You could try Web Services Enhancements (WSE) 3.0. This adds support for an old version of WS-Security (the 2004 version I think - WCF supports the 2005 and 2007 versions). It sits on top of ASMX without disturbing it, and does still work in .NET 3.5 / WS2008.
Now for the downsides:
- VS2008 does not support adding or updating WSE-enabled web references in client code. It will happily create the normal ASMX proxy class, but not the extra WSE proxy class that is required for authentication. Any existing WSE proxy code you have does compile OK, but will be deleted if you try to update the web reference in the IDE. If you possess a copy of VS2005, you could use it to maintain or at least create the web reference on the client side.
- AFAIK, the WSE implementation of WS-Security is not 100% forward-compatible with the WCF implementations. You will need to do some compatibility testing of your own with WCF to make sure.
Example
Specifying credentials on the client:
void SetUsernameCredential(WebServicesClientProtocol service, string userName, string password) {
UsernameToken token = new UsernameToken(userName, password, PasswordOption.SendHashed);
service.SetClientCredential(token);
}
Authenticating credentials on the server:
public class MyUsernameTokenManager : UsernameTokenManager {
protected override string AuthenticateToken(UsernameToken token) {
// Authenticate here.
// If succeess, return an authenticated IPrincipal and the user's password as shown.
// If failure, throw an exception of your choosing.
token.Principal = principal;
return password;
}
}
Reading credentials on the server:
IPrincipal principal = RequestSoapContext.Current.IdentityToken.Principal;