Securing WebService With SOAP Headers and Extensions
SOAP headers can be used for passing authentication data out-of-band. SOAP extensions are equally ideal for examining SOAP headers and rejecting calls that lack the required authentication data. Combine the two and we can write secure Web services that cleanly separate business logic from security logic.
The following sample presents a technique for building secure Web services using SOAP headers and SOAP extensions.
------------------------------------------------------------------------------------------------
WebService Code
using System.Web.Services.Protocols;
/// <summary>
/// Sample ASMX service whose single operation is guarded by <see cref="AuthExtension"/>.
/// </summary>
public class MyWebService : System.Web.Services.WebService
{
    /// <summary>
    /// Target of the <c>SoapHeader("Credentials")</c> binding on <see cref="HelloWorld"/>;
    /// it is the deserialized <see cref="AuthHeader"/> of the current request.
    /// </summary>
    public AuthHeader Credentials;

    /// <summary>
    /// Returns a fixed greeting. The method body itself contains no security logic; the
    /// <see cref="AuthExtension"/> attached below rejects unauthenticated calls before it runs.
    /// </summary>
    /// <returns>The string "Hello World".</returns>
    [WebMethod]
    [SoapHeader("Credentials", Required = true)]
    [AuthExtension]
    public string HelloWorld()
    {
        const string greeting = "Hello World";
        return greeting;
    }
}
/// <summary>
/// SOAP header carrying the caller's credentials.
/// </summary>
/// <remarks>
/// Both values are carried verbatim in the SOAP envelope; nothing in this sample hashes them
/// or enforces a protected transport, so TLS is required to keep the password confidential.
/// </remarks>
public class AuthHeader : SoapHeader
{
    /// <summary>User name presented by the caller.</summary>
    public string UserName;

    /// <summary>Password presented by the caller.</summary>
    public string Password;
}
/// <summary>
/// Marks a web method as guarded by <see cref="AuthExtension"/>.
/// </summary>
[AttributeUsage(AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    private int priority = 1;

    /// <summary>
    /// Position of the extension in the SOAP extension pipeline; defaults to 1.
    /// </summary>
    public override int Priority
    {
        get
        {
            return this.priority;
        }
        set
        {
            this.priority = value;
        }
    }

    /// <summary>
    /// The extension type created for every method carrying this attribute.
    /// </summary>
    public override Type ExtensionType
    {
        get
        {
            return typeof(AuthExtension);
        }
    }
}
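/// <summary>
/// SOAP extension that rejects any call whose <see cref="AuthHeader"/> is missing or carries
/// credentials that do not match the expected pair.
/// </summary>
/// <remarks>
/// The check runs at <see cref="SoapMessageStage.AfterDeserialize"/>, i.e. once the headers have been
/// decoded but before the web method body executes. The expected credentials are constants because
/// this sample has no credential store; a real service would look them up (as hashes) from
/// configuration or a user database rather than compiling them into the assembly.
/// </remarks>
public class AuthExtension : SoapExtension
{
    // Sample credentials only. Never ship constants like these in a production service.
    private const string ExpectedUserName = "TestUser";
    private const string ExpectedPassword = "TestPassword";

    /// <summary>
    /// Inspects the incoming message and throws a client fault when the credentials are absent or wrong.
    /// </summary>
    /// <param name="message">The SOAP message for the current pipeline stage.</param>
    /// <exception cref="SoapException">
    /// Thrown with <see cref="SoapException.ClientFaultCode"/> when no <see cref="AuthHeader"/> is present
    /// or its credentials are invalid.
    /// </exception>
    public override void ProcessMessage(SoapMessage message)
    {
        // Headers are only available once deserialized; every other stage passes straight through.
        if (message.Stage != SoapMessageStage.AfterDeserialize)
        {
            return;
        }

        // Only the first AuthHeader is examined; a message carrying several is not accepted on the
        // strength of a later one.
        foreach (SoapHeader header in message.Headers)
        {
            AuthHeader credentials = header as AuthHeader;
            if (credentials == null)
            {
                continue;
            }

            if (CredentialsAreValid(credentials.UserName, credentials.Password))
            {
                return; // Allow the call to execute.
            }

            break;
        }

        // Either the header is absent or its credentials are invalid. The fault text is deliberately the
        // same in both cases so a caller cannot tell which check failed.
        throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
    }

    /// <summary>
    /// Compares the supplied credentials with the expected pair.
    /// </summary>
    /// <param name="userName">User name from the header; null when the element was omitted.</param>
    /// <param name="password">Password from the header; null when the element was omitted.</param>
    /// <returns>true when both values match; false otherwise, including when either is null.</returns>
    /// <remarks>
    /// The original check lower-cased both values and compared them with mixed-case literals, so it could
    /// never succeed; it also made the password case-insensitive and used the current culture for the
    /// conversion. Here the user name is compared ordinally ignoring case, and the password is compared
    /// ordinally, case-sensitively and in fixed time so the comparison does not reveal how many leading
    /// characters matched. Null fields are rejected instead of raising a NullReferenceException, which the
    /// runtime would otherwise surface to the caller as a server fault.
    /// </remarks>
    public static bool CredentialsAreValid(string userName, string password)
    {
        if (userName == null || password == null)
        {
            return false;
        }

        bool userOk = string.Equals(userName, ExpectedUserName, StringComparison.OrdinalIgnoreCase);
        bool passwordOk = FixedTimeEquals(password, ExpectedPassword);

        // Non-short-circuiting AND: both checks always run so a wrong user name costs the same time as a
        // wrong password.
        return userOk & passwordOk;
    }

    /// <summary>
    /// Ordinal, case-sensitive comparison whose running time depends only on the length of
    /// <paramref name="expected"/>, not on the position of the first mismatch.
    /// </summary>
    /// <param name="actual">Value supplied by the caller.</param>
    /// <param name="expected">Reference value.</param>
    /// <returns>true when the two strings are identical.</returns>
    private static bool FixedTimeEquals(string actual, string expected)
    {
        // A length mismatch is folded into the result rather than returned early so the loop still runs.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < expected.Length; i++)
        {
            char c = i < actual.Length ? actual[i] : '\0';
            diff |= c ^ expected[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// No per-type state is needed; the returned value is not used by <see cref="Initialize"/>.
    /// </summary>
    /// <param name="type">The web service type the extension is attached to.</param>
    /// <returns>This extension's runtime type.</returns>
    public override object GetInitializer(Type type)
    {
        return GetType();
    }

    /// <summary>
    /// No per-method state is needed.
    /// </summary>
    /// <param name="info">The web method the extension is attached to.</param>
    /// <param name="attribute">The attribute instance that applied the extension.</param>
    /// <returns>Always null.</returns>
    public override object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
        return null;
    }

    /// <summary>
    /// Nothing to initialize; the initializer returned by the <see cref="GetInitializer(Type)"/> overload is ignored.
    /// </summary>
    /// <param name="initializer">Ignored.</param>
    public override void Initialize(object initializer)
    {
    }
}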
---------------------------------------------------------------------------------------------
// Proxy to the service; localhost1.MyWebService is the generated client type.
public static localhost1.MyWebService g_ProxyWebService;
g_ProxyWebService = new localhost1.MyWebService();
// Build the AuthHeader that the server-side AuthExtension checks and attach it to the proxy;
// presumably the proxy then includes it in each call it makes — confirm against the generated proxy.
localhost1.AuthHeader Credentials = new localhost1.AuthHeader();
// NOTE(review): sample credentials hard-coded in client source; a real client should read them from a
// protected configuration store or prompt the user rather than compile them in.
Credentials.UserName = "TestUser";
Credentials.Password = "TestPassword";
// NOTE(review): nothing here selects an https endpoint — confirm the proxy's Url before a password is sent.
g_ProxyWebService.AuthHeaderValue = Credentials;
SOAP headers can be used for passing authentication data out-of-band. SOAP extensions are equally ideal for examining SOAP headers and rejecting calls that lack the required authentication data. Combine the two and we can write secure Web services that cleanly separate business logic from security logic.
The following sample presents a technique for building secure Web services using SOAP headers and SOAP extensions.
------------------------------------------------------------------------------------------------
WebService Code
using System.Web.Services.Protocols;
/// <summary>
/// Sample ASMX service whose single operation is guarded by <see cref="AuthExtension"/>.
/// </summary>
public class MyWebService : System.Web.Services.WebService
{
    /// <summary>
    /// Target of the <c>SoapHeader("Credentials")</c> binding on <see cref="HelloWorld"/>;
    /// it is the deserialized <see cref="AuthHeader"/> of the current request.
    /// </summary>
    public AuthHeader Credentials;

    /// <summary>
    /// Returns a fixed greeting. The method body itself contains no security logic; the
    /// <see cref="AuthExtension"/> attached below rejects unauthenticated calls before it runs.
    /// </summary>
    /// <returns>The string "Hello World".</returns>
    [WebMethod]
    [SoapHeader("Credentials", Required = true)]
    [AuthExtension]
    public string HelloWorld()
    {
        const string greeting = "Hello World";
        return greeting;
    }
}
/// <summary>
/// SOAP header carrying the caller's credentials.
/// </summary>
/// <remarks>
/// Both values are carried verbatim in the SOAP envelope; nothing in this sample hashes them
/// or enforces a protected transport, so TLS is required to keep the password confidential.
/// </remarks>
public class AuthHeader : SoapHeader
{
    /// <summary>User name presented by the caller.</summary>
    public string UserName;

    /// <summary>Password presented by the caller.</summary>
    public string Password;
}
/// <summary>
/// Marks a web method as guarded by <see cref="AuthExtension"/>.
/// </summary>
[AttributeUsage(AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    private int priority = 1;

    /// <summary>
    /// Position of the extension in the SOAP extension pipeline; defaults to 1.
    /// </summary>
    public override int Priority
    {
        get
        {
            return this.priority;
        }
        set
        {
            this.priority = value;
        }
    }

    /// <summary>
    /// The extension type created for every method carrying this attribute.
    /// </summary>
    public override Type ExtensionType
    {
        get
        {
            return typeof(AuthExtension);
        }
    }
}
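/// <summary>
/// SOAP extension that rejects any call whose <see cref="AuthHeader"/> is missing or carries
/// credentials that do not match the expected pair.
/// </summary>
/// <remarks>
/// The check runs at <see cref="SoapMessageStage.AfterDeserialize"/>, i.e. once the headers have been
/// decoded but before the web method body executes. The expected credentials are constants because
/// this sample has no credential store; a real service would look them up (as hashes) from
/// configuration or a user database rather than compiling them into the assembly.
/// </remarks>
public class AuthExtension : SoapExtension
{
    // Sample credentials only. Never ship constants like these in a production service.
    private const string ExpectedUserName = "TestUser";
    private const string ExpectedPassword = "TestPassword";

    /// <summary>
    /// Inspects the incoming message and throws a client fault when the credentials are absent or wrong.
    /// </summary>
    /// <param name="message">The SOAP message for the current pipeline stage.</param>
    /// <exception cref="SoapException">
    /// Thrown with <see cref="SoapException.ClientFaultCode"/> when no <see cref="AuthHeader"/> is present
    /// or its credentials are invalid.
    /// </exception>
    public override void ProcessMessage(SoapMessage message)
    {
        // Headers are only available once deserialized; every other stage passes straight through.
        if (message.Stage != SoapMessageStage.AfterDeserialize)
        {
            return;
        }

        // Only the first AuthHeader is examined; a message carrying several is not accepted on the
        // strength of a later one.
        foreach (SoapHeader header in message.Headers)
        {
            AuthHeader credentials = header as AuthHeader;
            if (credentials == null)
            {
                continue;
            }

            if (CredentialsAreValid(credentials.UserName, credentials.Password))
            {
                return; // Allow the call to execute.
            }

            break;
        }

        // Either the header is absent or its credentials are invalid. The fault text is deliberately the
        // same in both cases so a caller cannot tell which check failed.
        throw new SoapException("Unauthorized", SoapException.ClientFaultCode);
    }

    /// <summary>
    /// Compares the supplied credentials with the expected pair.
    /// </summary>
    /// <param name="userName">User name from the header; null when the element was omitted.</param>
    /// <param name="password">Password from the header; null when the element was omitted.</param>
    /// <returns>true when both values match; false otherwise, including when either is null.</returns>
    /// <remarks>
    /// The original check lower-cased both values and compared them with mixed-case literals, so it could
    /// never succeed; it also made the password case-insensitive and used the current culture for the
    /// conversion. Here the user name is compared ordinally ignoring case, and the password is compared
    /// ordinally, case-sensitively and in fixed time so the comparison does not reveal how many leading
    /// characters matched. Null fields are rejected instead of raising a NullReferenceException, which the
    /// runtime would otherwise surface to the caller as a server fault.
    /// </remarks>
    public static bool CredentialsAreValid(string userName, string password)
    {
        if (userName == null || password == null)
        {
            return false;
        }

        bool userOk = string.Equals(userName, ExpectedUserName, StringComparison.OrdinalIgnoreCase);
        bool passwordOk = FixedTimeEquals(password, ExpectedPassword);

        // Non-short-circuiting AND: both checks always run so a wrong user name costs the same time as a
        // wrong password.
        return userOk & passwordOk;
    }

    /// <summary>
    /// Ordinal, case-sensitive comparison whose running time depends only on the length of
    /// <paramref name="expected"/>, not on the position of the first mismatch.
    /// </summary>
    /// <param name="actual">Value supplied by the caller.</param>
    /// <param name="expected">Reference value.</param>
    /// <returns>true when the two strings are identical.</returns>
    private static bool FixedTimeEquals(string actual, string expected)
    {
        // A length mismatch is folded into the result rather than returned early so the loop still runs.
        int diff = actual.Length ^ expected.Length;
        for (int i = 0; i < expected.Length; i++)
        {
            char c = i < actual.Length ? actual[i] : '\0';
            diff |= c ^ expected[i];
        }
        return diff == 0;
    }

    /// <summary>
    /// No per-type state is needed; the returned value is not used by <see cref="Initialize"/>.
    /// </summary>
    /// <param name="type">The web service type the extension is attached to.</param>
    /// <returns>This extension's runtime type.</returns>
    public override object GetInitializer(Type type)
    {
        return GetType();
    }

    /// <summary>
    /// No per-method state is needed.
    /// </summary>
    /// <param name="info">The web method the extension is attached to.</param>
    /// <param name="attribute">The attribute instance that applied the extension.</param>
    /// <returns>Always null.</returns>
    public override object GetInitializer(LogicalMethodInfo info, SoapExtensionAttribute attribute)
    {
        return null;
    }

    /// <summary>
    /// Nothing to initialize; the initializer returned by the <see cref="GetInitializer(Type)"/> overload is ignored.
    /// </summary>
    /// <param name="initializer">Ignored.</param>
    public override void Initialize(object initializer)
    {
    }
}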
---------------------------------------------------------------------------------------------
// Proxy to the service; localhost1.MyWebService is the generated client type.
public static localhost1.MyWebService g_ProxyWebService;
g_ProxyWebService = new localhost1.MyWebService();
// Build the AuthHeader that the server-side AuthExtension checks and attach it to the proxy;
// presumably the proxy then includes it in each call it makes — confirm against the generated proxy.
localhost1.AuthHeader Credentials = new localhost1.AuthHeader();
// NOTE(review): sample credentials hard-coded in client source; a real client should read them from a
// protected configuration store or prompt the user rather than compile them in.
Credentials.UserName = "TestUser";
Credentials.Password = "TestPassword";
// NOTE(review): nothing here selects an https endpoint — confirm the proxy's Url before a password is sent.
g_ProxyWebService.AuthHeaderValue = Credentials;