Authentication for Web Services (using SOAP headers)

24 Jun 2003
Simple authentication for web services using SOAP headers.

Introduction

I recently put up a few web services for a client of mine, which returned some sensitive data. I needed to find a simple way to authenticate the users of these web services. This is the approach I took.

Background

I've started using web services fairly often in the applications that I've been developing; in most cases the information they pass is suitable for the public domain. However, a recent project forced me to look into different authentication methods.

My requirements were that it had to be simple for the client applications to authenticate, and that the web-based administration system had to be used. This prevented me from using Windows authentication (which is fairly easy to use for the clients of this web service). Using SOAP headers to pass username and password information greatly simplifies any authentication request.

Using the code

I wanted to make it really easy for the client to understand:

protected System.Web.UI.WebControls.DataGrid dgData;
    
private void Page_Load(object sender, System.EventArgs e)
{
    //simple client
    AuthWebService.WebService webService = new AuthWebService.WebService();
    AuthWebService.AuthHeader authentication = new 
                              AuthWebService.AuthHeader();

    authentication.Username = "test";
    authentication.Password = "test";
    webService.AuthHeaderValue = authentication;

    //Bind the results - do something here
    DataSet dsData = webService.SensitiveData();

    dgData.DataSource = dsData;
    dgData.DataBind();    

}

Basically, all the client needs to do is create an authentication object, fill out the username and password, then pass them to the web service object. The web service code is also pretty simple: the .NET framework lets you create custom SOAP headers by deriving from the SoapHeader class, so we wanted to add a username and password:

using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

The next step is to identify the web service methods that need the authentication; in the example I've included, it's the method SensitiveData. To force the use of our new SOAP header we need to add the following attribute to our method:

[SoapHeader ("Authentication", Required=true)]

So our full definition for our web service method is:

public AuthHeader Authentication;


[SoapHeader ("Authentication", Required=true)]
[WebMethod (Description="Returns some sample data")]
public DataSet SensitiveData()
{
    DataSet data = new DataSet();
            
    //Do our authentication
    //this can be via a database or whatever
    //(guard against a request that arrives without the header)
    if(Authentication != null &&
                Authentication.Username == "test" && 
                Authentication.Password == "test")
    {
        //they are allowed access to our sensitive data
        
        //just create some dummy data
        DataTable dtTable1 = new DataTable();
        DataColumn drCol1 = new DataColumn("Data", 
                System.Type.GetType("System.String"));
        dtTable1.Columns.Add(drCol1);

        DataRow drRow = dtTable1.NewRow();
        drRow["Data"] = "Sensitive Data";
        dtTable1.Rows.Add(drRow);
        dtTable1.AcceptChanges();

        data.Tables.Add(dtTable1);
    
    }else{
        data = null;
    }            

    return data;
}

I should also mention that when I say SOAP headers, I actually mean the soap:Header element in a SOAP request; it has nothing to do with the HTTP headers sent with the request. The SOAP request looks something like:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AuthHeader xmlns="http://tempuri.org/">
      <Username>string</Username>
      <Password>string</Password>
    </AuthHeader>
  </soap:Header>
  <soap:Body>
    <SensitiveData xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

I've included both the client and the web service in the attachment.
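
A hardened variant of the SensitiveData method above, added here as an illustration and not part of the original article or its download: it rejects requests that arrive over plain HTTP or without the header, checks the password against a salted PBKDF2 hash with a constant-time comparison, and returns a SOAP fault instead of null. The class name HardenedService, the salt, the iteration count and the single in-memory user record are assumptions standing in for a real user store.

```csharp
using System.Data;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;
// Assumes the AuthHeader class (Username, Password) from the article is in scope.
public class HardenedService : WebService   // hypothetical class name
{
    public AuthHeader Authentication;

    // Constructed stand-in for one user-table row: a per-user salt and PBKDF2 hash.
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-salt");
    static readonly byte[] StoredHash = Derive("test", Salt);

    static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2-HMAC-SHA256; this overload assumes .NET Framework 4.7.2 or later.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }
    // Compare every byte so timing does not reveal where the hashes differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    [SoapHeader("Authentication")]
    [WebMethod(Description = "Returns some sample data")]
    public DataSet SensitiveData()
    {
        // The header carries the password in clear text, so refuse plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);

        // A request sent without the header leaves the field null: fail closed.
        bool ok = Authentication != null && Authentication.Password != null
               && Authentication.Username == "test"
               && FixedTimeEquals(Derive(Authentication.Password, Salt), StoredHash);
        if (!ok)
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        DataSet data = new DataSet();
        DataTable table = data.Tables.Add("Sample");
        table.Columns.Add("Data", typeof(string));
        table.Rows.Add("Sensitive Data");
        return data;
    }
}
```

With a fault raised on failure, the client's call to webService.SensitiveData() throws a SoapException rather than binding a null DataSet, so a rejected login is visible to the caller.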

History

  • 25/06/2003 - Article created

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

About the Author

Dan_P
Web Developer
Australia
I've been programming for a few years now. I blog regularly at httpcode.

Last Updated 25 Jun 2003
Article Copyright 2003 by Dan_P