ASP.NET web service UsernameToken Authentication

  • Question

  • User950454326 posted

    Hi All, 

    I am trying to implement UsernameToken authentication on an ASMX web service, something similar to the example below; the username and password should be sent in a secured SOAP header. I found code only for the client side (how to consume the service), but I want to implement it on the service side. Any suggestions?

    <soapenv:Header>
      <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
          <wsse:Username>[user]</wsse:Username>
          <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[Password]</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
    </soapenv:Header>

    Thanks in advance. 

    Sunday, March 17, 2019 7:12 PM

All replies

  • User-893317190 posted

    Hi DevD,

    wsse:Security belongs to WS-Security; it is not only about adding a header, and ASMX doesn't implement this feature.

    Maybe you could try Web Services Enhancements (WSE). https://stackoverflow.com/questions/2527029/ws-security-using-the-asmx-file-in-asp-net-3-5

    But you had better use WCF; it has built-in support for WS-Security.

    https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/common-security-scenarios

    Best regards,

    Ackerly Xu

    Monday, March 18, 2019 1:40 AM
  • User767034699 posted

    Hi there DevD,

    Thanks for posting it here. Surely I have implemented something similar. So I had to put a signature for every request in the header. You could use Metadata to get what you are looking for, for example.

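    using System.Collections.Generic;
    using System.Configuration;
    using System.Security.Cryptography;
    using System.ServiceModel.Channels;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;
    using System.Xml;

    public class TransactionService : System.Web.Services.WebService
    {
        // SOAP header object; ASP.NET fills it in from the request before the method runs.
        public Metadata Authentication = new Metadata();
        // MetadataVoucherValidate and HelperClass are the poster's own types (not shown in the post).
        public MetadataVoucherValidate ValidateVoucherMeta = new MetadataVoucherValidate();
        HMACSHA256 hmacSHA256 = new HMACSHA256();
        HttpContext ctx = HttpContext.Current;

        HttpResponseMessageProperty property = new HttpResponseMessageProperty();

        List<string> messages = new List<string>();

        [WebMethod(Description = "Checks Credits for clients. Returns 'Ok' if report status  is above. ")]
        [SoapHeader("Authentication", Required = true, Direction = SoapHeaderDirection.InOut)]
        public XmlDocument CreditCheck(string APIUserName, string APIPassword, int userReferenceId, string Countrycode, string CellNumber, decimal withdrawAmount, short iBookmakerId)
        {
            int iAccountId = -1;
            int iWebServiceUserId = -1;
            int iSiteId = -1;

            // Expected signature, read from web.config. The post does not show where
            // sSignature comes from; the appSettings key name "Signature" is an assumption.
            string sSignature = ConfigurationManager.AppSettings["Signature"];

            // Here you check whether the token matches what you have stored in your web.config, or something similar.
            if (Authentication.Signature != null)
            {
                if (!Authentication.Signature.Equals(sSignature) || Authentication.Signature == "")
                {
                    string message = "Signature" + " " + Authentication.Signature + " " + " mismatch.";
                    XmlDocument sResponse = HelperClass.CreateResponseSignature(message.ToString());
                    return sResponse;
                }
                if (String.IsNullOrEmpty(Authentication.MessageID))
                {
                    string message = "No messageID Supplied";
                    XmlDocument sResponse = HelperClass.CreateResponseSignature(message.ToString());
                    return sResponse;
                }
            }
            else
            {
                string message = "No $Signature supplied in the Header" + " " + Authentication.Signature;
                XmlDocument sResponse = HelperClass.CreateResponseSignature(message.ToString());
                return sResponse;
            }

            // Signature and MessageID are present and valid. The credit check itself is not
            // shown in the post; this return only makes every code path return a value.
            return HelperClass.CreateResponseSignature("Ok");
        }
    }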

    Class for SoapHeader

    public class Metadata : SoapHeader
    {
        public string Signature;
        public string MessageID;
    }

    Hope it helps,

    Kind regards

    Tony

    Monday, April 1, 2019 7:42 AM
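
The custom SoapHeader technique from the last reply can be bound to the `wsse:Security` element from the question, so the ASMX service reads and checks the UsernameToken itself. This is an added example, not code from any poster in this thread, and it handles only the PasswordText token shown in the question, not the rest of WS-Security. Assumptions: the class names, the service namespace and the appSettings keys `ApiUser` and `ApiPassword` are hypothetical.

```csharp
// Added example, not code from this thread. Class names, the service namespace and
// the appSettings keys "ApiUser" / "ApiPassword" are hypothetical.
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml.Serialization;

public static class Wss
{
    public const string Ns = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public const string PasswordText = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
}
// Maps <wsse:Security><wsse:UsernameToken>...</wsse:UsernameToken></wsse:Security>.
[XmlRoot("Security", Namespace = Wss.Ns)]
public class SecurityHeader : SoapHeader
{ [XmlElement("UsernameToken", Namespace = Wss.Ns)] public UsernameToken Token; }
public class UsernameToken
{
    [XmlElement("Username", Namespace = Wss.Ns)] public string Username;
    [XmlElement("Password", Namespace = Wss.Ns)] public PasswordElement Password;
}
public class PasswordElement
{ [XmlAttribute("Type")] public string Type; [XmlText] public string Value; }

[WebService(Namespace = "http://example.invalid/secured")]
public class SecuredService : WebService
{
    public SecurityHeader Security;   // stays null when the request has no wsse:Security header

    [WebMethod]
    [SoapHeader("Security", Direction = SoapHeaderDirection.In)]
    public string Ping()
    {
        UsernameToken t = Security == null ? null : Security.Token;
        // PasswordText carries the password in clear, so it is refused outside TLS.
        // Both comparisons always run (non-short-circuit &) once a token is present.
        bool ok = Context.Request.IsSecureConnection && t != null && t.Password != null
            && t.Password.Type == Wss.PasswordText
            && (FixedTimeEquals(t.Username, ConfigurationManager.AppSettings["ApiUser"])
                & FixedTimeEquals(t.Password.Value, ConfigurationManager.AppSettings["ApiPassword"]));
        if (!ok) throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        return "Ok";
    }
    // Comparison whose duration does not depend on the position of the first mismatch.
    static bool FixedTimeEquals(string a, string b)
    {
        if (string.IsNullOrEmpty(a) || string.IsNullOrEmpty(b)) return false; // missing config never matches
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

A request with no header, sent over plain HTTP, or carrying a different password `Type` receives the same generic SOAP fault as a wrong password, and the fault never echoes the submitted credentials.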