How to: Secure a Web Service Without Using a Policy File
The policy for a Web service can be specified in code when the deployment environment is known ahead of time and is not likely to change. Typically, it is more flexible to allow an administrator to define the policy for an application when it is deployed using a policy file, but WSE does allow you to specify the policy in code. For more details about securing a Web service using a policy file, see How to: Secure a Web Service Using a Policy File.
To secure a Web service without using a policy file
Open the Web service project in Visual Studio 2005.
Add references to the Microsoft.Web.Services3 assembly.
- In Solution Explorer, right-click the project name, and then click Add Reference.
- Click the .NET tab, and then click Microsoft.Web.Services3.dll.
- Click OK to close the dialog box.
Add the Imports statements or using directives that are shown in the following code example to the top of the file for the new class.
Imports System
Imports System.Web
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.Web.Services3.Design
Imports Microsoft.Web.Services3

using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3;
Define the policy for the Web service.
Add a class that derives from the Policy class.
The following code example creates a class named ServicePolicy that derives from the Policy class.
Public Class ServicePolicy
    Inherits Policy

public class ServicePolicy : Policy
{
In the default constructor, add one or more policy assertions to the policy.
The Policy class has an Assertions property that is an ordered list of policy assertions for the policy. That is, the policy assertions are applied to a SOAP message in the order in which they are added to the Assertions property. For each policy assertion that is added, the security credentials for that assertion must also be specified.
The following code example adds a <mutualCertificate11Security> Element policy assertion and specifies an X509TokenProvider for both the client and Web service's security credentials.
Public Sub New()
    ' Create a new instance of the MutualCertificate11 turnkey security assertion.
    Dim assertion As New MutualCertificate11Assertion()
    ' Specify a security token provider for the Web service's security credentials.
    assertion.ServiceX509TokenProvider = New X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer")
    ' Add the policy assertion to the policy.
    Me.Assertions.Add(assertion)
End Sub

public ServicePolicy()
    : base()
{
    // Create a new instance of the MutualCertificate11 turnkey security assertion.
    MutualCertificate11Assertion assertion = new MutualCertificate11Assertion();
    // Specify a security token provider for the Web service's security credentials.
    assertion.ServiceX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");
    // Add the policy assertion to the policy.
    this.Assertions.Add(assertion);
}
Apply the policy to the Web service by applying the PolicyAttribute attribute to the Web service.
When a policy is specified in a class instead of a policy file, the policy is specified by passing the type that derives from Policy to the PolicyAttribute attribute.
The PolicyAttribute attribute can be applied to the class that is implementing the Web service methods. This applies the policy to all Web service methods (operations) within that class.
The following code example specifies that all Web service methods within the Service class adhere to the ServicePolicy policy.
<WebService([Namespace]:="http://tempuri.org/"), _
 WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1), _
 Policy(GetType(ServicePolicy))> _
Public Class Service
    Inherits System.Web.Services.WebService

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy(typeof(ServicePolicy))]
public class Service : System.Web.Services.WebService
Example
The following code example specifies that all Web service methods within the Service class adhere to the ServicePolicy policy. The ServicePolicy policy uses the <mutualCertificate11Security> Element turnkey security assertion to specify the policy.
Imports System
Imports System.Web
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.Web.Services3.Design
Imports Microsoft.Web.Services3

<WebService([Namespace]:="http://tempuri.org/"), _
 WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1), _
 Policy(GetType(ServicePolicy))> _
Public Class Service
    Inherits System.Web.Services.WebService

    Public Sub New()
    End Sub 'New

    <WebMethod()> _
    Public Function HelloWorld() As String
        Return "Hello World"
    End Function 'HelloWorld
End Class 'Service

Public Class ServicePolicy
    Inherits Policy

    Public Sub New()
        ' Create a new instance of the MutualCertificate11 turnkey security assertion.
        Dim assertion As New MutualCertificate11Assertion()
        ' Specify a security token provider for the Web service's security credentials.
        assertion.ServiceX509TokenProvider = New X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer")
        ' Add the policy assertion to the policy.
        Me.Assertions.Add(assertion)
    End Sub
End Class 'ServicePolicy

using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy(typeof(ServicePolicy))]
public class Service : System.Web.Services.WebService
{
    public Service () {}

    [WebMethod]
    public string HelloWorld() {
        return "Hello World";
    }
}

public class ServicePolicy : Policy
{
    public ServicePolicy()
        : base()
    {
        // Create a new instance of the MutualCertificate11 turnkey security assertion.
        MutualCertificate11Assertion assertion = new MutualCertificate11Assertion();
        // Specify a security token provider for the Web service's security credentials.
        assertion.ServiceX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");
        // Add the policy assertion to the policy.
        this.Assertions.Add(assertion);
    }
}
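
Because the policy is compiled in, the store location, store name and subject name it passes to X509TokenProvider have to match what is installed on the deployment machine. The following pre-deployment check is an added example, not part of the original documentation or of WSE; the class name ServiceCertPreflight is hypothetical, and it assumes the .NET Framework and the same three values used in ServicePolicy.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not a WSE type): checks the certificate that ServicePolicy names.
public static class ServiceCertPreflight
{
    // Returns null when exactly one usable certificate matches; otherwise a description of the problem.
    public static string Check(StoreLocation location, StoreName name, string subjectDn)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly is false so that expired or untrusted certificates are reported, not hidden.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);
            if (matches.Count == 0)
                return "No certificate with subject '" + subjectDn + "' in " + location + "\\" + name + ".";
            if (matches.Count > 1)
                return matches.Count + " certificates share subject '" + subjectDn + "'; the lookup is ambiguous.";

            X509Certificate2 cert = matches[0];
            DateTime now = DateTime.Now; // NotBefore and NotAfter are local times
            if (now < cert.NotBefore || now > cert.NotAfter)
                return "Certificate " + cert.Thumbprint + " is outside its validity period.";
            if (!cert.HasPrivateKey)
                return "Certificate " + cert.Thumbprint + " has no associated private key.";
            try
            {
                // Reading the key fails if the current account has no access to the key container.
                AsymmetricAlgorithm key = cert.PrivateKey;
                if (key == null) return "Private key could not be loaded.";
            }
            catch (CryptographicException ex)
            {
                return "Private key is not readable by this account: " + ex.Message;
            }
            return null;
        }
        finally { store.Close(); }
    }

    public static void Main()
    {
        // Same values as the X509TokenProvider call in ServicePolicy.
        string problem = Check(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");
        Console.WriteLine(problem ?? "Service certificate OK");
        Environment.ExitCode = problem == null ? 0 : 1;
    }
}
```

Run the check under the account that hosts the Web service, because access to the private key is granted per account.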
See Also
Tasks
How to: Secure a Web Service Using a Policy File