A4SWIFT Web Service Security – BizTalk Server


The A4SWIFT Web service is installed by default in a highly secure hybrid security model. In the IIS/ASP.NET model a trust boundary exists between the Web service, the Windows SharePoint Services site, and the A4SWIFT database.

IIS and ASP.NET Security Settings

When a call is made to the A4SWIFT Web server, IIS first authenticates the user by using Windows Authentication. The Web service's web.config file is set by default to use Windows Authentication without impersonation, and the Web service validates that the caller is a member of the A4SWIFT Users group. If the caller is a member of the A4SWIFT Users group, the Web service methods are run under the process identity of the application pool. For A4SWIFT, this is the default application pool for Windows SharePoint Services.

For the A4SWIFT Web service to delete the message from the inbox of the Web method caller, the A4SWIFT Web service must impersonate the caller for the Delete and GetCheckedOutUser methods. These are the only methods run under the context of the original caller. Because the A4SWIFT Web service is impersonating the caller of these Web methods, the caller must have explicit permissions set on the SharePoint document libraries upon which the caller is acting.
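The pattern described in the two paragraphs above (group check for every call, caller impersonation only inside selected methods), shown as an added example in C# for a .NET Framework ASMX service. It is not A4SWIFT's own code: the class name, the `CONTOSO` domain prefix, the `GetStatus` method and the method signatures are assumptions made for illustration.

```csharp
// Added illustration: hypothetical ASMX service, not the A4SWIFT source.
using System.Security;
using System.Security.Principal;
using System.Web.Services;

public class InboxService : WebService   // hypothetical class name
{
    // Assumed domain prefix; the page only names the group "A4SWIFT Users".
    private const string UsersGroup = @"CONTOSO\A4SWIFT Users";

    // IIS has already authenticated the caller with Windows Authentication.
    // Reject anyone who is not a Windows identity in the required group.
    private WindowsIdentity RequireGroupMember()
    {
        WindowsIdentity caller = User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated || !User.IsInRole(UsersGroup))
            throw new SecurityException("Caller is not a member of " + UsersGroup);
        return caller;
    }

    [WebMethod]
    public string GetStatus(string messageId)   // hypothetical method
    {
        RequireGroupMember();
        // No impersonation: the thread runs as the application pool identity,
        // so resource access is checked against that account.
        return WindowsIdentity.GetCurrent().Name;
    }

    [WebMethod]
    public string Delete(string messageId)      // signature is an assumption
    {
        WindowsIdentity caller = RequireGroupMember();
        // Impersonate only for the duration of this block. Dispose() reverts
        // the thread to the application pool identity, even if the body throws.
        using (WindowsImpersonationContext ctx = caller.Impersonate())
        {
            // Document library access made here is authorized against the
            // caller's own account, which is why the caller needs explicit
            // permissions on the libraries being acted on.
            return WindowsIdentity.GetCurrent().Name;
        }
    }
}
```

Both methods return the name of the identity the thread is running as, which makes the difference visible when testing: the application pool account for `GetStatus`, the caller's account for `Delete`.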

A4SWIFT Secure Communication Settings

A4SWIFT is concerned with guaranteeing the integrity and confidentiality of Web service messages as they flow from InfoPath to Windows SharePoint Services to BizTalk applications across the network. To provide the highest level of security, A4SWIFT supports two levels of secure communication between applications: transport-level and message-level.

Transport-Level Security

A4SWIFT supports SSL communication between InfoPath, the A4SWIFT Web service, Windows SharePoint Services, and BizTalk Server. A4SWIFT automatically adapts to the MRSR site security settings when transmitting messages.

Internet Protocol security (IPSec) can also be implemented to secure communication between BizTalk Server and SQL Server.

For more information about implementing IPSec for secure communication between BizTalk Server and SQL Server, see “Securing Your Deployment of BizTalk Server” in BizTalk Server Help.

Message-Level Security

A4SWIFT message-level security is achieved by digitally signing messages to provide integrity. Message signing in A4SWIFT is covered in detail in InfoPath Security.