Setting up WS-Security using Web Service Enhancements 2.0
1) Install WSE from http://msdn.microsoft.com/webservices/building/wse
2) To get started, let's create a “Web Application” to “Web Service” scenario using “UsernameToken”
- Create an “Empty Web Project”, call it “ClientWSE”
- Create an “Empty Web Project”, call it “ServerWSE”
3) Set up ClientWSE
- Add a web form, call it “default.aspx”
- Add a button, call it “CallButton”
- Add a label, call it “ServiceResponse”
- Now we need to set up the web service
3) Set up ServerWSE
- Add a “Web.config” (Add -> Add New Item … -> Web Configuration File)
- Right-click on the project name and select “WSE Settings 2.0” (see image below)
- Select “Enable Microsoft Web Services Enhancements Soap Extensions”
- This action will add a number of entries to your Web.config file

4) Add a web service called “Token.asmx”
- Add a method to return the token attributes, call it “ReturnTokenAttributes”
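// Requires: using Microsoft.Web.Services2;
//           using Microsoft.Web.Services2.Security.Tokens;
[WebMethod]
public string ReturnTokenAttributes()
{
    string tokenStr = string.Empty;
    // Walk the security tokens WSE extracted from the request's WS-Security header
    foreach(UsernameToken token in RequestSoapContext.Current.Security.Tokens)
    {
        // Append so every token is reported (demo output only: this echoes the password)
        tokenStr += " Password: " + token.Password + " Username: " + token.Username + "<br>";
    }
    return tokenStr;
}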
5) Since WSE automatically tries to authenticate the web service call against a Windows account, we need to implement custom authentication. Three steps are needed:
- Step 1: Override the AuthenticateToken method of UsernameTokenManager by adding the class below. Note the path of the credentials file
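using System.Security;
using System.Xml;
using Microsoft.Web.Services2.Security.Tokens;

namespace ServerWSE
{
    public class AuthenticationManager : UsernameTokenManager
    {
        // This method returns the password for the provided username
        // WSE will make the determination if they match
        protected override string AuthenticateToken( UsernameToken token )
        {
            // No placeholder default: a fixed fallback password would be
            // accepted for any username that is not in the file
            string password = null;
            string username = token.Username;
            // The file is fetched over HTTP from the ServerWSE virtual directory
            string CustomCreds = "http://localhost/ServerWSE/CustomCredentials.xml";
            XmlTextReader reader = null;
            try
            {
                // Read the XML document
                reader = new XmlTextReader( CustomCreds );
                // Looking for the matching username
                while( reader.Read() )
                {
                    if((reader.LocalName=="Account")&&(reader.GetAttribute("username")==username))
                    {
                        password = reader.GetAttribute( "password" );
                        break;
                    }
                }
            }
            finally
            {
                if( null != reader ) reader.Close();
            }
            // Unknown user: fail the request instead of returning a password
            if( null == password )
                throw new SecurityException( "Unknown username" );
            return password;
        }
    }
}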
- Step 2: Add a SecurityTokenManager element to Web.config
<security>
  <securityTokenManager
    type="ServerWSE.AuthenticationManager, ServerWSE"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    qname="wsse:UsernameToken" />
</security>
- Note the namespace format of the type: “ServerWSE” is the namespace, “AuthenticationManager” is the class, and the “ServerWSE” after the comma is the assembly name
- Step 3: Add a credential XML file, call it “CustomCredentials.xml”
<CustomCredentials xmlns="urn:wse2-sample-security:custom-creds">
  <Account username="joebloggs" password="NoTelinNE1"/>
  <Account username="samsaw" password="MySeekr1t"/>
  <Account username="janedoe" password="UDunno1t"/>
  <Account username="sallysue" password="KleerTxt"/>
  <Account username="joeboo" password="kNot2Saph"/>
</CustomCredentials>
6) Now that the web service is set up, we need to complete the calling web form.
- Double-click the “CallButton” button to add an event handler. Add the code below
// Requires: using Microsoft.Web.Services2.Security.Tokens;
private void CallButton_Click(object sender, System.EventArgs e)
{
    // Create the Username token
    // SendPlainText places the password unhashed in the WS-Security header
    UsernameToken token = new UsernameToken( "joebloggs", "NoTelinNE1", PasswordOption.SendPlainText );
    // Create an instance of the web service proxy
    ServerWSE.TokenWse proxy = new ClientWSE.ServerWSE.TokenWse();
    // Add the token to the request context
    proxy.RequestSoapContext.Security.Tokens.Add( token );
    // Call the web service
    string greeting = proxy.ReturnTokenAttributes();
    if (greeting != string.Empty)
        ServiceResponse.Text = greeting;
}
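The comment in AuthenticationManager says WSE decides whether the returned password matches the one in the token. The console program below is an added example (not part of the original article and not WSE's own code) that models that comparison for a plain-text token and for a hashed one, using the digest formula from the OASIS UsernameToken Profile 1.0. The class and method names, the in-memory account store and the timestamp are constructed for illustration.

```csharp
// Added example: a simplified model of the UsernameToken password check, not WSE source code.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class UsernameTokenCheck
{
    // Constructed account store standing in for CustomCredentials.xml.
    static readonly Dictionary<string, string> Accounts =
        new Dictionary<string, string> { { "joebloggs", "NoTelinNE1" } };

    // UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    public static string Digest(byte[] nonce, string created, string password)
    {
        byte[] tail = Encoding.UTF8.GetBytes(created + password);
        byte[] input = new byte[nonce.Length + tail.Length];
        Buffer.BlockCopy(nonce, 0, input, 0, nonce.Length);
        Buffer.BlockCopy(tail, 0, input, nonce.Length, tail.Length);
        using (SHA1 sha1 = SHA1.Create())
            return Convert.ToBase64String(sha1.ComputeHash(input));
    }

    // Compare without stopping at the first differing character.
    static bool SameString(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // isDigest=false models a PasswordText token, true models PasswordDigest.
    public static bool Verify(string user, string sent, bool isDigest, byte[] nonce, string created)
    {
        string stored;
        if (!Accounts.TryGetValue(user, out stored)) return false; // unknown user: no fallback password
        string expected = isDigest ? Digest(nonce, created, stored) : stored;
        return SameString(sent, expected);
    }

    static void Main()
    {
        byte[] nonce = new byte[16];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string created = "2004-06-01T12:00:00Z"; // constructed timestamp
        string digest = Digest(nonce, created, "NoTelinNE1");
        Console.WriteLine("PasswordText on the wire:   NoTelinNE1");
        Console.WriteLine("PasswordDigest on the wire: " + digest);
        Console.WriteLine(Verify("joebloggs", "NoTelinNE1", false, null, null));
        Console.WriteLine(Verify("joebloggs", digest, true, nonce, created));
        Console.WriteLine(Verify("nosuchuser", "BadPassword", false, null, null));
    }
}
```

In both modes the server needs the stored password itself, which is why AuthenticateToken returns it instead of a yes/no answer.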
7) You are done