Basically I need to set up my ASMX file so that when I pull it up in a browser to display the WebMethod specification, the SOAP header conforms to this format:

<soap:Header>
   <wsse:Security>
      <wsse:UsernameToken wsu:Id='SecurityToken-securityToken'>
         <wsse:Username>Username</wsse:Username>
         <wsse:Password>Password</wsse:Password>
         <wsu:Created>Timestamp</wsu:Created>
      </wsse:UsernameToken>
   </wsse:Security>
</soap:Header>

Back-story: I'm integrating with a client application that is already built (and owned by another company). Basically this client application already has its SOAP messages all set up from its past integrations with other companies. So we've opted to just build a web service using an ASMX file that matches the WSDL that they're already set up to consume.

Is it possible to get WS-Security working on an ASMX file or is ASMX too simplistic and I have to upgrade to WCF (which I really don't want to do)?

+1  A: 

You can implement a SOAP / WS-Security service using classic web services. Here's a tutorial from MSDN.

All of this is easier in WCF though.

EDIT:

Pulled the wrong link. Here's the one I meant to paste (CodeProject tutorial that uses WSE 2, though WSE 3 is the latest release and I have used that exclusively pre-WCF).

Eric J.
@Eric: I looked at that link, and it's hardly a tutorial. It's just an article from 2002.
John Saunders
@John: You're right and you're wrong. I did pull the wrong link from my bookmarks (updated post). You're wrong in stating that legacy ASMX can't support WS-Security (see updated link).
Eric J.
+1  A: 

No, legacy ASMX web services do not support WS-Security, or any of the other WS-* standards.

Since Microsoft now considers ASMX web services to be "legacy technology", you should be doing this work using WCF.


Another answer suggests using WSE. This is even less of a solution. WSE is flat-out obsolete, and should only be used as a last resort.

John Saunders
+2  A: 

Is it possible to get WS-Security working on an ASMX file or is ASMX too simplistic and I have to upgrade to WCF (which I really don't want to do)?

Yes, it is possible using Web Services Enhancements 3 (an add-on for Visual Studio 2005 and ASMX). See this MSDN page for a WSE-3-specific tutorial and use the usernameOverTransportSecurity assertion, noting that this is not actually secure unless the connection takes place over a protected transport (i.e. SSL).

It is, however, not recommended that you do this, and I cannot fathom why you would not "want" to "upgrade to WCF" given the choice. Please note the following very important limitations of ASMX/WSE:

  • WSE is no longer a supported product. Although it still works, it no longer receives updates or even bug fixes.

  • No version of WSE will successfully integrate into Visual Studio 2008, or even Visual Studio 2005 running on Windows Vista x64 or newer.

  • WCF goes to a lot of trouble to provide thread-safe client operations and allow proxies to exist for long periods of time (which in turn provide significant per-operation performance benefits). WSE proxies, on the other hand, are disposable non-threadsafe objects that incur a setup time with every remote method invocation (even when using Secure Conversation). This also makes them largely unsuitable for Dependency Injection and many other widely-used patterns.

These are just some of the reasons why you shouldn't use WSE anymore. The reasons why you should use WCF on the client side are manifold, including but not limited to separation of the model and proxies, consumption of REST-based services, and better handling of collection types.

Unless you really must continue to use ASMX, please reconsider your refusal to move to WCF - unless the service does a lot of unusual things with XML serialization, it takes no more than 5 minutes to make the switch.

Aaronaught
@Aaronaught: Thanks for all the info. The reason I'm hoping to stay away from a WCF service was because I heard it was easy to set up but a pain to deploy on the server. Are you aware of whether or not there are additional setup procedures needed for WCF aside from the simple "publish" command that Visual Studio 2008 provides? We've already deployed several ASMX services and deploying was as simple as clicking "publish". If WCF is just as simple then I'd happily make the switch.
Adam
@Adam: It should be just as simple. We don't use the VS "publish" command but our deployment is usually just a straight file copy. Perhaps somebody said it was a pain to deploy because the .NET 3.5 Framework takes a long time to install if the server doesn't already have it?
Aaronaught
You also need to learn "WCML", or better known as "WCF Configuration Markup Language". You spend your hours staring blankly at configuration files with their gazillion options. For the first few days nothing works, then by magic, one tweaked setting makes the damn thing work. You put bold warnings in the config file comments to warn others to NEVER EVER touch the file again on pain of death. Otherwise WCF is a breeze. Go for it. :-)
Junto
I appreciate this is a late comment, but having just attempted to get a WSE-style WS-security ASMX service working in WCF, unless I am missing a trick - it is the most convoluted and err difficult thing ever. So much so I have given up, as there are no useful errors to help me get it working. All help obviously welcomed though, as I would much rather use it. My biggest problem is not finding any decent documentation on the web on how to use it!
harrisonmeister
@harrison: There's lots of help on the web; try starting [here](http://devlicio.us/blogs/ziemowit_skowronski/archive/2007/07/18/interoperability-between-wcf-and-wse-3-0.aspx). If that doesn't work for you, you should start a question explaining what you've tried and what's not working (what error you get, etc.)
Aaronaught
@aaronaught - I have, but not many people have answered. http://stackoverflow.com/questions/2945140/implementing-ws-security-within-wcf-proxy
harrisonmeister
@harrison: That question refers to Axis. Is it Axis or WSE? They may be similar, but they are not the same. The WSDL in that question appears to be using the WS-Security spec from 2002, which is very old and I think corresponds to WSE 2.0; WSE 3.0 and WCF are not wire-level compatible with that at all.
Aaronaught
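
Added example, not code from any of the posters above: a plain ASMX service that accepts a header shaped like the `<wsse:Security>` block in the question as an ordinary `SoapHeader` (no WSE, and no signing or encryption, so it covers only the plaintext username token), and enforces the protected-transport caveat from the WSE 3 answer. The OASIS WSS 1.0 namespace URIs, `PingService`, the `http://example.invalid/ws` namespace and the `Credentials` class are assumptions.

```csharp
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Xml.Serialization;

public static class Ns // assumed OASIS WSS 1.0 URIs; take the real ones from the client's WSDL
{
    public const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
}
[XmlType(Namespace = Ns.Wsse)]
public class UsernameToken
{
    [XmlAttribute("Id", Namespace = Ns.Wsu)] public string Id;
    public string Username;
    public string Password;                       // plaintext on the wire
    [XmlElement(Namespace = Ns.Wsu)] public string Created;
}
[XmlRoot("Security", Namespace = Ns.Wsse)]
public class Security : SoapHeader { public UsernameToken UsernameToken; }

[WebService(Namespace = "http://example.invalid/ws")] // placeholder service namespace
public class PingService : WebService
{
    public Security SecurityHeader; // filled by ASMX from the incoming <Security> header
    [WebMethod, SoapHeader("SecurityHeader", Direction = SoapHeaderDirection.In)]
    public string Ping()
    {
        // The token carries a plaintext password: reject it on anything but HTTPS.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required", SoapException.ClientFaultCode);
        UsernameToken t = SecurityHeader == null ? null : SecurityHeader.UsernameToken;
        if (t == null || !Credentials.IsValid(t.Username, t.Password))
            throw new SoapException("Authentication failed", SoapException.ClientFaultCode);
        return "pong";
    }
}

public static class Credentials // hypothetical stand-in; a real store compares salted password hashes
{
    public static bool IsValid(string user, string password)
    {
        const string demoUser = "demo", demoPassword = "constructed-sample"; // constructed values
        if (user != demoUser || password == null) return false;
        int diff = password.Length ^ demoPassword.Length;
        for (int i = 0; i < password.Length && i < demoPassword.Length; i++)
            diff |= password[i] ^ demoPassword[i];
        return diff == 0; // the loop does not stop at the first mismatching character
    }
}
```

The generated service description page will show the header with serializer-chosen prefixes rather than the literal `wsse:`/`wsu:`; what the client matches on is the element names and namespace URIs.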