Email Password Remember me?  Lost your password?

• Download source - 35.8 Kb

Introduction

The following article deals with the implementation of security in Web Services. It briefs about how to make Web Services allow only those requests which have been validated for user name or binary tokens. The following article shows how to create such a service and how to invoke such a service. The platform used for development is Windows XP. Username tokens can be validated against built-in accounts. But for the implementation of Kerberos tokens, the machine needs to belong to a domain and should have the logged-in user listed in the Active Directory. The Kerberos key Distribution Center (KDC) issues tickets on validation.

Using the code

1. Make sure you have Microsoft Web Services Enhancements (WSE) 2.0 installed.
2. Create a blank solution.
3. Add two C# projects to the blank solution.
   • ASP.NET Web Service (C#). Name it "service".
   • Windows Application (C#). Name it "client".
4. Enable WSE on both the projects. This can be done by right clicking on the projects and clicking on WSE 2.0 Settings.
   • Make sure that the ASP.NET service has both the WSE enhancements and the SOAP Extensions enabled.
   • The client only needs to have WSE enabled.
5. There are two parts in the project:
   • UserName Token
   • Kerberos Token
6. Creating the service that will accept a UserName or a Kerberos Token and after validating will execute the WebMethod.

The code

1. Namespaces used:

   using Microsoft.Web.Services2;
   using Microsoft.Web.Services2.Security;
   using Microsoft.Web.Services2.Security.Tokens;

2. A method ValidateToken() is called before actually executing the web method.

   [WebMethod]
   public long perform(long a,long b)
   {
       //check whether the request is from a valid source or not.
   
       if (ValidateToken())
           return a+b;
       else
           return long.MinValue;
   }

3. Extracting and verifying the token from the SOAP context:

   Copy all the elements from the SOAP context into a collection.

   //The Security elements are extracted from
   
   // the SOAP context and stored in a collection
   
   SecurityElementCollection e = 
      RequestSoapContext.Current.Security.Elements;

   Now iterate through the elements to find the message signature.

   //The collection containing the SOAP Context 
   
   //is iterated through to get the message signature
   
   foreach( ISecurityElement secElement in e ) 
   {

   Now find the MessageSignature if present in the SOAP context.

   //The collection containing the SOAP Context 
   
   //is iterated through to get the message signature
   
   foreach( ISecurityElement secElement in e ) 
   { 
       if( secElement is MessageSignature ) 
       {

   Now check whether it is a Username token or a Kerberos token and do the needful if validated.

           SecurityToken sigTok = msgSig.SigningToken; 
           //check whether the signature contains a username or a kerberos token
   
           if( sigTok is UsernameToken ) 
           {
               //This checks against the BuiltIn Users
   
               return sigTok.Principal.IsInRole( @"BUILTIN\Users" );
           }
           else if( sigTok is KerberosToken )
           {
               //The logged in user is checked against 
   
               //the Kerberos Key Distribution Center(KDC).
   
               return sigTok.Principal.Identity.IsAuthenticated;
           }

4. Creating the client.
   1. Namespaces used are:

      using Microsoft.Web.Services2.Security;
      using Microsoft.Web.Services2.Security.Tokens;

   2. Add a web proxy for the service that we just created.

      

   3. UserName Token -- the following code creates a UserName Token:

      //declare any Security Token
      
      SecurityToken token=null;
      switch (option)
      {
          case "UserName":
          {
              try
              {
                  //create a username Token.
      
                  UsernameToken unToken=new UsernameToken(textBox1.Text, 
                            textBox2.Text,PasswordOption.SendPlainText);
                  //assign the any SecurityToken an Username Token.
      
                  token=unToken;
              }
              catch(Exception ex)
              {
                  MessageBox.Show(ex.Message);
                  return;
              }
              break;
          }

   4. Kerberos Token -- The following code creates a Kerberos Token:

          case "Kerberos":
          {
              try
              {
                  //create a kerberos Token.
      
                  KerberosToken kToken = 
                    new KerberosToken(System.Net.Dns.GetHostName() );
                  //assign the any SecurityToken an Username Token.
      
                  token=kToken;
              }
              catch(Exception ex)
              {
                  MessageBox.Show(ex.Message);
                  return;
              }
              break;
          }

5. Now check whether the security token could be obtained or not. If yes then we create a class from the proxy that has been generated and we add the token acquired to the RequestSoapContext of the call.

   if (token == null)
       throw new ApplicationException( "Unable to obtain security token." );
   
   // Create an instance of the web service proxy that has been generated.
   
   SecureServiceProxy.Service1Wse proxy = 
      new client.SecureServiceProxy.Service1Wse();
   
   //set the time to live to any value.
   
   proxy.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;
   
   
   // Add the SecurityToken to the SOAP Request Context.
   
   proxy.RequestSoapContext.Security.Tokens.Add( token );
   
   // Sign the SOAP message with a signatureobject.
   
   proxy.RequestSoapContext.Security.Elements.Add(new 
                         MessageSignature( token ) );

6. Finally call the service.

   // Create and Send the request
   
   long a=long.Parse(textLong1.Text);
   long b=long.Parse(textLong2.Text);
   //call the web service.
   
   long result=proxy.perform(a,b);
   //Display the result.
   
   MessageBox.Show(a + " + " + b + " = " + result.ToString());

Points of Interest

I had forgotten to add the Web Service Enhancements to the WSE 2.0 service and that ate a lot of my time.

You must Sign In to use this message board.

Per page 102550

FirstPrevNext

Using Windows Login/Kerboros Authentication between client and server Aditya P Gupta 0:01 26 Nov '07   Hi Abhishek, I read your article and found it interesting. However I have a query, I basically want to initiate a single sign-in sort of mechanism between my client application and server. Basically something like we use for SQL Server authentication (Windows logged-in user account). I want to provide my client application the option of saying use windows authentication, now when this login request/connection request hits the server. Server should be able to validate this Token and then allow client access to resources based on the token. I would appreciate if you can help me on this. Regards, Aditya Sign In·View Thread·PermaLink 1.50/5 EXception while executing USerName Token Abhishek Chatterjee 15:29 30 May '07   i have created a web service and client for the same and using username token "UserNamePolicy".when i exceute the code it throws and Web Service Error ->Specified arguemnt was out of range of valid Values Parameter name:policy "UserNamePolicy"is not configured in the System. Kindly help "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink Re: EXception while executing USerName Token Abhishek Chatterjee 15:31 30 May '07   Hi Kitu, could not answer ur mail as ur settings did not allow me to send mails.. so answering here.. i guess u r using wse 3.0 for implementing security. u have to go thru the entire wizard to create the policy file properly. also open the policy file created and check whether non allowed values have been added into the xml file. "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink server without IIS frohwein 11:48 27 Mar '07   Hi, I use a standalone soap service (without IIS) running as a Win32 service on a number of xp systems. How can I use soap security (signing and/or encryption) in this case, so without IIS? greetings Rob Sign In·View Thread·PermaLink 4.20/5 Re: server without IIS Abhishek Chatterjee 18:38 27 Mar '07   if u r running standalone soap services then u can add the security headers directly to the soap message.. u do not need to know what protocol is being used to communicate "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink WSE 3.0 Bernhard Hofmann 23:54 26 Mar '07   Could you suggest/write an article on how to do this with WSE 3.0? Don't worry, nobody lives forever. Sign In·View Thread·PermaLink 5.00/5 Re: WSE 3.0 Abhishek Chatterjee 0:01 27 Mar '07   try wse 3.0 turnkey security scenarios. they have detailed implementations about plausible scenarios... "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink 2.00/5 Re: WSE 3.0 Bernhard Hofmann 2:20 27 Mar '07   Could you suggest a suitable link? There seems to be so much noise on WSE 3.0 that I can't find the information on exactly how to "activate" a turnkey policy. Don't worry, nobody lives forever. Sign In·View Thread·PermaLink 1.00/5 Re: WSE 3.0 Abhishek Chatterjee 18:36 27 Mar '07   download and install wse 3.0 from msdn.microsoft.com there is enuf documentation and samples for the turnkey scenarios in it. "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink 2.00/5 I get an error... sroche 7:54 16 Oct '06   Thanks for the article and sourcecode. I have built the client and server under VS2003 and they build cleanly. I can't seem to get past this error: "The underlying connection was closed: The remote name could not be resolved." I noticed that the Web reference URL is "http://hydhtc35369/kerberos/service/Service1.asmx", so I tried updating that to point at the service home (replacing "hyd..." with "localhost", but then I get another error. I also tried setting the url before proxy.perform(), but got the same error. In both cases, I get an error stating that the asmx file could not be downloaded with a big messy html message that seems to indicate that the web.config file on the server side is not configured correctly. Any idea what I'm doing wrong? Thanks in advance, Steve stever@infomap.com Sign In·View Thread·PermaLink 5.00/5 Re: I get an error... [modified] Abhishek Chatterjee 18:31 16 Oct '06   remote name could not be resolved means that the client could not find the service. Here hydhtc35369 is my machine name and the path is the location of the web service. So here you need to provide the URL of the location where u have created the web service. I think the Web Service you have created is not up or u r incorrectly stating the endpoint address. -Abhishek "EgoSurfing" Sign In·View Thread·PermaLink 1.00/5 How to setup the Kerberos Key Distribution Center(KDC)? bbgal 1:54 14 Feb '06   I have tried out the kerberos authentication in the sample u provided, however I got this error message. The kerberos ticket could not be retrieved. The RetrieveKerbTicket failed with the following message. There are currently no logon servers available to service the logon request. How do I setup the Kerberos ticket provider or the logon server in order to make the Kerberos authentication work. Please tell me as I urgently need the info. Any tutorials or guidelines that can help me. Sign In·View Thread·PermaLink 2.33/5 Validating against a database eeehhh 4:02 27 Sep '05   I am adopting this to a web client that uses forms authentications. What is need to change in order to validate the credentials against a database? Thanks Sign In·View Thread·PermaLink 3.50/5 Re: Validating against a database Abhishek Chatterjee 4:27 27 Sep '05   Hi, If u are authenticating against a DB instead of the domain then u have to use UserNameToken and the Username/pwd that comes to the web service has to be validated by a Custom Security Token Manager. The logic for the validation of the credentials is written inside the custom security token manager. -thanks Abhishek eeehhh wrote: I am adopting this to a web client that uses forms authentications. What is need to change in order to validate the credentials against a database? Thanks "If u believe in psychokinesis then raise my hand." Sign In·View Thread·PermaLink 2.00/5 Great Article! Andries Olivier 22:18 26 Sep '05   Thumbs Up! Sign In·View Thread·PermaLink 5.00/5 RequestSoapContext is not a member of Proxy Greg McFarlane 5:26 1 May '07   Hi I have some code that consumes a webservice. I used to connect via the method described in this article. The author may have even cut and pasted your example in his tutorial. Things worked great for a while. I am now getting a message that the RequestSoapContext method is not available in the proxy. I have WSE2.0sp3. I have deleted the web reference and readded it. Is this method deprecated? Is there some newer way? Is the proxy not getting generated correctly? Or maybe has the author done something, and I should follow up w/ them? any help appreciated greg greg Sign In·View Thread·PermaLink 5.00/5 Re: RequestSoapContext is not a member of Proxy Abhishek Chatterjee 22:14 1 May '07   some of the checkpoints i can suggest are as follows. *check if the web service has changed internally..(if it is a remote ws.. check if it has the same security requirements). *check if a new version of the wse 2.0 has been installed on the client machine. Sign In·View Thread·PermaLink 3.50/5

Last Visit: 17:29 23 Nov '09     Last Update: 17:29 23 Nov '09 1