Can Web Service modify SOAP Header parameters?

Discussion in 'ASP .Net Web Services' started by mojeza, Feb 6, 2007.

  1. mojeza

    mojeza Guest

    I built a test web service project in VS2005 (vb) and I'm trying to
    find out if a web service can modify SOAP Header variables and return
    them to the client. My Web Service looks like this:

    Imports System.Data
    Imports System.Web.Services
    Imports System.Web.Services.Protocols

    Public Class MyHeader
        Inherits SoapHeader

        Public Username As String
        Public Password As String
        Public Token As String
    End Class

    Public Class Service
        Inherits System.Web.Services.WebService
        ' Member name must match the string passed to SoapHeader(...)
        Public myHeaderMemberVariable As MyHeader

        ' No Direction is given, so the header uses the default, SoapHeaderDirection.In
        <WebMethod(Description:="Returns dataset", EnableSession:=True), _
         SoapHeader("myHeaderMemberVariable")> _
        Public Function GetData(ByVal sQuery As String, ByRef i As Int64, _
                                ByRef sSessionID As String) As DataSet
            If (myHeaderMemberVariable.Username = "abcd") And _
               (myHeaderMemberVariable.Password = "1234") Then
                ' code which gets data from SQL Server and populates the custDS dataset
                i = custDS.Tables("myData").Rows.Count
                ' sSession is not the declared ByRef parameter sSessionID
                sSession = Session.SessionID
                myHeaderMemberVariable.Token = Session.SessionID.ToString
                Return custDS
            Else
                i = 0
                sSession = Session.SessionID
                myHeaderMemberVariable.Token = Session.SessionID.ToString
                Return Nothing
            End If
        End Function
    End Class

    All works fine: the client is able to populate a grid with the
    dataset received from this web service, but the SoapHeader Token
    variable as well as the sSession function parameter are both set to
    Nothing (they are not populated with SessionID). My problem is that I
    received very loose specs to develop a web service which will work in
    the following manner:
    1. Client logs in with Username & Password. Based on this information
    the user is authenticated and the WS generates a unique Token, which
    is persisted in a SQL Server database and then sent back to the client.
    2. Client uses this token every time a client process calls WS
    functions.
    3. WS authorizes the client request based on the last token, performs
    the request and generates a new token, which is then returned to the
    client in the SOAP header.
    4. This process is repeated on every client request till the client
    issues a Logout request.

    I thought that the most logical place to have tokens located is a SOAP
    header; this would separate authentication/authorization data from
    each function's parameter list and return variable. I wonder if anybody
    has tried something like this and would like to share some insight on
    implementation of this concept. Any help and comments are greatly
    appreciated.

    Thanks a lot.
    mojeza, Feb 6, 2007
    #1
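
The rotating-token exchange from steps 1 to 3 of the post, as an added example that is not the poster's code: a header marked `SoapHeaderDirection.Out` or `InOut` is serialized back to the client, so the service can replace the token on every call. `AuthHeader`, `TokenService`, `WhoAmI` and the in-memory dictionary (standing in for the SQL Server table) are assumptions; a Logout method would simply remove the current entry.

```vbnet
Imports System.Collections.Generic
Imports System.Security.Cryptography
Imports System.Web.Services
Imports System.Web.Services.Protocols

Public Class AuthHeader
    Inherits SoapHeader
    Public Token As String
End Class

Public Class TokenService
    Inherits WebService
    Public Auth As AuthHeader   ' name must match the SoapHeader("Auth") string
    ' Constructed in-memory stand-in for the SQL Server token table (token -> user).
    Private Shared ReadOnly Live As New Dictionary(Of String, String)
    Private Shared ReadOnly Gate As New Object

    Private Shared Function NewToken() As String
        Dim raw(31) As Byte   ' 32 bytes from the OS CSPRNG
        Dim rng As New RNGCryptoServiceProvider()
        rng.GetBytes(raw)
        Return System.Convert.ToBase64String(raw)
    End Function

    ' Step 1: Direction Out sends the header in the response only.
    <WebMethod(), SoapHeader("Auth", Direction:=SoapHeaderDirection.Out)> _
    Public Function Login(ByVal username As String, ByVal password As String) As Boolean
        ' The post's test credentials stand in for a real credential check.
        If Not (username = "abcd" AndAlso password = "1234") Then Return False
        Auth = New AuthHeader()
        Auth.Token = NewToken()
        SyncLock Gate
            Live(Auth.Token) = username
        End SyncLock
        Return True
    End Function

    ' Steps 2-3: InOut reads the client's header and writes the modified one back.
    <WebMethod(), SoapHeader("Auth", Direction:=SoapHeaderDirection.InOut)> _
    Public Function WhoAmI() As String
        If Auth Is Nothing OrElse Auth.Token Is Nothing Then Throw New SoapException("Missing token", SoapException.ClientFaultCode)
        Dim user As String = Nothing
        SyncLock Gate
            If Not Live.TryGetValue(Auth.Token, user) Then Throw New SoapException("Unknown or already used token", SoapException.ClientFaultCode)
            Live.Remove(Auth.Token)    ' each token is valid for one request
            Auth.Token = NewToken()    ' successor travels back in the response header
            Live(Auth.Token) = user
        End SyncLock
        Return user
    End Function
End Class
```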

  2. mojeza

    WishMaster Guest

    Hi Mojeza,

    You have to understand the patterns for Web Service Security and then
    it will be a piece of cake!!!

    Here is the stuff...

    In the code you are trying to implement the Direct Authentication
    pattern (kind of). Meaning, Client and Web Service both know each
    other and own the credentials as well as username and password.
    According to your requirements you want to have SSO (Single Sign On)
    and so on, which is not recommended for the Direct Authentication
    pattern.

    You should follow the Brokered Authentication pattern, which was
    specifically developed for requirements like the ones you have.
    There are three Brokered Authentication patterns:
    1) Kerberos
    2) X.509
    3) STS - Security Token Service

    Now it looks very complicated, doesn't it? Well, it will be very
    simple if you just spend 4-5 hours reading this book, which is a free
    download from the Microsoft site:
    http://www.microsoft.com/downloads/...c8-128a-47c2-9f39-4082582f3fe1&displaylang=en

    I would suggest reading at least chapter #1 and #3 and Part II,
    depending on your interest.

    Good luck!

    Cheers,
    Amer
    WishMaster, Feb 7, 2007
    #2

  3. mojeza

    mojeza Guest

    Hi Amer,

    I downloaded this pdf book and will read it.

    Thank you very much.
    mojeza, Feb 7, 2007
    #3