SecurityDeveloper's Gateway: Passport and XML Web Services

Developer’s Gateway: Passport and XML Web Services content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Application development has evolved in recent years and it is about to enter yet another realm of change. Web services has become a standard for application-to-application interoperability, and it is now one of the most frequently used designs by enterprise architects. Microsoft has expanded on its .NET deliverables by offering its Passport authentication service as an XML Web service this summer. Passport now supporting XML and also WS Security capabilities are signs that a shift is occurring that will ultimately increase developer productivity and open the way for a new class of applications in the future.

Network tiered approach

Developers are building complex systems utilizing components from the span of their network offerings. It is a tiered approach where the end-result is more complex, and upon completion of the application the developers can add individual components that differentiate the final product. This brings application development into the larger scheme of the marketplace, as developers are now able to focus on business value rather than just building infrastructure. The end result is a faster time to market, higher developer productivity, better quality software and more tailored solutions for consumers to choose.

XML and Web services

And more recently, the Internet has opened up yet another paradigm of application development with XML and Web services. The network tiered approach of the past allowed applications to be created for a particular business, but the beauty of XML is that applications can now interoperate regardless of the platform or the business served. Web services and XML have changed the way developers look at application development, and together they create a gateway to allow applications to act more as interoperable services rather than independent islands.

The concept of applications as a service is possible because XML couples the productive aspects of network tiered computing with message-oriented concepts of the Web. These two methods of computing meshed together form the newest stage in the evolution of application development called Web services, which allows developers to leverage from existing sources of data and services over the Internet.

Developers can then call up Web APIs from various locations and be routed across the Internet to a service residing on a remote system. A service such as Passport enables a developer to provide authentication for an application from a remote service. Also, since XML is the standard for building Web services, the issue is no longer which platform to choose or develop on. This allows business to concentrate on core functionality rather than on technology.


Passport provides a centralized authentication system for all .NET services. Its Single Sign In (SSI) technology means users no longer have to remember multiple user names and passwords for every Web site that requires them to log in. A single Passport account serves as identification to enter all participating sites.

Companies can employ this already-available authentication tool to implement new applications that were not possible before. Without the underlying infrastructure or money to spend on new technology, but a large investment in Web services from a business-perspective, companies can use Passport and hook up to a ready-made database of users that lets them in readily and easily. Another advantage is that the Web services option is both cheaper and easier than buying an additional authentication package or building it from scratch.

Passport offers the capability for developers to bind authentication within XML Web services. It makes a lot of sense and takes away a lot of fears. Why should developers deal with writing all of the security levels and the user identification list?


Developers need to work with line-of-business people, to think beyond a single application to how the company can build a customer interface. This will help build solutions that can handle more customers with less resources and extend the reach of business applications.

It is clear that Web services provide value through the interoperability across platforms and vendor offerings, but the value diminishes if users need to provide credentials every time a boundary is crossed.

In order to achieve a SSI system, the architecture of the system must be flexible enough to allow a method of authenticating users and services through disparate systems and networks. Through adopting Passport as the authentication and identity provider and strategic approach to solutions architecture, developers and development teams are on the mission of building security and identity into the boilerplate of the solution. This not only simplifies the complexity of building secure applications by outsourcing the identity and authentication piece to a “trusted” specialized agent; but also gives the Web service the ability to concentrate on the service provided and the authority to consume it.


There is always a trust issue, with the question of how you can be sure that the information is truly secure and not being used by others. If you trust Microsoft with your operating system, why not Passport? The majority of users will already have a trust base with Microsoft, but it is the recent breaches in security that have raised the question of whether Passport data could be vulnerable. While the Passport database continues to grow by providing services to sites such as MSN, Hotmail and eBay, Microsoft will continue to evolve its security practices in order to improve user confidentiality risks.

Microsoft’s challenge

With the setbacks in light of the recent security flaws, it should come as no surprise that Passport may take even longer to become more popular. The problem of impersonating another user could potentially allow someone to go into, for example, and hack into the records. Because of this security risk, Citicards forces users to provide a second password registered on Citibank’s records. At the end this defeats the entire purpose of using and subscribing to Passport. Any security blunder such as this gives the opportunity for other competitors to quickly gain market share.

Client’s challenge

There is also a risk on the client side of Web services by creating cookies that can be captured and used for identity theft or impersonation. Web services will not create cookies on servers or databases unless they maliciously do so. But the latest security breaches prove that a user who is not logged into Passport is not safe from impersonation.

It only takes an unsecure application and a careless user for someone to be able to capture a user’s Passport credentials or impersonate them. For example, someone uses a vulnerable browser (such as all IE browsers prior to 5.5) that exposes the cookies content to hackers over the Web. The problem is not the cookies themselves, but the browser. With past vulnerabilities, hackers did not need to decrypt the Passport token to impersonate a user. They were able to use Passport’s cookie and use the token to gain access to the user’s information.

Measures Microsoft can take to ensure security

To ensure security, Microsoft needs to manage the issuance of patches to their software as vulnerabilities either are exposed or identified. To alleviate past problems, Microsoft has already taken the Secure Code/Applications initiative, where experts assesses all applications and identify all potential security flaws and risks, mitigate the risks, take proper action and ensure only certified code is issued. This initiative comes from the inside out and will change the way applications are developed and used on the Microsoft platform.

Measures developers can take to add further security

It is very difficult to build a totally secure system, but there are certain variables provided by the browser that can be used to further validate a user and make this type of attack more difficult. There are a couple of features developers can do to ensure further protection to their users, but they will all add extra coding and administration.

  • Using the hashed value of the User-Agent header as an additional identity token. To replicate this, the hacker would need to replicate the user’s browser; a task that while possible, will definitely add an extra layer of complexity
  • Timeout the session in a shorter timeframe, forcing the user to reenter the password upon timeout
  • The IP address could be used as a validation point. Certain Web technologies such as Web proxies would need to be considered, but this would add an extra layer of validity to the authentication process
  • Users should be required to provide their password when purchasing items.
  • Make sure that when the user is leaving a site, all high risk cookies are deleted from the system.

Looking forward

The largest issue ahead in spreading adoption of XML Web services is the education of corporate IT on the business benefits. In the face of recent fears, developers cannot do much to change the impact that the media’s scare tactics have on corporate decision-makers. However, Gartner’s suggestion of submitting the Passport’s source code for open-source review to regain trust would be a solid step in the right direction. An architecture and development team can see and understand the benefits of having all applications distributed and working as Web services on the technical side. For business, the idea of turning information into a service is amazing progress, and the concept of offering an application as a service and charging for the use or consumption is a whole paradigm shift for the software industry.

On the other side, Passport has been available as a Web service for some time, but due to the structure and security concerns of the past, only larger enterprises that had the infrastructure to support and develop applications, such as Citibank (Citicards) and eBay (, really took advantage of it. The support of WS Security should begin to quench the fears that smaller enterprises and developers of business-to-business and business-to-consumer applications face. It will take time for Passport and XML Web services to be fully adopted by the public. In the mean time, developers need to create solutions using both proprietary authentication services and other agents such as Passport. XML Web services will continue to evolve and will eventually offer services never imagined before.

About the Author

Ted Dinsmore –

Ted is president of Conchango New York and founded the practice in 1997. He has since built it into a full consultancy, additionally establishing North-East practices in the Connecticut and Boston markets. He is responsible for sales and business development in the North-East region, with a customer base of American Fortune 500 firms. In addition, he has built up relationships with Microsoft, to provide solutions in the New York and New England marketplace for international clients. Ted has worked with international organizations in both Washington DC and New York, including USA Today and the French government.

# # #

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Latest Posts

Related Stories