Lesson 1: Creating and Consuming XML Web Services CHAPTER 9 619 Security and XML Web Services You have two primary options for securing XML Web services written as .asmx files and host- ed by ASP.NET. The first is to use one of the standard ASP.NET security methods to authen- ticate and authorize users. This option is similar to securing any ASP.NET resources such as a Web page, directory, or other file. The second approach is to write a custom security model using SOAP headers. This option can be useful if your calling clients cannot participate in the standard, Windows-based security models used by ASP.NET. ASP.NET Security There a number of ways you can use the authentication and authorization methods of ASP.NET to secure your XML Web services. Thankfully, these options are not much different from securing other ASP.NET resources. This is a result of the Web service working much like a Web page. They both have a URL that points to a file. You can therefore lock down this file like you would any ASP.NET resource. Each ASP.NET security option comes with performance versus security trade-offs. As an example, if you are processing sensitive information such as social security numbers, credit cards, and the like, you will want to encrypt this data as it travels over the network. However, this encryption will decrease performance as the calls have to be encrypted and decrypted, and the messages themselves will be larger. On the other hand, if you are sending basic information to and from the Web service (such as a part numbers, category identifiers, or similar details), you can relax the need for encryption and focus instead on authenticating and authorizing a user. This will help increase your performance and throughput. If your Web service is meant to be public (either inside or outside the firewall), you can always provide anonymous access to your Web service. The first step in setting up your security model is determining a method for authentica- tion. This means determining who the user actually is. The second is to decide if the user has authorization rights to actually access the Web service or the features the Web service ex- poses. The following list describes the basic ASP.NET security methods and a brief description of how they can be applied to Web services for both authentication and authorization. n Windows Basic Authentication You use basic authentication to restrict rights to au- thorized users. In this case, the users are defined on the Web server and are given file- based access rights to the site or the service. When a user hits your service, they are challenged to provide credentials. Of course, these credentials can be provided by the calling client (and not the actual user). However, basic authentication sends the user and password information from the client to the server in clear text. This can be helpful if your clients are non-Windows clients. However, as the information is encoded (and not encrypted), it can be intercepted by network monitoring tools and compromised. n Windows Basic Authentication over SSL This version of basic authentication en- crypts the calls over Secure Sockets Layer (SSL). This adds additional security to this type of authentication as the name and password are encrypted. However, the entire 6 2 0 CHAPTER 9 Writing and Working with Services communication, in this scenario, is also encrypted. Therefore, while you gain in secu- rity, you lose in performance. n Client certifi cates You can use client certifi cates to identify both the caller and the Web service. Certifi cates, in this case, are obtained from a trusted, third-party certifi - cate authority. The client’s certifi cate is presented with the service call and verifi ed as trusted. You can then use Windows to map the certifi cate to an actual user account. You then use the user account to defi ne access to the given service resource. n Windows digest This is similar to Windows Basic. However, digest sends the user’s password in a hashed, encrypted format so it cannot be compromised. This option does not require SSL and will often work through default fi rewalls. However, platforms outside of Windows do not support Windows digest security. n Forms-based authentication Forms-based authentication is not supported for Web service scenarios. n Windows Integrated You can use Windows Integrated security to securely pass encrypted credentials from the client to the server. However, this option requires that both the client and the server are running Windows. If you are accessing a secured service from the user’s browser, it can pass the credentials on to the Web server where they will be evaluated for authentication. In the case of Windows Integrated security, you must be using Microsoft Internet Explorer on the client. That said, user client calls to a Web service is an unlikely scenario with Web services. It is more likely that you will be calling a Web service from code inside your Web site (running server-side). To pass basic authentication credentials from your Web server to a Web service, you fi rst create a NetworkCredentials class. This class contains the user name, password, and domain information. You can then create a CredentialCache object to which you add the Network- Credentials instance. You then set the Web service’s generated client proxy’s Credentials property to the newly created CredentialCache object. If you are using integrated security between the Web server and the Web service, you set the Credentials property of the Web service proxy class to System.Net.CredentialCache .DefaultCredentials. The Web server running your Web page will then pass credentials to the Web service. NOTE SETTING UP ASP.NET SECURITY Confi guring and setting up ASP.NET security is similar for both Web services and ASP.NET pages. Therefore, it is covered in Chapter 14, “Implementing User Profi les, Authentica- tion, and Authorization.” You can also review the section “How to: Confi gure an XML Web Service for Windows Authentication” on MSDN for additional context. NOTE NOTE NOTE SETTING UP ASP.NET SECURITY Confi guring and setting up ASP.NET security is similar for both Web services and ASP.NET pages. Therefore, it is covered in Chapter 14, “Implementing User Profi les, Authentica- tion, and Authorization.” You can also review the section “How to: Confi gure an XML Web Service for Windows Authentication” on MSDN for additional context. Lesson 1: Creating and Consuming XML Web Services CHAPTER 9 621 Custom Security with SOAP Headers You can also use SOAP headers to write a custom mechanism for passing user information into a Web service. Because this option uses Web service standards and not Windows, you can use it to work in scenarios where you require access to your service from other platforms besides Windows. Custom SOAP headers can be used in a secure, encrypted manner. However, the encryp- tion is optional and up to you to write (using the .NET Framework, of course). You can also use SOAP headers to send information to the service as plaintext (unencrypted). This is useful if you need to pass along information or you are behind a trusted fi rewall. It is not, however, a best practice to send unencrypted user information (name and password) using a SOAP header. There are no default, built-in features for working with custom SOAP headers in authenti- cation scenarios. Instead, both the client and the service need to be aware of how to format and pass the header information. In addition, on the server, you need to implement the IHttpModule interface to intercept the SOAP request, get the SOAP header, and parse (and decrypt) the user information. If the operation fails, you throw a SoapException instance. MORE INFO USING CUSTOM SOAP HEADERS For more information on implementing custom SOAP headers in ASP.NET, see the topic “Perform Custom Authentication Using SOAP Headers” on MSDN. Quick Check 1. What type of fi le do you use to create an XML Web service? 2. What is the name of the attribute class you apply to your Web service? 3. How do you identify a method as exposed as part of a Web service? Quick Check Answers 1. You add a new .asmx fi le to a Web site to create an XML Web service. 2. You use the WebServiceAttribute class to mark a class as an XML Web service. 3. You use the WebMethodAttribute class to tag a method as a Web method. Lab Creating and Consuming ASP.NET Web Services In this lab, you create a Web service that works with information in the Pubs database. You then create a Web client interface to call that Web service. If you encounter a problem completing an exercise, the completed projects are available in the samples installed from the companion CD. MORE INFO USING CUSTOM SOAP HEADERS For more information on implementing custom SOAP headers in ASP.NET, see the topic “Perform Custom Authentication Using SOAP Headers” on MSDN. Quick Check 1 . What type of fi le do you use to create an XML Web service? 2 . What is the name of the attribute class you apply to your Web service? 3 . How do you identify a method as exposed as part of a Web service? Quick Check Answers 1 . You add a new .asmx fi le to a Web site to create an XML Web service. 2 . You use the WebServiceAttribute class to mark a class as an XML Web service. 3 . You use the WebMethodAttribute class to tag a method as a Web method. 1 2 3 1 2 3 6 2 2 CHAPTER 9 Writing and Working with Services ExErcisE 1 Creating an ASP.NET Web Service In this exercise, you create the Web Service application project and defi ne a Web service. 1. Open Visual Studio and create a new ASP.NET Web Service Application project using either C# or Visual Basic. Name the project PubsServices. 2. Add the Pubs.mdf fi le to the App_Data directory of the Web Service application. You can get the database fi le in the samples installed from this book’s companion CD. 3. Delete Service.asmx (and its code-behind fi le) from your project. Add a new service fi le called Authors.asmx by right-clicking the project and choosing Add New Item. Select the Web Service template from the Add New Item dialog box. 4. Open the code-behind fi le for Authors.asmx in the code editor. Delete the default code in the service fi le template. Add a new class defi nition for the Authors service. There is no need to inherit from the WebService class as this service does not use the features of ASP.NET. Tag the class with the WebServiceAttribute class and pass a default namespace. Your class defi nition should look similar to the following: 'VB <WebService(Namespace:="http://tempuri.org/")> _ Public Class Authors End Class //C# namespace PubsServices { [WebService(Namespace = "http://tempuri.org/")] public class Authors { } } 5. Open the Web.confi g fi le. Find the <connectionStrings /> element. Add markup to de- fi ne a connection to the pubs.mdf database. The following shows an example (format- ted to fi t on the printed page): <connectionStrings> <add name="PubsConnectionString" connectionString="Data Source=.\SQLEXPRESS; AttachDbFilename=|DataDirectory|\pubs.mdf;Integrated Security=True; User Instance=True" providerName="System.Data.SqlClient"/> </connectionStrings> 6. Return to the .asmx service fi le. Add using (Imports in Visual Basic) statements to the class fi le for System.Data, System.Data.SqlClient, and System.Confi guration. 'VB <WebService(Namespace:="http://tempuri.org/")> _ Public Class Authors End Class //C# namespace PubsServices { [WebService(Namespace = "http://tempuri.org/")] public class Authors { } } <connectionStrings> <add name="PubsConnectionString" connectionString="Data Source=.\SQLEXPRESS; AttachDbFilename=|DataDirectory|\pubs.mdf;Integrated Security=True; User Instance=True" providerName="System.Data.SqlClient"/> </connectionStrings> Lesson 1: Creating and Consuming XML Web Services CHAPTER 9 623 7. Add a private variable at the class level to store the connection string to the Pubs data- base. Name this variable _cnnString, as shown in the following code: 'VB Private _cnnString As String = _ ConfigurationManager.ConnectionStrings("PubsConnectionString").ToString //C# private string _cnnString = ConfigurationManager.ConnectionStrings["PubsConnectionString"].ToString(); 8. Add a method to the class to return all titles for a given author based on their authorId. These authors can be returned as a DataTable instance. Name this method GetAuthor- Titles. 9. Tag the GetAuthorTitles method with the WebMethodAttribute class. Set the Cache- Duration to 300 seconds. Your method should look as follows: 'VB <WebMethod(CacheDuration:=300)> _ Public Function GetAuthorTitles(ByVal authorId As String) As DataTable Dim sql As String = "SELECT titles.title, titles.type, titles.price, " & _ "titles.pubdate FROM titleauthor INNER JOIN titles ON " & _ "titleauthor.title_id = titles.title_id " If authorId <> "0" Then sql = sql & " WHERE (titleauthor.au_id = @AuthorId)" Dim cnn As New SqlConnection(_cnnString) Dim cmd As New SqlCommand(sql, cnn) cmd.Parameters.Add("AuthorId", SqlDbType.VarChar, 11).Value = authorId Dim adp As New SqlDataAdapter(cmd) Dim ds As New DataSet() adp.Fill(ds) Return ds.Tables(0) End Function //C# [WebMethod(CacheDuration = 300)] public DataTable GetAuthorTitles(string authorId) { string sql = "SELECT titles.title, titles.type, titles.price, " + "titles.pubdate FROM titleauthor INNER JOIN titles ON " + 'VB Private _cnnString As String = _ ConfigurationManager.ConnectionStrings("PubsConnectionString").ToString //C# private string _cnnString = ConfigurationManager.ConnectionStrings["PubsConnectionString"].ToString(); 'VB <WebMethod(CacheDuration:=300)> _ Public Function GetAuthorTitles(ByVal authorId As String) As DataTable Dim sql As String = "SELECT titles.title, titles.type, titles.price, " & _ "titles.pubdate FROM titleauthor INNER JOIN titles ON " & _ "titleauthor.title_id = titles.title_id " If authorId <> "0" Then sql = sql & " WHERE (titleauthor.au_id = @AuthorId)" Dim cnn As New SqlConnection(_cnnString) Dim cmd As New SqlCommand(sql, cnn) cmd.Parameters.Add("AuthorId", SqlDbType.VarChar, 11).Value = authorId Dim adp As New SqlDataAdapter(cmd) Dim ds As New DataSet() adp.Fill(ds) Return ds.Tables(0) End Function //C# [WebMethod(CacheDuration = 300)] public DataTable GetAuthorTitles(string authorId) { string sql = "SELECT titles.title, titles.type, titles.price, " + "titles.pubdate FROM titleauthor INNER JOIN titles ON " + 6 2 4 CHAPTER 9 Writing and Working with Services "titleauthor.title_id = titles.title_id "; if(authorId != "0") sql = sql + " WHERE (titleauthor.au_id = @AuthorId) "; SqlConnection cnn = new SqlConnection(_cnnString); SqlCommand cmd = new SqlCommand(sql, cnn); cmd.Parameters.Add("AuthorId", SqlDbType.VarChar, 11).Value = authorId; SqlDataAdapter adp = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adp.Fill(ds); return ds.Tables[0]; } 10. Compile your application and make sure there are no errors. ExErcisE 2 Consuming an ASP.NET Web Service In this exercise, you create a client for accessing an ASP.NET Web service. 1. Continue editing the project you created in the previous exercise. Alternatively, you can open the completed Lesson 1, Exercise 1 project in the samples installed from the CD. 2. Add a new Web site to the solution: Right-click the solution and choose Add | New Web Site. Select the ASP.NET Web Site template. Name the Web site PubsClient. Right-click the Web site and choose Set As StartUp Project. 3. Add a Web reference to the Web service created in Exercise 1. Start by right-clicking the Web site; choose Add Web Reference. In the Add Web Reference dialog box, select Web Services In This Solution. This should display the Authors service; click it. On the right side of the dialog box, change the Web reference name to PubsService. Finish by clicking Add Reference. NOTE VIEWING THE GENERATED PROXY CLASS If you want to see the generated proxy class, you should change your project type from Web Site to Web Application. In this case, your code is compiled as .dll fi les and the generated code is exposed. For Web sites, Visual Studio generates code and compiles it on demand. 4. Open the Default.aspx page in your Web site. Add an object data source control to the page. Confi gure it to use the Web service proxy class. Set the authorId parameter to be set via the query string value auId. "titleauthor.title_id = titles.title_id "; if(authorId != "0") sql = sql + " WHERE (titleauthor.au_id = @AuthorId) "; SqlConnection cnn = new SqlConnection(_cnnString); SqlCommand cmd = new SqlCommand(sql, cnn); cmd.Parameters.Add("AuthorId", SqlDbType.VarChar, 11).Value = authorId; SqlDataAdapter adp = new SqlDataAdapter(cmd); DataSet ds = new DataSet(); adp.Fill(ds); return ds.Tables[0]; } NOTE VIEWING THE GENERATED PROXY CLASS NOTE VIEWING THE GENERATED PROXY CLASSNOTE If you want to see the generated proxy class, you should change your project type from Web Site to Web Application. In this case, your code is compiled as .dll fi les and the generated code is exposed. For Web sites, Visual Studio generates code and compiles it on demand. Lesson 1: Creating and Consuming XML Web Services CHAPTER 9 625 Add a GridView control to the page and set its DataSourceId property to the object data source. Your markup should look as follows: <asp:ObjectDataSource runat="server" ID="ObjectDataSourceAuthors" TypeName="PubsService.Authors" SelectMethod="GetAuthorTitles"> <SelectParameters> <asp:QueryStringParameter Name="authorId" QueryStringField="auId" Type="String" DefaultValue="0" /> </SelectParameters> </asp:ObjectDataSource> <asp:GridView ID="GridView1" runat="server" DataSourceID="ObjectDataSourceAuthors"> </asp:GridView> 5. Run the application to see the results. Lesson Summary n You create an XML Web service in ASP.NET by defi ning an .asmx fi le. You use the at- tribute class WebServiceAttribute to mark a class as a Web service. You use the Web- Method attribute class to defi ne the methods on that class that should be exposed as Web services. You can also inherit from WebService if you intend to use the features of ASP.NET (like session) inside your service. n You can consume an XML Web service in an ASP.NET Web site by setting a Web refer- ence to it. This generates a proxy class for you. You can program against the proxy as if the Web service were actually running on the same server. The proxy class handles the rest. n You can call a Web service from the client using ASP.NET AJAX extensions. You use the ScriptManager class to reference a Web service that is in the same domain as the given Web page. A JavaScript client proxy is then generated for you. You can use this proxy to call your Web service. ASP.NET AJAX takes care of the rest. n You secure a Web service in ASP.NET as you would any other ASP.NET resource. You can also defi ne custom Web service security through custom SOAP headers. <asp:ObjectDataSource runat="server" ID="ObjectDataSourceAuthors" TypeName="PubsService.Authors" SelectMethod="GetAuthorTitles"> <SelectParameters> <asp:QueryStringParameter Name="authorId" QueryStringField="auId" Type="String" DefaultValue="0" /> </SelectParameters> </asp:ObjectDataSource> <asp:GridView ID="GridView1" runat="server" DataSourceID="ObjectDataSourceAuthors"> </asp:GridView> 626 CHAPTER 9 Writing and Working with Services Lesson Review You can use the following questions to test your knowledge of the information in Lesson 1, “Creating and Consuming XML Web Services.” The questions are also available on the com- panion CD if you prefer to review them in electronic form. NOTE ANSWERS Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book. 1. You wish to create a new Web service that will expose multiple methods that are meant to work with user-specifi c data through a transaction. You decide to use ASP.NET session state to manage the user’s context on the server between Web service requests. How shoul d you defi ne your Web service? A. Defi ne a class that inherits from WebServiceAttribute. B. Defi ne a class that inherits from WebService. C. Defi ne a class that inherits from WebMethodAttribute. D. Do not inherit from a base class. Hosting the Web service in ASP.NET is suffi cient. 2. You wish to consume an existing Web service from your ASP.NET Web site. What ac- tions should you take? (Choose all that apply.) A. Use the Add Reference dialog box to set a reference to the .wsdl fi le that contains the Web service. B. Use the Add Web Reference dialog box to point to the URL of the given Web s e r v i c e . C. Write a method in your Web site that has the same function signature as your Web service. Do not implement this method. Instead, mark it with the WebMethod attribute. D. Call a proxy class that represents calling your Web service. 3. You need to secure your Web service. The service will be accessed over the Internet by multiple, different systems. Authentication information should be secured. You wish to trust only those callers that have been verifi ed as trusted. What type of security should you consider? A. Windows Basic B. Windows digest C. Client certifi cates D. Custom SOAP headers NOTE ANSWERS Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book. Lesson 1: Creating and Consuming XML Web Services CHAPTER 9 627 4. You wish to write a Web service and call it from client-side script. What actions should you take? (Choose all that apply.) A. Add the ScriptService attribute to the Web service class. B. Make sure the ScriptHandlerFactory is registered for your Web site inside the Web .config file. C. Add a ScriptManager class to your Web page. Set the ServiceReference to point to the .asmx Web service. D. Make sure your Web page and service are in the same domain. 6 2 8 CHAPTER 9 Writing and Working with Services Lesson 2: Creating and Consuming WCF Services In the previous lesson, you learned about creating XML Web services with ASP.NET. This is a very useful, straightforward way to create Web services that you intend to host in IIS and call over HTTP. However, the service model can be extended beyond HTTP. For example, you might want to write a service that is accessed inside the fi rewall over Transmission Control Protocol (TCP) instead of HTTP. This can provide increased performance in this scenario. In earlier versions of the .NET Framework, this meant you wrote the service using Remoting. However, if that same service code needed to be called over both HTTP and TCP, you had to write and host it twice. This is one of the many problems WCF is meant to solve. WCF is a unifying programming model. It is meant to defi ne a singular way for writing services and thereby unify things like Web services (.asmx), .NET Remoting, Message Queue (MSMQ), Enterprise Services (COM+), and Web Services Enhancements (WSE). It does not replace these technologies on an individual basis. Instead, it provides a single programming model that you can use to take advantage of all of these items at once. With WCF, you can create a single service that can be exposed as HTTP, TCP, named pipes, and so on. You also have multiple hosting options. This lesson covers the basics of WCF to give you a solid footing when working with this technology. This lesson is not all-encompassing on WCF. Rather, it focuses on those areas in- side WCF that are specifi c to an ASP.NET developer: writing, hosting, and calling WCF services with ASP.NET Web sites. After this lesson, you will be able to: n Understand the architecture of WCF. n Create a WCF service in ASP.NET and host it. n Call a WCF service from an ASP.NET Web page. Estimated lesson time: 45 minutes Presenting Windows Communication Foundation (WCF) Before you build your fi rst WCF service application, it is important to get an overview of how the technology works. WCF enables message-based communication to and from endpoints. You write your service and then attach, or confi gure, endpoints. A given service can have one or more endpoints attached to it. Each WCF endpoint defi nes a location to which messages are sent and received. This location includes an address, a binding, and a contract. This ad- dress, binding, and contract concept is often referred to as the ABCs of WCF. The following list describes each of these items in detail: After this lesson, you will be able to: n Understand the architecture of WCF. n Create a WCF service in ASP.NET and host it. n Call a WCF service from an ASP.NET Web page. Estimated lesson time: 45 minutes Estimated lesson time: 45 minutes [...]... As you can see, ASP.NET simplifies creating WCF services based on REST and JSON You can also use the features of WCF and the NET Framework to define REST services and JSONbased messages outside of ASP.NET In fact, the NET Framework supports serializing between NET types and JSON data structures Calling a JSON-Based WCF Service from AJAX The AJAX support in ASP.NET also makes calling a REST-based... (like ASP.NET) In most enterprise application cases, you will want to use an existing host for your service rather than writing your own You can see there are many options for creating, configuring, and hosting a wide array of services Again, this chapter covers building, hosting, and calling WCF services with respect to ASP.NET (HTTP transport and IIS hosting) Creating a WCF Service with ASP.NET Creating... wrong are located in the “Answers” section at the end of the book 1 You wish to write a WCF service application You intend to host the service in IIS and leverage ASP.NET to build the service What type of project should you create? a A WCF Service library b A WCF Service application c An ASP.NET Web Service application d A Windows Service 2 You define your own custom type to be used with your WCF service... ShipperServiceClient(); nwShipper.SaveShipper(shipper); } 7 Run the application Enter a Shipper ID (1, 2, or 3) Edit the data and save it back to the database Lesson Summary n WCF is a unifying programming model for creating service-oriented applications With WCF, you can create services that work with HTTP, TCP, MSMQ, and named pipes n ASP.NET and IIS allow you to host WCF services that you wish to... As you can see, the WCF Service application in ASP.NET takes care of many of the common steps to a WCF service In fact, steps 1, 3, and 4, as discussed previously, are taken care of by default That leaves step 2, implement the service, and step 5, call the service from a client application Implementing the WCF Service To implement the service, you start... (see lab) } } Consuming a WCF Service in an ASP.NET Page You are now ready to call the WCF service created previously The contract is defined via the IShipperService interface The contract is implemented inside the ShipperService.svc file An endpoint is configured via the default HTTP endpoint set up inside the Web.config file The service is hosted by IIS and ASP.NET (or your local Web server) The final... service is hosted by IIS and ASP.NET (or your local Web server) The final step is to set a client to call the service In this case, we assume the client is another ASP.NET Web site However, it could easily be a Windows application or another application on a different platform To start, you need to generate a proxy class for calling the WCF service This can be done using Visual Studio You right-click... 2: Creating and Consuming WCF Services CHAPTER 9 639 Writing a WCF Service Based on REST and JSON Creating a WCF service based on REST and JSON is somewhat simplified in ASP.NET This is due in part to the AJAX support built into ASP.NET Because of this, there is a WCF template that you can use to quickly create a service that leverages the REST calling mechanism and the JSON data format This AJAX-WCF... service in an application 5 Reference and call the service from a client application As you can see, a WCF service application starts with the contract This contract indicates the features and functionality your service will offer to calling clients In WCF programming, you create this contract by first defining an interface and decorating that interface with a number of attributes Figure 9 -7 shows an... attribute class is used to mark individual fields and properties that you want to serialize You use this class in conjunction with the DataContract class The WCF Service Application Visual Studio and ASP.NET define the WCF Service Application project template This template defines a Web project that serves to host the WCF service This project contains a reference to System.ServiceModel.dll, which contains . files and host- ed by ASP .NET. The first is to use one of the standard ASP .NET security methods to authen- ticate and authorize users. This option is similar to securing any ASP .NET resources such. Windows-based security models used by ASP .NET. ASP .NET Security There a number of ways you can use the authentication and authorization methods of ASP .NET to secure your XML Web services. Thankfully,. additional context. NOTE NOTE NOTE SETTING UP ASP .NET SECURITY Confi guring and setting up ASP .NET security is similar for both Web services and ASP .NET pages. Therefore, it is covered in Chapter