a virtual directory to IIS.

Security Choices and XML Web Services

The same reasons that HTTP is conveniently usable as a transport also make it a security risk. Firewall administrators routinely leave port 80 open for HTTP traffic. Web spiders and other search engines scour arbitrary servers looking for content to index (or break into). Tools exist that make it easy to execute a denial of service attack on an arbitrary Web server. A server listens to TCP port 80 at its own risk.

It is not the case that the HTTP protocol itself is less secure than, say, the TDS protocol; it is just more of a known quantity. The fact that the headers and verbs are text based (a feature shared by SOAP and XML) makes any message readable by default. Arbitrary TDS messages may be run through a binary decoding filter, but when you are using a text-based protocol, the filter is your eyes. Making security explicit and making denial of access the default behavior is crucial when using HTTP to talk directly to your corporate database.

As we mentioned before, SQL Server's HTTP support is turned off by default. Enabling HTTP is required. Endpoints are not started by default, and no endpoints are predefined. This is a big improvement over software that comes with Web servers preinstalled, autostarted, with security turned off.

Because SQL Server endpoints are their own Web servers, you use traditional HTTP security protocols for authentication. In addition to authentication, SQL Server's HTTP endpoints allow IP address filtering by using the RESTRICT_IP and EXCEPT_IP parameters on CREATE ENDPOINT. This is similar to the equivalent functionality found in most Web servers.

You can permit access to SQL Server endpoints using either SQL Server authentication or Windows integrated security logins on SQL Server. A variety of authentication protocols are supported, including WS-Security (the Web Service standard security authentication protocol), which will be added before SQL Server 2005 ships. Once authenticated, access to SQL Server resources (authorization) is handled by SQL Server permissions. In
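
The deny-by-default sequence described above, written out as an added example (not code from the book): the endpoint is created stopped, restricted to HTTPS and Windows integrated authentication, opened to one login through ordinary SQL Server permissions, and only then started. It assumes the CREATE ENDPOINT syntax of the released SQL Server 2005; the endpoint, database, procedure and login names are hypothetical, and the login, its database user and an SSL certificate for the port are assumed to exist already.

```sql
-- Added example. All object and login names below are hypothetical.
USE master;
GO

-- Create the endpoint STOPPED so nothing listens until permissions are in place.
CREATE ENDPOINT OrdersSoap
    STATE = STOPPED
AS HTTP (
    PATH = '/orders',
    AUTHENTICATION = (INTEGRATED),  -- Windows integrated security only
    PORTS = (SSL),                  -- HTTPS only; the clear-text port is not opened
    SITE = '*'
)
FOR SOAP (
    WEBMETHOD 'GetOrderStatus' (
        NAME = 'Sales.dbo.GetOrderStatus',
        SCHEMA = STANDARD
    ),
    BATCHES = DISABLED,             -- only the listed procedure, no ad hoc SQL batches
    LOGIN_TYPE = WINDOWS,           -- SQL Server authentication logins are not accepted
    WSDL = DEFAULT,
    DATABASE = 'Sales',
    NAMESPACE = 'http://example.com/orders'
);
GO

-- Authorization is plain SQL Server permissions:
-- CONNECT on the endpoint (server scope), EXECUTE on the procedure (database scope).
GRANT CONNECT ON ENDPOINT::OrdersSoap TO [EXAMPLE\OrdersService];
GO
USE Sales;
GO
GRANT EXECUTE ON dbo.GetOrderStatus TO [EXAMPLE\OrdersService];
GO

-- Start listening only after the grants above are in place.
ALTER ENDPOINT OrdersSoap STATE = STARTED;
GO

-- Review what is exposed: state, path, and which ports and auth schemes are enabled.
SELECT name, state_desc, url_path,
       is_clear_port_enabled, is_ssl_port_enabled,
       is_integrated_auth_enabled, is_basic_auth_enabled
FROM sys.http_endpoints;
GO
```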
