Friday, July 1, 2011

Securing WebService

Securing WebService With SOAP Headers and Extensions

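SOAP headers can be used for passing authentication data out-of-band. SOAP extensions are equally well suited to examining SOAP headers and rejecting calls that lack the required authentication data. Combine the two and we can write secure Web services that cleanly separate business logic from security logic. Note that the header in this sample carries the user name and password as plain text, so the service must be reachable only over HTTPS for the credentials to stay confidential.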

The following sample presents a technique for building secure Web services using SOAP headers and SOAP extensions.
 ------------------------------------------------------------------------------------------------
WebService Code

using System.Web.Services.Protocols;
/// <summary>
/// Sample ASMX web service whose only method is guarded by the
/// <c>AuthExtension</c> SOAP extension.
/// </summary>
public class MyWebService : System.Web.Services.WebService
{
    // Holds the AuthHeader supplied by the caller. The SoapHeader attribute
    // on HelloWorld refers to this member by its name ("Credentials").
    public AuthHeader Credentials;

    /// <summary>
    /// Returns a fixed greeting.
    /// </summary>
    /// <remarks>
    /// The method body never inspects <see cref="Credentials"/>; the check is done
    /// entirely by the [AuthExtension] attribute. Any web method that omits that
    /// attribute is callable without credentials.
    /// </remarks>
    [WebMethod, SoapHeader("Credentials", Required = true), AuthExtension]
    public string HelloWorld()
    {
        const string greeting = "Hello World";
        return greeting;
    }
}

/// <summary>
/// SOAP header that carries the caller's credentials.
/// </summary>
/// <remarks>
/// Both values are plain strings, so they appear unencrypted inside the
/// SOAP envelope unless the transport itself is encrypted.
/// </remarks>
public class AuthHeader : SoapHeader
{
    // Name the caller authenticates as.
    public string UserName;

    // Password for UserName, sent as-is (not hashed) by this sample.
    public string Password;
}


/// <summary>
/// Marks a web method so that <c>AuthExtension</c> is run for calls to it.
/// Can only be applied to methods.
/// </summary>
[AttributeUsage(AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    // Backing field for Priority; starts at 1.
    private int _extensionPriority = 1;

    /// <summary>
    /// The SOAP extension type associated with this attribute.
    /// </summary>
    public override Type ExtensionType
    {
        get { return typeof(AuthExtension); }
    }

    /// <summary>
    /// Priority value reported for the extension; defaults to 1.
    /// </summary>
    public override int Priority
    {
        get { return _extensionPriority; }
        set { _extensionPriority = value; }
    }
}

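/// <summary>
/// SOAP extension that rejects a call unless it carries an <c>AuthHeader</c>
/// with the expected user name and password.
/// </summary>
/// <remarks>
/// Sample only. The expected credentials are literals compiled into the assembly;
/// a real service should verify against a credential store that holds salted
/// password hashes and compare them in constant time. The header carries the
/// password as plain text, so the endpoint must only be exposed over HTTPS.
/// </remarks>
public class AuthExtension : SoapExtension
{
    // Demo values only; they match what the sample client sends.
    private const string ExpectedUserName = "TestUser";
    private const string ExpectedPassword = "TestPassword";

    /// <summary>
    /// Inspects the headers once the message has been deserialized and lets the
    /// call proceed only when the first AuthHeader found holds valid credentials.
    /// </summary>
    /// <param name="message">The SOAP message being processed.</param>
    /// <exception cref="SoapException">
    /// Thrown with a client fault code when no AuthHeader is present or its
    /// credentials do not match.
    /// </exception>
    public override void ProcessMessage(SoapMessage message)
    {
        // Every other processing stage passes through untouched.
        if (message.Stage != SoapMessageStage.AfterDeserialize)
        {
            return;
        }

        foreach (SoapHeader header in message.Headers)
        {
            AuthHeader credentials = header as AuthHeader;
            if (credentials == null)
            {
                continue;
            }

            if (IsAuthorized(credentials))
            {
                return; // Allow call to execute
            }

            // Only the first AuthHeader is considered; a bad one fails the call.
            break;
        }

        // Either the header isn't there or it contains invalid credentials.
        throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
    }

    /// <summary>
    /// Returns the extension's own type as the per-type initializer.
    /// </summary>
    public override Object GetInitializer(Type type)
    {
        return GetType();
    }

    /// <summary>
    /// No per-method initialization data is needed, so this returns null.
    /// </summary>
    public override Object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
        return null;
    }

    /// <summary>
    /// Nothing to initialize; the initializer value is ignored.
    /// </summary>
    public override void Initialize(Object initializer)
    {
    }

    // Compares the supplied credentials with the expected ones.
    //
    // The original code lower-cased both inputs and then compared them with
    // mixed-case literals, so no credentials could ever match and every call was
    // refused. Lower-casing the password would also have made it case-insensitive.
    // Here the user name is matched case-insensitively and the password exactly.
    // string.Equals(string, string, ...) tolerates null, so a header with a
    // missing element is rejected instead of raising NullReferenceException.
    private static bool IsAuthorized(AuthHeader credentials)
    {
        bool userMatches = string.Equals(
            credentials.UserName, ExpectedUserName, System.StringComparison.OrdinalIgnoreCase);
        bool passwordMatches = string.Equals(
            credentials.Password, ExpectedPassword, System.StringComparison.Ordinal);

        return userMatches && passwordMatches;
    }
}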
---------------------------------------------------------------------------------------------
// Client side. "localhost1" is presumably the namespace of the generated
// web-reference proxy for MyWebService - confirm against the client project.
public static localhost1.MyWebService g_ProxyWebService;

// The credentials are inlined here for the demo only; a real client should
// read them from protected configuration, and the proxy should point at an
// https:// endpoint because the header is sent as plain text.
localhost1.AuthHeader Credentials = new localhost1.AuthHeader
{
    UserName = "TestUser",
    Password = "TestPassword"
};

// Attach the header to the proxy so it is sent with calls made through it.
g_ProxyWebService = new localhost1.MyWebService();
g_ProxyWebService.AuthHeaderValue = Credentials;
