Consider, for example, the SecureCalculator Web service, defined as:

   public class SecureCalculator    {      [WebMethod]      public int Add(int num1,int num2)      {         return num1+num2;      }   }

If you configure this Web service to rely on Basic authentication, the client needs to provide the account credentials. The client may or may not be a Windows or .NET client. However, if the client is written in .NET, then it can use the built-in support that the client-side wrapper class has for passing network credentials (even when interacting with a non-Windows service that relies on Basic authentication). If you develop a client in .NET, when you add a Web reference to the SecureCalculator Web service, Visual Studio .NET generates a client-side SecureCalculator wrapper class that derives indirectly from WebClientProtocol. WebClientProtocol has a public property called Credentials, of type ICredentials. You’ll find ICredentials in the System.Net namespace (see Listing 1 for the ICredentials definition). By default, the Credentials property is not initialized and is set to null. Before invoking a method on a Web service that uses Basic authentication, the client needs to initialize the Credentials property of the wrapper class with a NetworkCredentials object and then call the method:

   using System.Net;    SecureCalculator calc = new SecureCalculator();   ICredentials creds;   creds = new    NetworkCredential("UserName","Password","Domain");   calc.Credentials = creds;   //Optional:   calc.PreAuthenticate = true;    calc.Add(2,3);

The client can also set the PreAuthenticate property of the wrapper class to true. This will cause the wrapper class to send credentials to the server, even when not challenged for them. This is an optimization option that can save the round trip after receiving a 401 error.

It is important to note that Basic authentication sends credentials in clear text, so you should use HTTPS or SSL, especially when using Basic authentication over the Internet. If the credentials are static, that is, they are not a run-time parameter the client retrieves somehow, then the client can encapsulate setting the credentials in the constructor of the wrapper class:

   public class SecureCalculator : SoapHttpClientProtocol    {         public SecureCalculator ()      {         ICredentials creds;         creds = new NetworkCredential("UserName",           "Password","Domain");         Credentials = creds;         Url = "http://<...>/SecureCalculator.asmx";      }      //Method wrappers...   }     SecureCalculator calc = new SecureCalculator();   Calc.Add(2,3);

Digest Windows Authentication
Digest authentication uses a special hashing algorithm (MD5) to avoid sending passwords in clear text over HTTP, and does not require HTTPS. Digest authentication is an industry standard (RFC 2617) supported natively by IIS. However, it does require using Active Directory to store the password. If you are not using Active Directory, the Digest authentication option will be disabled on the Authentication Methods dialog box in IIS (see Figure 1).

If you select to use Digest authentication, IIS will look in the request for the digest credentials and authenticate the user accordingly. There is nothing the Web service developer needs to do; it is up to the client to pass the digested credentials. If the client is a .NET client, it needs to initialize the Credentials property of the wrapper class with an object of type CredentialCache, as defined in Listing 2. CredentialCache is a collection of credentials that is polymorphic with ICredentials.

The client needs to construct individual credentials and add them to the cache, while specifying the type of the credentials using a non-type-safe string. Then, just as when using Basic authentication, the client needs to initialize the Credentials property of the wrapper class with the CredentialCache, optionally enable pre-authentication, and call the method:

   SecureCalculator  calc = new SecureCalculator();   ICredentials credsCache = new CredentialCache();   Uri uriPrefix = new Uri("");   ICredentials creds;   creds = new NetworkCredential("UserName",     "Password","Domain");   credsCache.Add(uriPrefix,"Digest",creds);    calc.Credentials = credsCache;   calc.PreAuthenticate = true;//Optional   calc.Add(2,3);

With static credentials, the client can also encapsulate these settings in the wrapper class constructor.

Integrated Windows Authentication
Integrated authentication is a Windows protocol that uses a proprietary password-hashing algorithm and requires both the client and the Web service to run on Windows stations. When using Integrated authentication, you can send credentials over HTTP, because they are not sent in clear text. Integrated authentication relies on the fact that Windows already knows the identity and credentials of the client (more precisely, the security token of the client’s thread), which it can capture and provide as authentication credentials. To use Integrated authentication, the client needs to initialize the Credentials property of the wrapper class by assigning to it the credentials returned from the DefaultCredentials static property of CredentialsCache:>

   SecureCalculator  calc = new SecureCalculator();   calc.Credentials = CredentialCache.    DefaultCredentials; calc.PreAuthenticate = true;   //Optional   calc.Add(2,3);

If the client’s identity is not adequate and you need to explicitly provide other Windows credentials, then you should use Basic or Digest authentication.

Custom Authentication
When you use custom Web services authentication, you do not rely on IIS to authenticate the callers. Instead, you will need to obtain the caller’s credentials somehow, and verify them against a custom repository, typically a database. The source files accompanying this article contain the UserManager helper class, defined as:

   public class UserManager    {      public UserManager();      public bool Authenticate(string userName,         string password);      //Other members and methods    }

UserManager accesses a database and authenticates the caller against the entries in the database. You will see UserManager used in the custom authentication code samples.

If the callers provide valid credentials, they are allowed to call the Web method; otherwise, the Web service can throw an exception. Custom authentication is appropriate when the callers do not have accounts on the server and when the number of identities is considerably large. An important distinction between custom authentication and Windows authentication is that custom authentication offers a fine level of control over which calls to Web methods the Web service authenticates. For example, a Web method that returns current inventory status is less sensitive than a Web method that processes a purchase order. In the interest of throughput, you may choose to only authenticate purchasing calls.

When using custom authentication, you need to allow anonymous access to the service by selecting the Anonymous access check box in the IIS Authentication Mode dialog box, and by setting the authentication mode in the Web service configuration file to None:

Using custom authentication you can use whatever custom mechanism you want, but in general, you will likely use a log-in method, SOAP headers, or SOAP extensions. Each of these mechanisms has its variations and you can come up with your own tweaks as well.

Log-in Method
The log-in method, as the name implies, involves exposing a dedicated method on the Web service that accepts the caller’s credentials. Needless to say, you should use the log-in method only over a secure channel (HTTPS) because the credentials are transmitted in clear text. When the Web service authenticates a caller, it stores the caller’s authentication in a session variable. In each Web method call that requires authentication, you need to explicitly verify that the caller’s session state variable indicates an authenticated caller.

Listing 3 shows the server-side code for security using the log-in method. The SecureCalculator Web service encapsulates and uses a Session variable to set the value of the Boolean IsAuthenticated property. Note that every Web method that deals with security has to enable session state support explicitly by setting the EnableSession property of the WebMethod attribute to true:

   [WebMethod(EnableSession=true)]

The LogIn() method of the SecureCalculator shown in Listing 3 uses the UserManager helper class to verify that the caller provided valid credentials, and if so, it sets the IsAuthenticated property to true. Before doing anything else, every method must verify that the caller is authenticated by checking the value of IsAuthenticated. The Web server only authenticates the caller the first time the caller connects to the service; subsequent calls are not authenticated. The caller will be logged out once the session ends or when the cookie used to manage the session expires. For increased security you can also provide a LogOut() method that allows the client to explicitly log out.

A .NET client using the log-in method of authentication has to enable support for cookies in the Web service wrapper class by initializing the CookieContainer property, typically by modifying the wrapper class constructor:

   public class SecureCalculator :      SoapHttpClientProtocol    {      public SecureCalculator()       {         CookieContainer = new              System.Net.CookieContainer();         Url = "http://<...>/SecureCalculator.asmx";      }      public bool LogIn(string userName,         string password);       public void LogOut();      public int Add(int num1,int num2);      //Other methods   }

The client, of course, needs to call LogIn() before using secure methods of the Web service:

   SecureCalculator calc = new SecureCalculator();   calc.LogIn("UserName","Password");   calc.Add(2,3);   calc.LogOut();   calc.Add(2,3); //Throws exception

You can take the log-in method approach one step further by factoring it into a base class and adding declarative authentication support using a custom principal. A principal is an object that represents an identity and its role membership. Listing 4 shows the LogInWebService abstract class. Like the LogIn() method in Listing 3, LogInWebService uses a session variable to indicate whether the caller is authenticated and encapsulates the session variable in the IsAuthenticated property. LogInWebService also uses a session variable to store the user name and encapsulates the session variable in the UserName property.

It is always a good practice to encapsulate session variables and expose logical properties around them. This eases the task of maintenance and provides a single place to enforce business rules. For example, UserName only allows the user name to be set if the user is authenticated.

The LogIn() and LogOut() methods of LogInWebService are nearly the same as the methods of the same name shown in Listing 3. One difference is that in LogInWebService, LogIn() stores the user name in the UserName property if the caller is authenticated, while LogOut() resets the user name if the caller logs out. The main difference between the methods, however, is in the LogInWebService constructor. If the caller is authenticated (because it already called the LogIn() method), the constructor creates a generic identity around the user name, and provides it to a generic principal. Then, the constructor installs the generic principal as the principal of the current thread:

   IIdentity identity= new GenericIdentity(UserName);   IPrincipal principal = new      GenericPrincipal(identity,null);   Thread.CurrentPrincipal = principal;

Both GenericIdentity and GenericPrincipal are defined in the System.Security.Principal namespace. The purpose of this is clear when you examine a Web service that derives from LogInWebService:

   public class SecureCalculator : LogInWebService   {      [PrincipalPermission(SecurityAction.Demand,         Authenticated = true)]      [WebMethod(EnableSession=true)]      public int Add(int num1,int num2)      {         return num1+num2;      }   }

All the SecureCalculator needs to do is add the PrincipalPermission attribute to sensitive methods, and demand that the caller is authenticated. The PrincipalPermission attribute looks for the current principal associated with the current thread, GenericPrincipal in this case, and asks it if the user is authenticated. The GenericPrincipal installed by default returns false, but ours returns true. This makes developing secure Web services trivial, and it provides the benefits of declarative security.

SOAP Headers
SOAP headers allow the client of a Web service to pass additional contextual information to the Web service object, without invoking methods. The client adds the information to the SOAP payload and it is up to the Web service to make use of it. When you implement a .NET Web service, .NET performs all the work involved in processing the headers. You can use SOAP headers to pass caller credentials to a Web service, but if you do so you should use secure channels, because the header information is transported in clear text.

The System.Web.Services.Protocolsnamespace provides support for SOAP headers. To use SOAP headers, you need to derive a class from SoapHeader and add credentials, such as user name and password, as class members. The class members in a SOAP header class must be public and in the form of fields or properties only (see Listing 5). Next, you need to add a member variable to the Web service class of the header type (see AuthHeader in Listing 5). When .NET creates the Web services Description Language (WSDL) associated with the service, the WSDL will contain the appropriate type information about the SOAP header member variable for the use of the clients.

You must decorate any Web method that accesses a SOAP header variable with the SoapHeader attribute, letting .NET know which member variable the method accesses:

   [SoapHeader("AuthHeader")]   [WebMethod]   public int Add(int num1,int num2){...}

.NET will automatically initialize the AuthHeader member with the information provided by the client. All that is left for the Web method to do is to authenticate the caller (using UserManager again) in the sensitive methods. In Listing 5, this is done using the Authenticate() helper method, which simply extracts the credentials from the header member variable.

When a .NET client adds a Web reference to a service that uses SOAP headers, .NET will generate a definition of a client-side SoapHeader derived class, with public variables only (it will convert properties in the original header class). .NET will also add to the wrapper class a matching member variable. The type of that member will be the type of the client-side header class, and the name of the member will be the type name with a Value suffix, for example:

   public class AuthenticationHeader : SoapHeader    {      public string UserName;      public string Password;   }   public class SecureCalculator : SoapHttpClientProtocol   {      public AuthenticationHeader          AuthenticationHeaderValue;      //Method wrappers   }

The wrapper class header member variable is set to null by default.

To pass credentials, the client has to initialize the member and call the Web method:

   SecureCalculator calc = new SecureCalculator();   calc.AuthenticationHeaderValue = new       AuthenticationHeader();       calc.AuthenticationHeaderValue.UserName =      "UserName";   calc.AuthenticationHeaderValue.Password =      "Password";       calc.Add(2,3);

The headers will be forwarded to the Web service, where it will use them to authenticate the caller. If the credentials are static, the client can also encapsulate initialization of the SOAP header in the wrapper class constructor.

Using SOAP headers in this manner requires that the client provide credentials on every method call. Authentication on the server side can be a time-consuming operation. If one-time authentication is sufficient for your needs, you can optimize for throughput and use a session variable to record the fact that the client has already authenticated itself. Listing 6 shows this technique. When asked to authenticate, the Web service checks the value of the IsAuthenticated property, which encapsulates the session variable. If the caller is already authenticated, no further action is required. If not, the service uses UserManager to authenticate the caller.

Note that the client still must provide the credentials in the SOAP header on every call, but the service uses them only during the first call.

SOAP Extensions
Using SOAP extensions is an advanced way a Web service developer can intercept all calls coming into the service and perform custom pre- and post-call processing. The Web service client can also interact with the SOAP extension, and provide custom pre-and post-call processing. For example, you can use SOAP extensions to compress the SOAP payload and to encrypt the information. Note that using SOAP extensions for payload encryption raises some interesting challenges, such as key distribution. In general, relying on SSL is a lot easier than developing a SOAP extension, especially for a public service.

You can also use SOAP extensions to transport the caller’s credentials. If you encrypt the payload as well, there is no need for secure channels. Developing a real-life SOAP extension involves a non-trivial amount of work. In practice, the use of SOAP extensions assumes a .NET client interacting with a .NET service, because other development platforms have very little or no support for it.

This article only provides a brief mention of SOAP extensions, as a full discussion of this topic would merit an article in its own right.

Comparing the Options
This article described three Windows-based and five custom authentication techniques for Web services. Obviously, there are many more permutations and variations on this theme. Table 1 lists the authentication options I discussed.

Table 1: Comparing Windows-based and custom authentication techniques for Web services.

Here are the main points to consider when choosing an authentication mechanism:

• Is the password sent in clear text and therefore requires HTTPS?
• What are the platform requirements on both the client and the server side?
• When does authentication take place, on the first call only, or on every call? What are the throughput implications of that?

My own recommendation is that whenever possible, you should choose Windows authentication over custom authentication to minimize the amount of work involved in developing the Web service. If you do need a custom solution, I would opt for the log-in method factored to a base class. It is trivial to apply, it results in clear declarative security for the Web methods, and it is intuitive and easy for the client to use. In addition, it is easier to call a method than to use a SOAP header or extension, especially if the client platform, such as legacy Visual Basic 6.0, does not have native support for SOAP headers or extensions.

No doubt, support for Web services security will become much more powerful and integrated in future versions of .NET, especially once the standards are finalized and adopted. However, you should not wait for that day to come. Armed with the techniques shown in this article, you can deploy and consume secure .NET Web services now.

The Best Mechanical Keyboards For Programmers: Where To Find Them

May 29, 2023

When it comes to programming, a good mechanical keyboard can make all the difference. Naturally, you would want one of the best mechanical keyboards for programmers. But with so many

The Digital Panopticon: Is Big Brother Always Watching Us Online?

May 26, 2023

In the age of digital transformation, the internet has become a ubiquitous part of our lives. From socializing, shopping, and learning to more sensitive activities such as banking and healthcare,

Embracing Change: How AI Is Revolutionizing the Developer’s Role

May 25, 2023

The world of software development is changing drastically with the introduction of Artificial Intelligence and Machine Learning technologies. In the past, software developers were in charge of the entire development

The Benefits of Using XDR Solutions

May 24, 2023

Cybercriminals constantly adapt their strategies, developing newer, more powerful, and intelligent ways to attack your network. Since security professionals must innovate as well, more conventional endpoint detection solutions have evolved

How AI is Revolutionizing Fraud Detection

May 23, 2023

Artificial intelligence – commonly known as AI – means a form of technology with multiple uses. As a result, it has become extremely valuable to a number of businesses across

Companies Leading AI Innovation in 2023

May 22, 2023

Artificial intelligence (AI) has been transforming industries and revolutionizing business operations. AI’s potential to enhance efficiency and productivity has become crucial to many businesses. As we move into 2023, several

Step-by-Step Guide to Properly Copyright Your Website

May 18, 2023

Creating a website is not easy, but protecting your website is equally important. Implementing copyright laws ensures that the substance of your website remains secure and sheltered. Copyrighting your website

Fivetran Pricing Explained

May 17, 2023

One of the biggest trends of the 21st century is the massive surge in analytics. Analytics is the process of utilizing data to drive future decision-making. With so much of

Kubernetes Logging: What You Need to Know

May 16, 2023

Kubernetes from Google is one of the most popular open-source and free container management solutions made to make managing and deploying applications easier. It has a solid architecture that makes

Why Is Ransomware Such a Major Threat?

May 15, 2023

One of the most significant cyber threats faced by modern organizations is a ransomware attack. Ransomware attacks have grown in both sophistication and frequency over the past few years, forcing

Tools You Need to Make a Data Dictionary

May 12, 2023

Data dictionaries are crucial for organizations of all sizes that deal with large amounts of data. they are centralized repositories of all the data in organizations, including metadata such as

10 Software Development Tips to Get Early Funding for your Startup

May 11, 2023

If you’re thinking about a startup, it’s likely you need to raise an initial round of funding for your venture. This article covers some of the very early development techniques

Show More