Securing WebService

Securing WebService With SOAP Headers and Extensions

SOAP headers can be used for passing authentication data out-of-band. SOAP extensions are equally ideal for examining SOAP headers and rejecting calls that lack the required authentication data. Combine the two and we can write secure Web services that cleanly separate business logic from security logic.

The following sample presents a technique for building secure Web services using SOAP headers and SOAP extensions.
 ------------------------------------------------------------------------------------------------
WebService Code

using System;
using System.Web.Services;
using System.Web.Services.Protocols;

public class MyWebService : System.Web.Services.WebService
{
    // Populated by ASP.NET from the SOAP header of each request.
    public AuthHeader Credentials;

    [AuthExtension]
    [SoapHeader("Credentials", Required = true)]
    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World";
    }
}

// Custom SOAP header that carries the caller's credentials.
public class AuthHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

// Marking a Web method with [AuthExtension] routes its messages through AuthExtension.
[AttributeUsage(AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    int _priority = 1;

    public override int Priority
    {
        get { return _priority; }
        set { _priority = value; }
    }

    public override Type ExtensionType
    {
        get { return typeof(AuthExtension); }
    }
}

public class AuthExtension : SoapExtension
{
    public override void ProcessMessage(SoapMessage message)
    {
        // AfterDeserialize: the request has been parsed into objects,
        // but the Web method has not run yet.
        if (message.Stage == SoapMessageStage.AfterDeserialize)
        {
            // Check for an AuthHeader containing valid credentials
            foreach (SoapHeader header in message.Headers)
            {
                if (header is AuthHeader)
                {
                    AuthHeader credentials = (AuthHeader)header;
                    // Exact (ordinal, case-sensitive) comparison; == is also
                    // safe when a field is null. The pair is sample data only.
                    if (credentials.UserName == "TestUser" &&
                        credentials.Password == "TestPassword")
                        return; // Allow call to execute
                    break;
                }
            }

            // Fail the call if we get to here. Either the header
            // isn't there or it contains invalid credentials.
            throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
        }
    }

    // This extension keeps no per-type or per-method state.
    public override Object GetInitializer(Type type)
    {
        return GetType();
    }

    public override Object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
        return null;
    }

    public override void Initialize(Object initializer)
    {
    }
}
---------------------------------------------------------------------------------------------
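Client Code

// Field in the client class; localhost1 is the namespace of the generated proxy.
public static localhost1.MyWebService g_ProxyWebService;

// In the client's calling code:
g_ProxyWebService = new localhost1.MyWebService();
localhost1.AuthHeader Credentials = new localhost1.AuthHeader();
Credentials.UserName = "TestUser";
Credentials.Password = "TestPassword";

// Attach the header to the proxy so it is sent with the call.
// The header travels as plain XML in the SOAP envelope, so call the service over HTTPS.
g_ProxyWebService.AuthHeaderValue = Credentials;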
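
The sample above checks the header against a single hard-coded user name and password. As an added example (not code from the original post), the check inside the extension could instead verify the password against a stored salted PBKDF2 hash with a constant-time comparison. CredentialVerifier, its members, the iteration count and the in-memory store are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: hypothetical helper for AuthExtension.ProcessMessage.
// All names here are assumptions, not part of the original sample.
public static class CredentialVerifier
{
    private const int Iterations = 100000;   // PBKDF2 work factor (assumed value)
    private const int HashBytes = 32;

    // Constructed in-memory store: user name -> { salt, PBKDF2 hash }.
    // A real service would load these records from its user database.
    private static readonly Dictionary<string, byte[][]> Users =
        new Dictionary<string, byte[][]>(StringComparer.Ordinal);

    public static void Register(string userName, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        Users[userName] = new[] { salt, Derive(password, salt) };
    }

    // True only for a known user with the exact (case-sensitive) password.
    public static bool IsValid(string userName, string password)
    {
        if (userName == null || password == null)
            return false;                     // header fields were omitted
        byte[][] record;
        if (!Users.TryGetValue(userName, out record))
            return false;
        return FixedTimeEquals(record[1], Derive(password, record[0]));
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        // The four-argument constructor needs .NET Framework 4.7.2 or later.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashBytes);
    }

    // Compares every byte so timing does not reveal where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In AuthExtension.ProcessMessage the hard-coded test would then read `if (CredentialVerifier.IsValid(credentials.UserName, credentials.Password)) return;`.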
