ASP.NET web service UsernameToken Authentication

  • Question

  • User950454326 posted

    Hi All, 

    I am trying to implement UsernameToken authentication on an ASMX web service, something similar to the example below; the username and password should be sent in a secured SOAP header. I found code only for the client side (how to consume the service), but I want to implement it on the service side. Any suggestions?

    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>[Username]</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[Password]</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>

    Thanks in advance. 

    Sunday, March 17, 2019 7:12 PM

All replies

  • User-893317190 posted

    Hi DevD,

    wsse:Security belongs to WS-Security; it is not only about adding a header, and ASMX doesn't implement this feature.

    Maybe you could try Web Services Enhancements (WSE). https://stackoverflow.com/questions/2527029/ws-security-using-the-asmx-file-in-asp-net-3-5

    But you had better use WCF; it has built-in support for WS-Security.


    Best regards,

    Ackerly Xu

    Monday, March 18, 2019 1:40 AM
  • User767034699 posted

    Hi there DevD,

    Thanks for posting it here. Surely I have implemented something similar. I had to put a signature in the header for every request. You could use Metadata to get what you are looking for, for example:

    using System;
    using System.Collections.Generic;
    using System.Configuration;
    using System.Security.Cryptography;
    using System.ServiceModel.Channels;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;
    using System.Xml;
    public class TransactionService : System.Web.Services.WebService
    {
        public Metadata Authentication = new Metadata();
        public MetadataVoucherValidate ValidateVoucherMeta = new MetadataVoucherValidate();
        HMACSHA256 hmacSHA256 = new HMACSHA256();
        HttpContext ctx = HttpContext.Current;
        HttpResponseMessageProperty property = new HttpResponseMessageProperty();
        List<string> messages = new List<string>();
        [WebMethod(Description = "Checks Credits for clients. Returns 'Ok' if report status  is above. ")]
        [SoapHeader("Authentication", Required = true, Direction = SoapHeaderDirection.InOut)]
        public XmlDocument CreditCheck(string APIUserName, string APIPassword, int userReferenceId, string Countrycode, string CellNumber, decimal withdrawAmount, short iBookmakerId)
        {
            int iAccountId = -1;
            int iWebServiceUserId = -1;
            int iSiteId = -1;
            // sSignature was not defined in the post; the "Signature" appSettings key is an assumed name.
            string sSignature = ConfigurationManager.AppSettings["Signature"];
            // Here you check if the token matches what you have stored in your web.config, or something similar.
            if (Authentication.Signature != null)
            {
                if (!Authentication.Signature.Equals(sSignature) || Authentication.Signature == "")
                {
                    string message = "Signature" + " " + Authentication.Signature + " " + " mismatch.";
                    XmlDocument sResponse = HelperClass.CreateResponseSignature(message);
                    return sResponse;
                }
                if (String.IsNullOrEmpty(Authentication.MessageID))
                {
                    string message = "No messageID Supplied";
                    XmlDocument sResponse = HelperClass.CreateResponseSignature(message);
                    return sResponse;
                }
            }
            else
            {
                string message = "No $Signature supplied in the Header" + " " + Authentication.Signature;
                XmlDocument sResponse = HelperClass.CreateResponseSignature(message);
                return sResponse;
            }
            // Header checks passed; the rest of the method was not included in the post.
        }
    }

    Class for the SoapHeader:

    public class Metadata : SoapHeader
    {
        public string Signature;
        public string MessageID;
    }

    hope it helps,

    kind regards


    Monday, April 1, 2019 7:42 AM
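
One way to read the `wsse:Security` / `UsernameToken` header from the question on the ASMX side, as an added example that is not code from any poster in this thread. It only binds the header through `SoapHeader` and XML serialization attributes and checks the values; it does not implement WS-Security processing (nonces, timestamps, signatures), which is what the first reply points to WSE or WCF for. The service name, the `Ping` method, the `http://example.invalid/` namespace and the `ApiUser` / `ApiPassword` appSettings keys are assumptions for illustration.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml.Serialization;

// Maps <wsse:Security> from the question onto an ASMX SoapHeader class.
[XmlRoot("Security", Namespace = SecurityHeader.Wsse)]
public class SecurityHeader : SoapHeader
{
    public const string Wsse =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    [XmlElement(Namespace = Wsse)] public UsernameToken UsernameToken;
}

public class UsernameToken
{
    [XmlElement(Namespace = SecurityHeader.Wsse)] public string Username;
    [XmlElement(Namespace = SecurityHeader.Wsse)] public string Password;
}

[WebService(Namespace = "http://example.invalid/")] // placeholder namespace
public class AccountService : WebService             // hypothetical service
{
    public SecurityHeader Security; // filled in by ASMX before the method runs
    [WebMethod]
    [SoapHeader("Security", Direction = SoapHeaderDirection.In)]
    public string Ping()
    {
        // PasswordText is the clear password, so refuse it outside TLS.
        // "ApiUser"/"ApiPassword" are assumed key names; & evaluates both comparisons.
        UsernameToken t = Security == null ? null : Security.UsernameToken;
        if (!Context.Request.IsSecureConnection || t == null ||
            !(FixedTimeEquals(t.Username, ConfigurationManager.AppSettings["ApiUser"]) &
              FixedTimeEquals(t.Password, ConfigurationManager.AppSettings["ApiPassword"])))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        return "ok";
    }

    // Compare without stopping at the first differing byte; empty values never match.
    static bool FixedTimeEquals(string supplied, string expected)
    {
        if (string.IsNullOrEmpty(supplied) || string.IsNullOrEmpty(expected)) return false;
        byte[] a = Encoding.UTF8.GetBytes(supplied), b = Encoding.UTF8.GetBytes(expected);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```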