RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Implement Secure .NET Web Services with WS-Security : Page 2

Implement secure .NET Web services by digitally signing, encrypting, and adding security credentials to SOAP messages.

If you have programmed Web services with the .NET Framework, you realize it has no platform-independent support for securing Web services across the Internet. With the introduction of WS-Security, that support now exists.

WS-Security offers the following new security functions:

  • Digitally signing SOAP messages:
    • using an X.509 certificate
    • using a user name and a password
    • using a custom binary token
  • Encrypting SOAP messages:
    • using an X.509 certificate
    • using a shared secret
    • using a custom binary token
  • Adding security credentials to the SOAP message
  • Signing a SOAP Request with a User Name and Password
    Let's look more closely at digitally signing SOAP messages with a user name and a password, since this option is used very often in Web services. To work correctly, the Web service itself must provide a class that implements the interface IPasswordProvider:

    public interface IPasswordProvider
       public String GetPassword(UsernameToken token);

    As you can see, there is only one method, GetPassword, which is made available by the implementing class. The WSE framework calls this method when it must authenticate a Web service request. The parameter of type UsernameToken provides more information about the incoming user request. As a result the method must return the user's password. The property Username of the class UsernameToken contains the credentials of the user making the SOAP request. With it, returning the correct user password is very easy (e.g., querying from a database or XML file).

    After that the runtime creates a hash of the password and compares it to the password hash provided by the Web service request. If the hashes match, the request is processed. If not, the request is rejected.

    A value from the enumeration PasswordOption defines how the password is sent across the wire:

  • SendNone: No password is sent in the SOAP message.
  • SendHashed: A SHA-1 hash of the password is sent in the SOAP message.
  • SendPlainText: The password is sent in clear text. When using this option, a secure transport channel such as SSL should be used.

    The following listing shows how a SOAP request can be signed with a username and a password:

    // Create a UsernameToken
    UsernameToken userToken = new UsernameToken(
       Environment.UserName, "MyPassword", 
    // Create proxy class
    MyProxyClass proxy = new MyProxyClass();
    SoapContext context = proxy.RequestSoapContext();
    // Add a security token
    // Sign the SOAP request
    context.Security.Elements.Add(new Signature(userToken))
    // Call a method

    As you can see, you can sign a SOAP request by just adding a new instance of the class Signature to the collection Elements. Easy, isn't it? But which bits were sent across the wire?

    Within the <soap:Header> element you will find the section <wsse:Security>. This section is responsible for the additional information that WSE uses. The sub-section <wsse:UsernameToken> contains the user credentials sent with the SOAP request:

    <wsse:UsernameToken xmlns:wsu="..." wsu:Id="...">
       <wsse:Password Type="wsse:PasswordDigest">

    Only the hash of the password is sent across the network. This hash is then compared to the hash from the password that the method GetPassword of the interface IPasswordProvider returned. If both hashes match, the SOAP request is successfully authenticated.

    The section <Signature> follows <wsse:Security>. It contains additional information about the signature used to sign the SOAP request. Here you will find some <Reference> sections that define various algorithms for signing the request. Every algorithm has a unique URI identifying it. The SOAP body contains one of these URIs, which identifies the algorithm used to sign the body:

       <HelloWorld xmlns="http://tempuri.org" />

  • Close Icon
    Thanks for your registration, follow us on our social networks to keep up-to-date