ASP.NET ASMX SECURE
Curated by aspnetasmx

HTTP Security and ASP.NET Web Services

One item that seems to be driving developers of Web services crazy is figuring out how IIS and ASP.NET Web services work together to provide security. Today, security is handled by IIS and leveraged by ASP.NET. ASP.NET can take the identity information provided by IIS and use that to know who called or to make use of code access security for specific operations on the Web service. The hard part for many is enabling the .NET application to take advantage of the built-in IIS security features. In the not too distant future, WS-Security will be an even better option. Until that day arrives, HTTP-level security will be what many of us use to make messaging secure.


How to: Perform Custom Authentication Using SOAP Headers

The following custom solution is built using ASP.NET to provide an authentication mechanism using SOAP headers. The solution involves a custom IHttpModule on the Web server that executes the following steps:

1. The HTTP Module parses HTTP messages to check whether they are SOAP messages.

2. If the HTTP Module detects a SOAP message, it reads the SOAP headers.

3. If the SOAP message has the SOAP header with authentication credentials, the HTTP Module raises a custom global.asax event.

In the sample provided, the HTTP Module authenticates the user and sets Context properties that a Web service can use to decide whether the client is authorized to access the Web service.

http://www.kerrywong.com/2006/12/01/using-x509-certificate-with-web-service-in-aspnet/

http://msdn.microsoft.com/en-us/library/w67h0dw7.aspx

Custom Authentication Using SOAP Headers

The Windows authentication mechanisms, including client certificates, rely on the HTTP transport, whereas SOAP is transport-independent. Web services built using ASP.NET use SOAP over HTTP, as well as HTTP-POST and HTTP-GET implementations that return non-SOAP XML documents. So, one reason to create a custom authentication mechanism is to decouple authentication from the transport. This can be accomplished by passing the authentication credentials in the SOAP header.

SOAP headers are a great way of passing out-of-band information or information not related to the semantics of a Web service. Unlike the Body element of a SOAP message, which carries the in and out parameters that the Web service method processes, the Header element is optional and can thus be processed by the infrastructure, in this case infrastructure developed to provide a custom authentication mechanism.

For a description of one method of using SOAP headers for authentication, see How to: Perform Custom Authentication Using SOAP Headers.

To use SOAP headers for authentication, a Web service client sends its credentials to the Web service by adding the expected SOAP header to the SOAP request and populating it with the client credentials. The Web service, in turn, must do two things: specify that it expects the SOAP header containing the authentication credentials, and authorize the client's access to the Web service.
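The two service-side steps described above, as an added example that is not code from the curated articles: an ASMX service declares the header it expects and refuses the call unless the credentials verify. `ReportService`, `GetReport`, `DemoStore`, the namespace URI and the single account are hypothetical; the salt and password are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Header the service expects; it travels as <AuthHeader> inside <soap:Header>.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/added-example")]
public class ReportService : WebService
{
    // ASP.NET fills this member from the request header before the method runs.
    public AuthHeader Credentials;
    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)] // step 1: declare the header
    public string GetReport(int id)
    {
        // Step 2: authorize. The member stays null when the client sent no header.
        if (Credentials == null || !DemoStore.Verify(Credentials.Username, Credentials.Password))
            throw new SoapException("Access denied.", SoapException.ClientFaultCode);
        return "report " + id;
    }
}

// Hypothetical store with one constructed account. A real service would load a
// random per-user salt and the derived key from its user database.
static class DemoStore
{
    const string DemoUser = "alice";                                             // constructed
    static readonly byte[] Salt = Encoding.ASCII.GetBytes("constructed-salt");   // constructed
    static readonly byte[] Stored = Derive("constructed-demo-password");         // constructed
    static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000)) return kdf.GetBytes(32);
    }

    public static bool Verify(string user, string password)
    {
        if (user == null || password == null) return false;
        byte[] candidate = Derive(password);
        int diff = 0;   // accumulate differences so the comparison time does not depend on the match position
        for (int i = 0; i < Stored.Length; i++) diff |= candidate[i] ^ Stored[i];
        return diff == 0 && string.Equals(user, DemoUser, StringComparison.Ordinal);
    }
}
```

Because the credentials ride inside the SOAP envelope, anyone who can read the message can read them unless the channel is encrypted.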

 
