Web Services Security

Hi Folks,

When it comes to SOAP security, I use the following schema for the SOAP Header:



It is really easy to use. Just have this class in your webservices project:


using System.Xml.Serialization;
using System.Web.Services.Protocols;

namespace Romiko.Hello.WebServices
{
    [XmlType(Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")]
    [XmlRoot("Security", Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", IsNullable = false)]
    public class SecuritySoapHeader : SoapHeader
    {
        public UsernameTokenType UsernameToken;

        public class UsernameTokenType
        {
            public string Username;
            public string Password;
            public string KeyIdentifier;
        }
    }
}



Then just add a public property on the webservice.asmx.cs code behind like:

using System.EnterpriseServices;
using System.Web.Services;
using System.Web.Services.Protocols;

public class HelloWorld : System.Web.Services.WebService
{
    private SecuritySoapHeader security;
    // Populated by ASP.NET from the incoming <Security> SOAP header.
    public SecuritySoapHeader Security
    {
        get { return security; }
        set { security = value; }
    }

    [WebMethod(Description = "Hello System.", EnableSession = false, TransactionOption = TransactionOption.Disabled, BufferResponse = false, MessageName = "", CacheDuration = 0)]
    [SoapDocumentMethod(ParameterStyle = SoapParameterStyle.Bare)]
    [SoapHeader("Security", Direction = SoapHeaderDirection.In)]
    public Data_Records PullRecords(int BatchSize)
    {
        return GetDataRecord(BatchSize);
    }
}

Notice I do not use everything from the OASIS xsd, just a username, password and GUID key 🙂
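One way to check the bound header before the method returns data, as an added example that is not code from the original post: call `SecurityHeaderValidator.Validate(Security);` as the first line of `PullRecords`. `StoredCredential`, `Lookup`, the iteration count and the per-user `KeyIdentifier` check are assumptions; the block expects the `SecuritySoapHeader` class above and .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Services.Protocols;

namespace Romiko.Hello.WebServices
{
    // Hypothetical record: salted PBKDF2 hash of the password plus the expected key GUID.
    public class StoredCredential
    {
        public byte[] Salt, PasswordHash;
        public string KeyIdentifier;
    }

    public static class SecurityHeaderValidator
    {
        private const int Iterations = 100000; // assumed work factor
        // Hypothetical lookup hook; wire it to your own user store (returns null if unknown).
        public static Func<string, StoredCredential> Lookup = user => null;

        public static void Validate(SecuritySoapHeader header)
        {
            // The header carries the password as a plain string, so refuse non-TLS requests.
            if (HttpContext.Current != null && !HttpContext.Current.Request.IsSecureConnection)
                throw Fault("Transport security required.");
            // minOccurs="0" in the schema means every element may be absent.
            var token = header == null ? null : header.UsernameToken;
            if (token == null || token.Username == null || token.Password == null)
                throw Fault("Security header missing or incomplete.");

            StoredCredential stored = Lookup(token.Username);
            // One generic message for every failure, so callers cannot tell which field was wrong.
            if (stored == null || !PasswordMatches(token.Password, stored)
                || !string.Equals(token.KeyIdentifier, stored.KeyIdentifier, StringComparison.OrdinalIgnoreCase))
                throw Fault("Authentication failed.");
        }

        private static bool PasswordMatches(string password, StoredCredential stored)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, stored.Salt, Iterations, HashAlgorithmName.SHA256))
            {
                byte[] actual = kdf.GetBytes(stored.PasswordHash.Length);
                int diff = 0; // fixed-time compare: no early exit on the first mismatch
                for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ stored.PasswordHash[i];
                return diff == 0;
            }
        }

        private static SoapException Fault(string m) => new SoapException(m, SoapException.ClientFaultCode);
    }
}
```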


This will then be automatically generated in the WSDL in the types section:)

<s:schema elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <s:element name="Security" type="s2:SecuritySoapHeader" />
  <s:complexType name="SecuritySoapHeader">
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="UsernameToken" type="s2:UsernameTokenType" />
    </s:sequence>
    <s:anyAttribute />
  </s:complexType>
  <s:complexType name="UsernameTokenType">
    <s:sequence>
      <s:element minOccurs="0" maxOccurs="1" name="Username" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="Password" type="s:string" />
      <s:element minOccurs="0" maxOccurs="1" name="KeyIdentifier" type="s:string" />
    </s:sequence>
  </s:complexType>
</s:schema>


What is really nice as well is introducing an Enterprise Service Bus Management system, which can centrally audit all web services and authenticate users, then just publish the ESB management pages in SharePoint!

If I get time, I will show you how to build cool ESB Management systems 🙂

I just finished university in my spare time, so this will certainly free up some time for blogs!
