Wednesday, January 02, 2008

How do i authenticate web service requests before invoking web methods ?

How do i pass user name, password when calling web services ? or
How do i authenticate the web service request before invoking web methods ?

There are several ways to do this and one of the most easiest way is to pass user name, password as input parameters to web method called. but na, that is not a good way to implement as this information is at the periphery of the core business functionality of the web service exposed. Hence keeping this out makes more sense.

Another way to control anonymous access can be achieved through IIS (web server) settings. Just uncheck the anonymous access or limit the IPs that can hit your web services or validate it against your windows account group... but again you may want to implement partial anonymous access! Few web methods can be accessed by everyone, few have restricted access.

In that case, better way to do this is to pass this information into SOAP header (SOAP web services communicate through SOAP messages - which include SOAP envelope (inc. namespace and root element), SOAP Header (this is optional) and SOAP body (contains web method, input parameters and response result)

Working with SOAP Headers in order to have a Web service accept a SOAP header we need to perform the following three tasks:
1> Define a SOAP header class in the Web service project

public class AuthenticationHeader : SoapHeader
public string Username;
public string Password;

2> Add a public member variable of the SOAP header class created in step (1) to the Web service class

[WebService(Namespace= )]
public class MyWebService : System.Web.Services.WebService
public AuthenticationHeader AuthHeader;
... The Web service's methods would be defined down here ...

3> Add the SoapHeader attribute to the Web method(s) that need to be able to programmatically access the value of the header

Once we perform these three steps at the Web service's end, our next task is to configure the client so that it can invoke a Web service method and pass along data for the appropriate SOAP header(s). The first step, as we've discussed in earlier installments of this article series, is to create a proxy class on the client. This will auto-generate the SOAP header class defined in the Web service project and will add a public property to the proxy class through which an instance of the SOAP header can be affixed to outgoing messages.

To actually pass along a populated SOAP header when calling a Web method the client needs to first create an instance of the proxy's SOAP header class, populate its values, and then assign this header class instance to the appropriate proxy class property. Finally, calling one of the Web service's methods will invoke the method, passing along the SOAP header.

[WebMethod(), SoapHeader("AuthHeader")]
public string GetMessage()
// Only allow valid user/password to access this secret message...
if (AuthHeader.Username == "user" && AuthHeader.Password == "password")
return "This is the secret message!!!";

In order to send a SOAP header to the Web service method, the client should do the following:
1> Create an instance of the proxy class,
2> Create an instance of the SOAP header class and populate its values,
3> Affix the SOAP header to the proxy class by assigning the SOAP header class instance created in step (2) to the proxy class's AuthHeaderValue property, and, finally
4> Call the Web service method

The following code illustrates these four steps. The GetMessage() Web method is invoked from the client passing along a username/password pair of scott and password.

// step 1, create the proxy class
localhost.MyWebService proxy = new localhost.MyWebService();
// step 2, create and populate the header class
localhost.AuthenticationHeader authInfo = new localhost.AuthenticationHeader();
authInfo.Username = "user";
authInfo.Password = "password";
// step 3, affix the SOAP header to the proxy
proxy.AuthHeaderValue = authInfo;
// step 4, call the method
string result = proxy.GetMessage();
The value returned from GetMessage() will contain the appropriate message, based on the username/password sent via the SOAP header.

Conclusion - If you want to know more or learn real sweet about the whole web services or SOAP basics and details visit
Scott Mitchell's article on He has written 11 part series about .net web services. Hope that helps! Thanks - Dipesh


Tatva said...

good post..helpful

msbyuva said...


Abdur said...

please give an example bro, am not able to implement so..... am just a pro to this field so plz plz plz help me out....

Namo Nikumbh said...

I have already implemented this but can you please tell me how to test this service from Test Form of the web service.