

Implement Secure .NET Web Services with WS-Security

Implement secure .NET Web services by digitally signing, encrypting, and adding security credentials to SOAP messages.

Web Services Enhancements 1.0 for Microsoft .NET (WSE) provides the functionality for Microsoft .NET Framework developers to support the latest Web services capabilities. WSE is the cornerstone of the GXA (Global XML Web-Services Architecture), an architecture of proposed Web services standards that Microsoft, IBM, and other companies have written. (Table 1 describes the core specifications of GXA.)

This article examines the GXA's WS-Security spec and demonstrates how you can use it to implement secure .NET Web services by digitally signing, encrypting, and adding security credentials to SOAP messages.

How to Implement WSE
WSE is implemented as a SOAP extension and therefore must be registered within the web.config file of your Web service. For this purpose, the web.config file contains the <soapExtensionTypes> element, in which you configure every SOAP extension that should be available to your Web service at runtime.

I have added the following lines within the <configuration> section of the web.config file:

         <add type="Microsoft.Web.Services.
            priority="1" group="0" />

Note that the new <soapExtensionTypes> element must be written on one line. I've divided it into several lines only for readability. Adding this new text to web.config configures the SOAP extension on the server side. It is then ready to use.

To expose the functionality of the WSE to the client, you must derive the Web service proxy class from the class WebServicesClientProtocol, which lives in the namespace Microsoft.Web.Services. So when you add a Web reference to your project and want to use the WSE, you must modify the Reference.cs file manually and change the base class of the proxy to WebServicesClientProtocol. Currently, Visual Studio .NET does not provide an option to mark a Web service as WSE-enabled.

Once you've registered WSE and derived the Web service proxy class, both the client and server sides are ready to use the new features of the WSE.

On the client side, all WSE features can be accessed through the proxy class and a property called RequestSoapContext. With this context object you can now encrypt SOAP messages, sign them, and assign user credentials to them. The following code shows how to get a reference to this object:

SoapContext myContext = myProxyClass.RequestSoapContext;

Traceable Client/Server Traffic
A very useful feature of the WSE is that all the network traffic between the client and server can be traced. These tracing capabilities can also be configured in the web.config file. But before you can use this feature, you must create a new section called Microsoft.Web.Services. This task can be accomplished with the following code:

      <section name="microsoft.web.services" 
         Microsoft.Web.Services, Version=, 
         PublicKeyToken=31bf3856ad364e35" />

With this entry in web.config you configure a new section called Microsoft.Web.Services and the appropriate section handler Microsoft.Web.Services.Configuration.WebServicesConfiguration. After that, the tracing feature can be enabled with the following lines:

         <trace enabled="true" input="inputTrace.config" 
            output="outputTrace.config" />

All further requests from the client are written to the inputTrace.config file, and the responses from the Web service are written to the outputTrace.config file. How to examine and interpret the contents of both files is shown later in this article.
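
A deployment check for the tracing settings above, added here as an example and not part of the original article: it parses a web.config and reports when WSE tracing is still switched on, since the trace files then hold every SOAP request and response. The function name, the finding codes, and the enclosing elements of the sample document are assumptions of this example.

```python
import xml.etree.ElementTree as ET

WSE_SECTION = "microsoft.web.services"  # section name used in the article

# Constructed sample. The <section name> and the <trace> attributes are the
# article's; the enclosing elements and the "..." type value are assumptions.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <section name="microsoft.web.services" type="..." />
  </configSections>
  <microsoft.web.services>
    <diagnostics>
      <trace enabled="true" input="inputTrace.config" output="outputTrace.config" />
    </diagnostics>
  </microsoft.web.services>
</configuration>"""


def audit_wse_trace(xml_text):
    """Return (code, detail) findings about WSE tracing in a web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = any(s.get("name", "").lower() == WSE_SECTION
                   for s in root.iter("section"))
    sections = [e for e in root.iter() if e.tag.lower() == WSE_SECTION]
    if sections and not declared:
        # The section is used without the handler registration shown above.
        findings.append(("SECTION_NOT_DECLARED", WSE_SECTION))
    for section in sections:
        for trace in section.iter("trace"):
            if trace.get("enabled", "false").strip().lower() != "true":
                continue
            # Every request and response is written to these two files.
            files = f"{trace.get('input')} / {trace.get('output')}"
            findings.append(("TRACE_ENABLED", files))
            for attr in ("input", "output"):
                name = trace.get(attr, "")
                # ASP.NET refuses to serve *.config by default; a trace file
                # with another extension inside the application folder may
                # be downloadable.
                if name and not name.lower().endswith(".config"):
                    findings.append(("TRACE_FILE_SERVABLE", name))
    return findings


if __name__ == "__main__":
    for code, detail in audit_wse_trace(SAMPLE_WEB_CONFIG):
        print(code, detail)
```
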
