Because security is one of the most fundamental aspects in the development and deployment of a Web service, there are a myriad of articles, documentation, and samples of how to make it secure. Yet the majority of this information is conveyed as abstract theory, as opposed to practical, real-world implementation. Here, I'll share some practical examples on Web service security in .NET, not just abstract theories. These examples provide an easy and fast way to accomplish a rather complex task. Let's explore programmatic Web service security using Visual Studio .NET to implement a custom, stateful SOAP Header to authenticate a consumer before allowing a method to execute. I will also show you how to remove public access to your Web service, how to prevent anonymous users from obtaining your WSDL file, and how to implement your Web service in an unauthorised manner. I will then explain how you can wrap your entire Web service implementation in a highly secure, encrypted format. A reusable security pattern
Web services are typically built as an add-in functionality or as an API on top of an existing ASP.NET application. The Web service may interact directly with your database or in an N-tier solution by calling intermediary components to perform the functionality. Your Web service needs to know who is invoking it and what privileges that user has in your application. More than likely, your users, roles, business rules, and authorisations have already been implemented, and you simply want to tap into this existing information. To do this, your Web service needs to implement a pattern for determining the requesting client's credentials. You could, in theory, pass a user ID and password to every method in your Web service, but a more object-oriented approach is to create a class that extends System.Web.Services.Protocols.SoapHeader. This class will become your SOAP Header, which is passed to your Web service and will include everything needed to authenticate your client. Server implementation
Listing A shows the server-side implementation code of a simple Web service, SecureWebServiceTester.asmx, and its associated SOAP Header class. The SecurityContext class extends the SoapHeader class, which tells the .NET Framework that it's a Soap Header and allows you to reference this class in the attribute. The main class, SecureWebServiceTester, contains the actual implementation methods for the Web service. These methods are denoted with the attribute. The LoginUser() function takes in an instance of your SecureContext Soap Header class and uses this object as it would any other object. Note that the object name is referenced within quotation marks and is matched to the secureCtx class attribute.