Click here to Skip to main content
15,867,330 members
Articles / Web Development / ASP.NET
Article

Authentication for Web Services (using SOAP headers)

Rate me:
Please Sign up or sign in to vote.
4.63/5 (62 votes)
24 Jun 20032 min read 877.1K   14.7K   157   52
Simple authentication for web services using SOAP headers.

Sample Image - AuthForWebServices.gif

Introduction

I recently put up a few web services for a client of mine, which returned some sensitive data. I needed to find a simple way to authenticate the users of these web services. This is the approach I took.

Background

I've started using web services fairly often in the applications that I've been developing, in most cases the information they pass is suitable for the public domain. However a recent project forced me to look into different authentication methods.

My requirements were that, it had to be simple for the client applications to authenticate, also that the web based administration system had to be used. This prevented me from using the Windows authentication (which is fairly easy to use for the clients of this web service.) By using SOAP headers to pass username and password information, it greatly simplifies any authentication request.

Using the code

I wanted to make it really easy for the client to understand:

C#
protected System.Web.UI.WebControls.DataGrid dgData;
    
private void Page_Load(object sender, System.EventArgs e)
{
    //simple client
    AuthWebService.WebService webService = new AuthWebService.WebService();
    AuthWebService.AuthHeader authentication = new 
                              AuthWebService.AuthHeader();

    authentication.Username = "test";
    authentication.Password = "test";
    webService.AuthHeaderValue = authentication;

    //Bind the results - do something here
    DataSet dsData = webService.SensitiveData();

    dgData.DataSource = dsData;
    dgData.DataBind();    

}

Basically all the client needs to do is create an authentication object, fill out the username and password, then pass them to the web service object. The web service code is also pretty simple, the .NET framework lets you create custom SOAP headers by deriving from the SoapHeader class, so we wanted to add a username and password:

C#
using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

The next step is to identify the web services that need the authentication, in the example I've included it's the method SensitiveData. To force the use of our new SOAP header we need to add the following attribute to our method:

C#
[SoapHeader ("Authentication", Required=true)]

So our full definition for our web service method is:

C#
public AuthHeader Authentication;


[SoapHeader ("Authentication", Required=true)]
[WebMethod (Description="Returns some sample data")]
public DataSet SensitiveData()
{
    DataSet data = new DataSet();
            
    //Do our authentication
    //this can be via a database or whatever
    if(Authentication.Username == "test" && 
                Authentication.Password == "test")
    {
        //they are allowed access to our sensitive data
        
        //just create some dummy data
        DataTable dtTable1 = new DataTable();
        DataColumn drCol1 = new DataColumn("Data", 
                System.Type.GetType("System.String"));
        dtTable1.Columns.Add(drCol1);

        DataRow drRow = dtTable1.NewRow();
        drRow["Data"] = "Sensitive Data";
        dtTable1.Rows.Add(drRow);
        dtTable1.AcceptChanges();

        data.Tables.Add(dtTable1);
    
    }else{
        data = null;
    }            

    return data;
}

I should also mention that when I say SOAP headers, I actually mean the soap:Header element in a SOAP request, it has nothing to do with the HTTP headers sent with the request. The SOAP request looks something like:

XML
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AUTHHEADER xmlns="http://tempuri.org/">
      <USERNAME>string</USERNAME>
      <PASSWORD>string</PASSWORD>
    </AUTHHEADER>
  </soap:Header>
  <soap:Body>
    <SENSITIVEDATA xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

I've included both the client and the web service in the attachment.

History

  • 25/06/2003 - Article created

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


Written By
Web Developer
Australia Australia
I've been programming for a few years now. I blog regularly at httpcode.

Comments and Discussions

 
GeneralAn unhandled exception of type 'System.Net.WebException' occurred in system.web.services.dll Pin
Gauhdrung30-Aug-05 12:54
Gauhdrung30-Aug-05 12:54 
GeneralAn even simplier option. Pin
DanielHac2-Mar-05 15:45
DanielHac2-Mar-05 15:45 
GeneralWSE 2.0 Pin
Member 175061721-Feb-05 19:08
Member 175061721-Feb-05 19:08 
GeneralPassword Encryption Pin
TrickUK29-Jan-04 6:33
TrickUK29-Jan-04 6:33 
GeneralRe: Password Encryption Pin
VarunPant8-May-08 1:32
VarunPant8-May-08 1:32 
GeneralRe: Password Encryption Pin
Brian.Clark13-Mar-09 8:40
Brian.Clark13-Mar-09 8:40 
GeneralSoapHeader(..., Required = true) Pin
lapierrem25-Sep-03 8:20
lapierrem25-Sep-03 8:20 
GeneralRe: SoapHeader(..., Required = true) Pin
WillemM26-Dec-03 20:28
WillemM26-Dec-03 20:28 
My visual studio says:

Required Attributes is obsolete and will be removed in a future version.
So I think your pretty right that this attribute does nothing.
I haven't found a solution yet to this problem... And I don't know what the webservice will be doing if I don't include this attribute with my request.

Greetings.... Smile | :)

GeneralRe: SoapHeader(..., Required = true) Pin
jayprakash3117-Jul-07 3:29
jayprakash3117-Jul-07 3:29 
GeneralRe: SoapHeader(..., Required = true) Pin
Delagen10-Mar-10 19:33
Delagen10-Mar-10 19:33 
QuestionSensitive data is not encrypted??? Pin
Gunmen26-Jun-03 11:56
Gunmen26-Jun-03 11:56 
AnswerRe: Sensitive data is not encrypted??? Pin
Dan_P26-Jun-03 14:03
Dan_P26-Jun-03 14:03 
AnswerRe: Sensitive data is not encrypted??? Pin
Alex Korchemniy23-Jul-03 16:09
Alex Korchemniy23-Jul-03 16:09 
GeneralRe: Sensitive data is not encrypted??? Pin
nap2k11-Feb-04 23:05
nap2k11-Feb-04 23:05 
GeneralPassword... Pin
mikasa26-Jun-03 7:16
mikasa26-Jun-03 7:16 
GeneralRe: Password... Pin
Dan_P26-Jun-03 13:58
Dan_P26-Jun-03 13:58 
GeneralRe: Password... Pin
Braulio Dez1-Jul-03 0:47
Braulio Dez1-Jul-03 0:47 
GeneralRe: Password... Pin
Tim Kohler10-Oct-03 6:24
Tim Kohler10-Oct-03 6:24 
GeneralRe: Password... Pin
WillemM26-Dec-03 20:26
WillemM26-Dec-03 20:26 
GeneralRe: Password... Pin
jschlesinger18-Nov-04 16:50
jschlesinger18-Nov-04 16:50 
GeneralRe: Password... Pin
Anonymous12-May-05 12:00
Anonymous12-May-05 12:00 
GeneralRe: Password... Pin
jschlesinger12-May-05 16:36
jschlesinger12-May-05 16:36 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.