Click here to Skip to main content
Click here to Skip to main content

Authentication for Web Services (using SOAP headers)

, 24 Jun 2003
Rate this:
Please Sign up or sign in to vote.
Simple authentication for web services using SOAP headers.

Sample Image - AuthForWebServices.gif

Introduction

I recently put up a few web services for a client of mine, which returned some sensitive data. I needed to find a simple way to authenticate the users of these web services. This is the approach I took.

Background

I've started using web services fairly often in the applications that I've been developing, in most cases the information they pass is suitable for the public domain. However a recent project forced me to look into different authentication methods.

My requirements were that, it had to be simple for the client applications to authenticate, also that the web based administration system had to be used. This prevented me from using the Windows authentication (which is fairly easy to use for the clients of this web service.) By using SOAP headers to pass username and password information, it greatly simplifies any authentication request.

Using the code

I wanted to make it really easy for the client to understand:

protected System.Web.UI.WebControls.DataGrid dgData;
    
private void Page_Load(object sender, System.EventArgs e)
{
    //simple client
    AuthWebService.WebService webService = new AuthWebService.WebService();
    AuthWebService.AuthHeader authentication = new 
                              AuthWebService.AuthHeader();

    authentication.Username = "test";
    authentication.Password = "test";
    webService.AuthHeaderValue = authentication;

    //Bind the results - do something here
    DataSet dsData = webService.SensitiveData();

    dgData.DataSource = dsData;
    dgData.DataBind();    

}

Basically all the client needs to do is create an authentication object, fill out the username and password, then pass them to the web service object. The web service code is also pretty simple, the .NET framework lets you create custom SOAP headers by deriving from the SoapHeader class, so we wanted to add a username and password:

using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

The next step is to identify the web services that need the authentication, in the example I've included it's the method SensitiveData. To force the use of our new SOAP header we need to add the following attribute to our method:

[SoapHeader ("Authentication", Required=true)]

So our full definition for our web service method is:

public AuthHeader Authentication;


[SoapHeader ("Authentication", Required=true)]
[WebMethod (Description="Returns some sample data")]
public DataSet SensitiveData()
{
    DataSet data = new DataSet();
            
    //Do our authentication
    //this can be via a database or whatever
    if(Authentication.Username == "test" && 
                Authentication.Password == "test")
    {
        //they are allowed access to our sensitive data
        
        //just create some dummy data
        DataTable dtTable1 = new DataTable();
        DataColumn drCol1 = new DataColumn("Data", 
                System.Type.GetType("System.String"));
        dtTable1.Columns.Add(drCol1);

        DataRow drRow = dtTable1.NewRow();
        drRow["Data"] = "Sensitive Data";
        dtTable1.Rows.Add(drRow);
        dtTable1.AcceptChanges();

        data.Tables.Add(dtTable1);
    
    }else{
        data = null;
    }            

    return data;
}

I should also mention that when I say SOAP headers, I actually mean the soap:Header element in a SOAP request, it has nothing to do with the HTTP headers sent with the request. The SOAP request looks something like:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AUTHHEADER xmlns="http://tempuri.org/">
      <USERNAME>string</USERNAME>
      <PASSWORD>string</PASSWORD>
    </AUTHHEADER>
  </soap:Header>
  <soap:Body>
    <SENSITIVEDATA xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

I've included both the client and the web service in the attachment.

History

  • 25/06/2003 - Article created

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

Share

About the Author

Dan_P
Web Developer
Australia Australia
I've been programming for a few years now. I blog regularly at httpcode.

Comments and Discussions

 
GeneralMy vote of 5 Pinprofessionalketan italiya13-Aug-13 20:59 
GeneralMy vote of 5 Pinmemberb.ghadami2-Jul-13 1:00 
Questionreally good.... Pinmemberssd_coolguy9-May-12 20:32 
QuestionUsing SSL, this is pretty secure right? PinmemberFredButters17-Apr-12 10:17 
QuestionAuthHeaderValue Pinmemberbacarndiaye28-Feb-12 6:54 
QuestionSoap header authentication Pinmemberdhanwin15-Feb-12 22:53 
GeneralMy vote of 5 PinmemberMember 803756728-Nov-11 19:01 
GeneralMy vote of 4 Pinmemberwwuwwei1-Oct-11 23:05 
QuestionAuthentication for Web Services (using SOAP headers) in JAVA PinmemberMember 213261723-Aug-11 22:15 
QuestionUsing that "Authentication" object with PHP5.x Pinmembercadburry17-Aug-11 6:20 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web03 | 2.8.141216.1 | Last Updated 25 Jun 2003
Article Copyright 2003 by Dan_P
Everything else Copyright © CodeProject, 1999-2014
Layout: fixed | fluid