Authentication for Web Services (using SOAP headers)

I recently put up a few web services for a client of mine, which returned some sensitive data. I needed to find a simple way to authenticate the users of these web services. This is the approach I took.

I've started using web services fairly often in the applications that I've been developing, in most cases the information they pass is suitable for the public domain. However a recent project forced me to look into different authentication methods.

My requirements were that, it had to be simple for the client applications to authenticate, also that the web based administration system had to be used. This prevented me from using the Windows authentication (which is fairly easy to use for the clients of this web service.) By using SOAP headers to pass username and password information, it greatly simplifies any authentication request.

Using the code

I wanted to make it really easy for the client to understand:

protected System.Web.UI.WebControls.DataGrid dgData;
    
private void Page_Load(object sender, System.EventArgs e)
{
    //simple client
    AuthWebService.WebService webService = new AuthWebService.WebService();
    AuthWebService.AuthHeader authentication = new 
                              AuthWebService.AuthHeader();

    authentication.Username = "test";
    authentication.Password = "test";
    webService.AuthHeaderValue = authentication;

    //Bind the results - do something here
    DataSet dsData = webService.SensitiveData();

    dgData.DataSource = dsData;
    dgData.DataBind();    

}

Basically all the client needs to do is create an authentication object, fill out the username and password, then pass them to the web service object. The web service code is also pretty simple, the .NET framework lets you create custom SOAP headers by deriving from the SoapHeader class, so we wanted to add a username and password:

using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

The next step is to identify the web services that need the authentication, in the example I've included it's the methodSensitiveData. To force the use of our new SOAP header we need to add the following attribute to our method:

[SoapHeader ("Authentication", Required=true)]

So our full definition for our web service method is:

public AuthHeader Authentication;


[SoapHeader ("Authentication", Required=true)]
[WebMethod (Description="Returns some sample data")]
public DataSet SensitiveData()
{
    DataSet data = new DataSet();
            
    //Do our authentication
    //this can be via a database or whatever
    if(Authentication.Username == "test" && 
                Authentication.Password == "test")
    {
        //they are allowed access to our sensitive data
        
        //just create some dummy data
        DataTable dtTable1 = new DataTable();
        DataColumn drCol1 = new DataColumn("Data", 
                System.Type.GetType("System.String"));
        dtTable1.Columns.Add(drCol1);

        DataRow drRow = dtTable1.NewRow();
        drRow["Data"] = "Sensitive Data";
        dtTable1.Rows.Add(drRow);
        dtTable1.AcceptChanges();

        data.Tables.Add(dtTable1);
    
    }else{
        data = null;
    }            

    return data;
}

I should also mention that when I say SOAP headers, I actually mean the soap:Header element in a SOAP request, it has nothing to do with the HTTP headers sent with the request. The SOAP request looks something like:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <AUTHHEADER xmlns="http://tempuri.org/">
      <USERNAME>string</USERNAME>
      <PASSWORD>string</PASSWORD>
    </AUTHHEADER>
  </soap:Header>
  <soap:Body>
    <SENSITIVEDATA xmlns="http://tempuri.org/" />
  </soap:Body>
</soap:Envelope>

I've included both the client and the web service in the attachment.

Download a sample here