Authenticate to a Web Service

P

Peter Bradley

Hi,

I have to interact with a Web Service exposed by a partner organisation.
This Web Service requires that I authenticate to it before I can
successfully call its methods.

The partner organisation has supplied the following to me:

Username
Password
Secret Answer
User Group
HEI User (Y/N)
HEI Course Web Service User
Contact email address

So far, I've tried authenticating using the username and password, like
this:

CourseServices service = new CourseServices();
service.Credentials = new NetworkCredential("xxxxxx", "yyyyyy");
qualificationsListResponse quals = service.getQualificationsList(
new qualificationsListRequest());

I've also tried putting, in turn, the 'Secret Answer', the 'User Group'
and the 'HEI Course Web Service User' values into the optional third
parameter to the NetworkCredentials constructor.

In every case I get a SOAP fault returned saying that I haven't supplied
the correct credentials:

"WSDoAllReceiver: Incoming message does not contain required Security
header"

I've never had to include code to authenticate to a Web Service before,
so I've obviously missed something. Can someone point me in the right
direction, please?

Thanks



Peter
 
E

Evan Freeman

Short answer you don't have a security header in your request.

Long answer this isn't going to be as easy as you think it is. The security
header is encrypted, I honestly haven't done this in a long while so I can't
remember the exact details. But I was able to find an article on code
project that will help you .

http://www.codeproject.com/KB/webservices/WS-Security.aspx

Sorry I can't offer more. Good Luck let us know how it turns out.
 
P

Peter Bradley

Evan said:
Sorry I can't offer more. Good Luck let us know how it turns out.

Well, so far it's not turning out so good.

I've got this out of our partners. This is how they want the SOAP
message to look (obviously with the uid and pwd details blanked out:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsse:Security soap:mustUnderstand="1"

xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:UsernameToken>
<wsse:Username>*****</wsse:Username>
<wsse:password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0
#PasswordText">*****</wsse:password>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:ns1="http://www.slc.co.uk/course/schema/1.0">
<!-- Message specific stuff goes here -->
</soap:Body>
</soap:Envelope>

Back in Microsoft-land, I've fired up WSE Security Settings Wizard and
added a policy like this, by specifying to the wizard "secure a client
application", "Username", "Password", "Enable WS-Security 1.1
Extensions", "Protection Order None (rely on transport protection)". The
policy file this generates is (with sensitive stuff overwritten):

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
<extensions>
<extension name="usernameOverTransportSecurity"
type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="username"
type="Microsoft.Web.Services3.Design.UsernameTokenProvider,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
<extension name="requireActionHeader"
type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />
</extensions>
<policy name="credentials">
<usernameOverTransportSecurity>
<clientToken>
<username username="*****" password="*****" />
</clientToken>
</usernameOverTransportSecurity>
<requireActionHeader />
</policy>
</policies>

(I know that I don't, ultimately want the uid and pwd in the config
file, but I'm trying to keep it simple for now)

When I try to connect I get a SOAP error:

"WSDoAllReceiver: security processing failed (actions mismatch)"

Does anyone have any suggestions?

I wish I could just construct the header in code - or even the entire
message - and send it somehow to the server, manually.

Thanks in advance


Peter
 
P

Peter Bradley

Peter said:
Hi,

I have to interact with a Web Service exposed by a partner organisation.
This Web Service requires that I authenticate to it before I can
successfully call its methods.

This is not going well. I tried again using WSE, this time unchecking
the "Enable WS-Security 1.1 extensions" checkbox, but VS produces
exactly the same policy file and running the application brings back the
same error.

I installed Fiddler2 to see if I could sneak a peek at the actual output
being produced and, while Fiddler did produce some output I could find
no way of looking at the actual XML being produced in the SOAP request.

Does anyone have any ideas on this? Even just being able to dump the
generated SOAP request XML would be a start.

Thanks


Peter
 
E

Evan Freeman

In that article that I linked to you ther eis a "The Client Application"
section in there he shows how to programatically add the user name and
password to the security header.

The security header the wizard is generating still doesn't look right to me.
I'm guessing that thats where the problems are coming in. I understand that
the article is in c++ but its a fairly straight forward translation to c#.

Again sorry I'm not more helpful.
 
P

Peter Bradley

Evan said:
In that article that I linked to you ther eis a "The Client Application"
section in there he shows how to programatically add the user name and
password to the security header.

The security header the wizard is generating still doesn't look right to me.
I'm guessing that thats where the problems are coming in. I understand that
the article is in c++ but its a fairly straight forward translation to c#.

Again sorry I'm not more helpful.


Oh that's right. I read it. I just didn't imagine that there'd be a
difference between doing something programmatically and doing it via the
wizard. I put it in the config file because I thought it'd be simpler
"for now". Obviously not one of my better decisions.

I guess I still have to do all the other things that are in the wizard ...

Anyway, I'll try it tomorrow. I just wish I could get a look at what
XML is being output.

Thanks



Peter
 
E

Evan Freeman

Well I wish I could tell you how. Might be that this would be better served
in the ASPne.Security group than here.
 
P

Peter Bradley

Evan said:
In that article that I linked to you ther eis a "The Client Application"
section in there he shows how to programatically add the user name and
password to the security header.

Nah. Tried that. Doesn't work.

Also, at compile time there's a warning:

'Microsoft.Web.Services3.SoapContext.Security' is obsolete:
'SoapContext.Security is obsolete. Consider deriving from
SendSecurityFilter or ReceiveSecurityFilter and creating a custom policy
assertion that generates these filters.'

So I guess something has changed recently. It doesn't stop me running
the code, but when I do I just get the error:

'WSDoAllReciever: security processing failed'

So, back to the drawing board.

Many thanks for your suggestions, though.

Cheers



Peter
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,744
Messages
2,569,479
Members
44,900
Latest member
Nell636132

Latest Threads

Top