Web Service Security

Most web service tutorials only show you how to return a simple string value and they don’t address security at all. All of the web services you create based on the tutorials will allow anonymous access over the Internet. Anonymous access does not allow you to create commercial web services for which you wish to charge a fee. Unfortunately there are few tutorials on web service security.

The preferred method of making web services secure is to use Microsoft’s Web Services Enhancements (WSE 3.0). Unfortunately I encountered many problems using the WSE. For one thing, it does not work with Web Application Projects, a type of Visual Studio project that does not use virtual directories. Instead you must use a regular IIS-hosted web project. After solving that problem I was able to add authentication to my web service and I could send the UsernameToken to my web service using VBScript. However, I ran into another problem with my Windows application client. The web service proxy class would not allow me to add the UsernameToken to the request.

So rather than struggle with WSE I wound up using custom SOAP headers using SOAP extensions. This requires the client to send a username and password in the SOAP headers in order to be authenticated. The web service must also restrict access to SOAP requests because it must receive a SOAP header. That means you cannot access the web service using POST or GET. I was still able to create three types of client applications: a VBScript client for testing purposes, a Windows application client, and a web application client using ASP.NET.

In addition to implementing authentication, I also figured out how to control the XML that my web service returns by returning an XML document. Usually you have to struggle with various data structures in order to determine what sort of XML will be returned. For example, a dataset returns XML that is hard to format using XSL. By returning an XML document I gain the ability to tweak the XML to accommodate the needs of my client applications.
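The following is an added example, not code from the post, that puts the two ideas above together in one ASMX service: a custom SOAP header carrying the username and password that every call must present, and a web method that returns an XmlDocument built by hand so the caller decides its shape. The class names (AuthHeader, CredentialStore, SecuredService), the namespace URI, the sample account and the sample order are all assumptions made for this example; the web.config fragment in the leading comment is the standard ASP.NET way of removing the HttpGet and HttpPost protocols so that only SOAP requests reach the service.

```csharp
// Added example (not the post's own code): an ASMX service that authenticates each
// call from a custom SOAP header and returns an XmlDocument the caller can shape.
// AuthHeader, CredentialStore, SecuredService, the namespace URI and the sample
// data are assumptions made for this example.
//
// To refuse plain HTTP GET/POST and accept SOAP only, the site's web.config needs:
//   <system.web>
//     <webServices>
//       <protocols>
//         <remove name="HttpGet" />
//         <remove name="HttpPost" />
//       </protocols>
//     </webServices>
//   </system.web>
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml;

// The header the client must attach to every request.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

// Minimal in-memory credential store (constructed for the example). Only a
// PBKDF2 hash of each password is kept; a real store would use one salt per user.
public static class CredentialStore
{
    private static readonly Dictionary<string, byte[]> Hashes = new Dictionary<string, byte[]>();
    private static readonly byte[] Salt = System.Text.Encoding.UTF8.GetBytes("example-salt");

    static CredentialStore()
    {
        Hashes["demo"] = Hash("demo-password");   // sample account, constructed
    }

    public static bool Validate(string user, string password)
    {
        byte[] expected;
        if (user == null || password == null || !Hashes.TryGetValue(user, out expected))
            return false;
        return FixedTimeEquals(expected, Hash(password));
    }

    private static byte[] Hash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }

    // Compare every byte so the time taken does not reveal where the hashes differ.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[WebService(Namespace = "http://example.invalid/securedservice/")]
public class SecuredService : WebService
{
    // Bound by the SoapHeader attribute below; stays null if the client sent no header.
    public AuthHeader Credentials;

    [WebMethod]
    [SoapHeader("Credentials", Direction = SoapHeaderDirection.In)]
    public XmlDocument GetOrders(string customerId)
    {
        RequireValidCredentials();

        // Build the response by hand so its shape is under our control rather than
        // whatever a DataSet would serialize to.
        var doc = new XmlDocument();
        XmlElement root = doc.CreateElement("Orders");
        root.SetAttribute("customer", customerId);
        doc.AppendChild(root);
        XmlElement order = doc.CreateElement("Order");   // sample order, constructed
        order.SetAttribute("id", "1001");
        order.SetAttribute("total", "42.50");
        root.AppendChild(order);
        return doc;
    }

    private void RequireValidCredentials()
    {
        // The header carries the password in clear text inside the envelope, so the
        // call is refused unless it arrived over TLS.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        if (Credentials == null)
            throw new SoapHeaderException("AuthHeader missing", SoapException.ClientFaultCode);
        if (!CredentialStore.Validate(Credentials.Username, Credentials.Password))
            throw new SoapHeaderException("Invalid credentials", SoapException.ClientFaultCode);
    }
}
```

A proxy generated for this service with Add Web Reference or wsdl.exe exposes the header as a public `AuthHeaderValue` field; a Windows or ASP.NET client sets `proxy.AuthHeaderValue = new AuthHeader { Username = "demo", Password = "demo-password" }` before calling `GetOrders`, and a call without the header fails with the SoapHeaderException above rather than reaching the method body.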

Web services provide very flexible and powerful methods of exchanging data but they are not as popular as they should be because of the simplistic tutorials. As usual, Microsoft and technology gurus have failed to gear their examples to practical business applications. Most of the available material on web services is superficial and serves as little more than a brief and inadequate introduction.

This entry was posted in ASP.NET, General.
