Click here to Skip to main content
15,867,453 members
Articles / Web Development / ASP.NET
Article

Authentication for Web Services (using SOAP headers)

Rate me:
Please Sign up or sign in to vote.
4.63/5 (62 votes)
24 Jun 20032 min read 877.1K   14.7K   157   52
Simple authentication for web services using SOAP headers.

Sample Image - AuthForWebServices.gif

Introduction

I recently put up a few web services for a client of mine, which returned some sensitive data. I needed to find a simple way to authenticate the users of these web services. This is the approach I took.

Background

I've started using web services fairly often in the applications that I've been developing, in most cases the information they pass is suitable for the public domain. However a recent project forced me to look into different authentication methods.

My requirements were that, it had to be simple for the client applications to authenticate, also that the web based administration system had to be used. This prevented me from using the Windows authentication (which is fairly easy to use for the clients of this web service.) By using SOAP headers to pass username and password information, it greatly simplifies any authentication request.

Using the code

I wanted to make it really easy for the client to understand:

C#
protected System.Web.UI.WebControls.DataGrid dgData;
    
private void Page_Load(object sender, System.EventArgs e)
{
    //simple client
    AuthWebService.WebService webService = new AuthWebService.WebService();
    AuthWebService.AuthHeader authentication = new 
                              AuthWebService.AuthHeader();

    authentication.Username = "test";
    authentication.Password = "test";
    webService.AuthHeaderValue = authentication;

    //Bind the results - do something here
    DataSet dsData = webService.SensitiveData();

    dgData.DataSource = dsData;
    dgData.DataBind();    

}

Basically all the client needs to do is create an authentication object, fill out the username and password, then pass them to the web service object. The web service code is also pretty simple, the .NET framework lets you create custom SOAP headers by deriving from the SoapHeader class, so we wanted to add a username and password:

C#
using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

The next step is to identify the web services that need the authentication, in the example I've included it's the method SensitiveData. To force the use of our new SOAP header we need to add the following attribute to our method:

C#
[SoapHeader ("Authentication", Required=true)]

So our full definition for our web service method is:

C#
public AuthHeader Authentication;


[SoapHeader ("Authentication", Required=true)]
[WebMethod (Description="Returns some sample data")]
public DataSet SensitiveData()
{
    DataSet data = new DataSet();
            
    //Do our authentication
    //this can be via a database or whatever
    if(Authentication.Username == "test" && 
                Authentication.Password == "test")
    {
        //they are allowed access to our sensitive data
        
        //just create some dummy data
        DataTable dtTable1 = new DataTable();
        DataColumn drCol1 = new DataColumn("Data", 
                System.Type.GetType("System.String"));
        dtTable1.Columns.Add(drCol1);

        DataRow drRow = dtTable1.NewRow();
        drRow["Data"] = "Sensitive Data";
        dtTable1.Rows.Add(drRow);
        dtTable1.AcceptChanges();

        data.Tables.Add(dtTable1);
    
    }else{
        data = null;
    }            

    return data;
}

I should also mention that when I say SOAP headers, I actually mean the soap:Header element in a SOAP request, it has nothing to do with the HTTP headers sent with the request. The SOAP request looks something like:

XML
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AUTHHEADER xmlns="http://tempuri.org/">
      <USERNAME>string</USERNAME>
      <PASSWORD>string</PASSWORD>
    </AUTHHEADER>
  </soap:Header>
  <soap:Body>
    <SENSITIVEDATA xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

I've included both the client and the web service in the attachment.

History

  • 25/06/2003 - Article created

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


Written By
Web Developer
Australia Australia
I've been programming for a few years now. I blog regularly at httpcode.

Comments and Discussions

 
GeneralMy vote of 5 Pin
ketan italiya13-Aug-13 19:59
ketan italiya13-Aug-13 19:59 
GeneralMy vote of 5 Pin
b.ghadami2-Jul-13 0:00
b.ghadami2-Jul-13 0:00 
Questionreally good.... Pin
ssd_coolguy9-May-12 19:32
ssd_coolguy9-May-12 19:32 
QuestionUsing SSL, this is pretty secure right? Pin
FredButters17-Apr-12 9:17
FredButters17-Apr-12 9:17 
QuestionAuthHeaderValue Pin
bacarndiaye28-Feb-12 5:54
bacarndiaye28-Feb-12 5:54 
QuestionSoap header authentication Pin
dhanwin15-Feb-12 21:53
dhanwin15-Feb-12 21:53 
GeneralMy vote of 5 Pin
Member 803756728-Nov-11 18:01
Member 803756728-Nov-11 18:01 
GeneralMy vote of 4 Pin
wwuwwei1-Oct-11 22:05
wwuwwei1-Oct-11 22:05 
QuestionAuthentication for Web Services (using SOAP headers) in JAVA Pin
Member 213261723-Aug-11 21:15
Member 213261723-Aug-11 21:15 
QuestionUsing that "Authentication" object with PHP5.x Pin
cadburry17-Aug-11 5:20
cadburry17-Aug-11 5:20 
GeneralMy vote of 5 Pin
nipunasilva28-Jul-11 17:52
nipunasilva28-Jul-11 17:52 
GeneralGood Article Pin
GauravGupta21226-Sep-10 22:21
GauravGupta21226-Sep-10 22:21 
GeneralInteresting information Pin
angeltbcn12-Nov-09 3:56
angeltbcn12-Nov-09 3:56 
GeneralThanks! Pin
knuteski3-Nov-09 11:08
knuteski3-Nov-09 11:08 
Thanks for this great article, it provided everything I needed to protect my web service. There was one little misspelling that threw me off but it was minor and I figured it out. Look forward to more great article from you.

Mike Thumbs Up | :thumbsup:
GeneralHey Pin
Eriksv26-May-09 2:35
Eriksv26-May-09 2:35 
GeneralThanks Pin
mahmoud alam21-Mar-09 0:45
mahmoud alam21-Mar-09 0:45 
Generalusing from SilverLight 2 application Pin
AndrusM2-Jan-09 11:42
AndrusM2-Jan-09 11:42 
QuestionWeb service security techniques Pin
Jagadeeshs4-Sep-08 3:54
Jagadeeshs4-Sep-08 3:54 
GeneralWeb service security Pin
Jagadeeshs4-Sep-08 3:49
Jagadeeshs4-Sep-08 3:49 
Generalcall from oracle apps Pin
anjali.8627-Aug-08 19:08
anjali.8627-Aug-08 19:08 
GeneralCall from another language Pin
Mauricio_Junior7-Apr-08 9:32
Mauricio_Junior7-Apr-08 9:32 
QuestionObject reference not set to an instance of an object Pin
Craig_L6-Aug-07 23:28
Craig_L6-Aug-07 23:28 
Questionhow to send this tricky header? [modified] Pin
blackjack215021-Feb-07 3:06
blackjack215021-Feb-07 3:06 
AnswerRe: how to send this tricky header? Pin
Lakhan Singh Rathore5-Jul-07 17:32
Lakhan Singh Rathore5-Jul-07 17:32 
QuestionMore Web Services,What Client Authentication Pin
kenzhen31-Oct-06 0:06
kenzhen31-Oct-06 0:06 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.