.NET Web Services Security : Page 4

.NET has a lot to offer when it comes to both developing and consuming secure Web services. .NET allows developers to either rely on Windows-based authentication or develop custom authentication mechanisms. Each option has its own tradeoffs and implications on the programming models.

SOAP Headers
SOAP headers allow the client of a Web service to pass additional contextual information to the Web service object, without invoking methods. The client adds the information to the SOAP payload and it is up to the Web service to make use of it. When you implement a .NET Web service, .NET performs all the work involved in processing the headers. You can use SOAP headers to pass caller credentials to a Web service, but if you do so you should use secure channels, because the header information is transported in clear text.

The System.Web.Services.Protocols namespace provides support for SOAP headers. To use SOAP headers, you need to derive a class from SoapHeader and add credentials, such as user name and password, as class members. The class members in a SOAP header class must be public and in the form of fields or properties only (see Listing 5). Next, you need to add a member variable of the header type to the Web service class (see AuthHeader in Listing 5). When .NET creates the Web Services Description Language (WSDL) associated with the service, the WSDL will contain the appropriate type information about the SOAP header member variable for the use of the clients.

You must decorate any Web method that accesses a SOAP header variable with the SoapHeader attribute, letting .NET know which member variable the method accesses:

   [SoapHeader("AuthHeader")]
   [WebMethod]
   public int Add(int num1, int num2)
   {
      ...
   }

.NET will automatically initialize the AuthHeader member with the information provided by the client. All that is left for each sensitive Web method to do is to authenticate the caller (using UserManager again). In Listing 5, this is done using the Authenticate() helper method, which simply extracts the credentials from the header member variable and passes them to UserManager.

When a .NET client adds a Web reference to a service that uses SOAP headers, .NET will generate a definition of a client-side SoapHeader-derived class, with public fields only (properties in the original header class are converted to fields). .NET will also add a matching member variable to the wrapper class. The type of that member will be the type of the client-side header class, and the name of the member will be the type name with a Value suffix, for example:

   public class AuthenticationHeader : SoapHeader
   {
      public string UserName;
      public string Password;
   }

   public class SecureCalculator : SoapHttpClientProtocol
   {
      public AuthenticationHeader AuthenticationHeaderValue;
      //Method wrappers
   }

The wrapper class header member variable is set to null by default.

To pass credentials, the client has to initialize the member and call the Web method:

   SecureCalculator calc = new SecureCalculator();
   calc.AuthenticationHeaderValue = new AuthenticationHeader();
   calc.AuthenticationHeaderValue.UserName = "UserName";
   calc.AuthenticationHeaderValue.Password = "Password";
   calc.Add(2, 3);

The header will be forwarded to the Web service, which uses it to authenticate the caller. If the credentials are static, the client can also encapsulate initialization of the SOAP header in the wrapper class constructor.

Using SOAP headers in this manner requires that the client provide credentials on every method call. Authentication on the server side can be a time-consuming operation. If one-time authentication is sufficient for your needs, you can optimize for throughput and use a session variable to record the fact that the client has already authenticated itself. Listing 6 shows this technique. When asked to authenticate, the Web service checks the value of the IsAuthenticated property, which encapsulates the session variable. If the caller is already authenticated, no further action is required. If not, the service uses UserManager to authenticate the caller.

Note that the client still must provide the credentials in the SOAP header on every call, but the service uses them only during the first call.
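As an added example (not Listing 5 or Listing 6 from the article), here is the server side of the pattern described above in one piece: the SoapHeader-derived credential class, the AuthHeader member the framework fills in, and an Authenticate() helper that caches the result in a session variable. It assumes the article's UserManager exposes a static Authenticate(string, string) method returning bool; that signature is an assumption. Because .NET leaves the header member null when a client sends no header, the helper treats a missing or incomplete header as a failed authentication rather than as an anonymous caller.

```csharp
using System;
using System.Web.Services;
using System.Web.Services.Protocols;

// Credentials carried in the SOAP header: public fields or properties only.
public class AuthenticationHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

public class SecureCalculator : WebService
{
    // .NET populates this from the incoming SOAP header (null if absent).
    public AuthenticationHeader AuthHeader;

    [SoapHeader("AuthHeader")]
    [WebMethod(EnableSession = true)]
    public int Add(int num1, int num2)
    {
        Authenticate();
        return num1 + num2;
    }

    // Session flag so the costly credential check runs once per session.
    private bool IsAuthenticated
    {
        get { return Session["IsAuthenticated"] is bool && (bool)Session["IsAuthenticated"]; }
        set { Session["IsAuthenticated"] = value; }
    }

    private void Authenticate()
    {
        if (IsAuthenticated)
            return;

        // Reject a missing or incomplete header; never treat it as anonymous access.
        if (AuthHeader == null || String.IsNullOrEmpty(AuthHeader.UserName) || AuthHeader.Password == null)
            throw new SoapException("Credentials required", SoapException.ClientFaultCode);

        // UserManager.Authenticate(string, string) returning bool is an assumed signature.
        if (!UserManager.Authenticate(AuthHeader.UserName, AuthHeader.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);

        IsAuthenticated = true;
    }
}
```

Raising a SoapException with ClientFaultCode returns a SOAP fault to the caller without leaking a stack trace, and the session flag means subsequent calls in the same session skip the UserManager lookup even though the client keeps sending the header.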
