How to create a secure web service in ASP.NET

A web service is a way for two machines to communicate over HTTP; the two machines can be on different platforms.
See more about web services at this URL: http://www.sharepointcafe.net/2015/05/all-about-web-service-soap-rest.html

Because a web service communicates over HTTP, the main concern is security.
What are the ways to make a web service secure?

Below are a few authentication options that are available to web services in ASP.NET:

  1. Windows Basic
  2. Windows Basic Over SSL
  3. Windows Client Certificates
  4. Custom SOAP Headers

In this post I will explain how to secure a web service using a custom SOAP header.

A SOAP web service message includes the following items:
SOAP Envelope, SOAP Header, SOAP Body, SOAP Fault

Let's implement a custom SOAP header with an example.

Create a web project in Visual Studio and add a web service to the project.

Write the code below:


using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Script.Serialization;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.Services.Protocols;

/// <summary>
/// Summary description for TestService
/// </summary>
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
// To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line. 
// [System.Web.Script.Services.ScriptService]
public class TestService : System.Web.Services.WebService {

    public TestService () {

        //Uncomment the following line if using designed components 
        //InitializeComponent(); 
    }

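    // Filled in by ASP.NET from the AuthHeader element of the incoming SOAP header.
    public AuthHeader Authentication;

    [WebMethod]
    [ScriptMethod (ResponseFormat = ResponseFormat.Xml)]
    [SoapHeader("Authentication")]
    public string GetMessage(string name)
    {
        // Authentication can be null when the caller sends no header, so check it first.
        if (Authentication != null && Authentication.Username == "myid" && Authentication.Password == "mypwd")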
        {
            string msg = string.Format("Hello {0}", name);
            return msg;
        }

        else
        {
            return "User Authentication Fail";
        }
    }
    
}

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}


Now create a client to consume the web service.
I have created a console application to consume it.

static void Main(string[] args)
{
    // Proxy classes generated by the service reference "WebServiceReference1".
    WebServiceReference1.TestServiceSoapClient webservice = new WebServiceReference1.TestServiceSoapClient();
    WebServiceReference1.AuthHeader authentication = new WebServiceReference1.AuthHeader();

    // These values are sent in the SOAP header of the request.
    authentication.Username = "myid";
    authentication.Password = "mypwd";

    // The generated proxy takes the header as the first argument.
    string msg = webservice.GetMessage(authentication, "SharePoint Cafe User");
    Console.WriteLine(msg);
    Console.ReadKey();
}

In the above example I have used a dummy username and password; a better implementation checks the username and password against a data source such as SQL or XML. The username and password are sent as plain text inside the SOAP header, so the service should be called over SSL.

Also note that I have added the attribute below to the web method GetMessage():

[SoapHeader("Authentication")]

I have created a separate class called "AuthHeader" that inherits from the "SoapHeader" class.
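
One way to replace the hard-coded comparison in GetMessage with a check against stored credentials, as an added example that is not part of the original post. The HeaderAuthenticator class, its Register and Demand methods, the in-memory dictionary standing in for the SQL or XML store, and the iteration count are assumptions; AuthHeader is the class defined above.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services.Protocols;

// Added example: hypothetical helper, not part of the original service code.
public static class HeaderAuthenticator
{
    private const int Iterations = 100000; // assumed PBKDF2 work factor

    // Stand-in for the SQL/XML store: username -> (salt, PBKDF2 hash).
    // Fill it once at application start; Dictionary is not safe for concurrent writes.
    private static readonly Dictionary<string, Tuple<byte[], byte[]>> Users =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    public static void Register(string username, string password)
    {
        byte[] salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        Users[username] = Tuple.Create(salt, Derive(password, salt));
    }

    // Call first in every web method marked [SoapHeader("Authentication")].
    public static void Demand(AuthHeader header)
    {
        Tuple<byte[], byte[]> record;
        bool ok = header != null
            && header.Username != null && header.Password != null
            && Users.TryGetValue(header.Username, out record)
            && FixedTimeEquals(record.Item2, Derive(header.Password, record.Item1));
        if (!ok) // fail with a SOAP fault rather than a normal string result
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
    }

    // This constructor overload uses HMAC-SHA1 as the PBKDF2 pseudo-random function.
    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(32);
    }

    // Compares every byte so the time taken does not depend on where the hashes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

With this helper, GetMessage would call HeaderAuthenticator.Demand(Authentication) as its first statement and then return the greeting, so a failed login reaches the client as a SOAP fault instead of the "User Authentication Fail" string.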
