Web Services Authentication

Source: Internet
Author: User

Web Services Identity Authentication

1. Introduction

Since Web services emerged, they have become more and more popular with developers. The following practical example illustrates the purpose of this article.

Assume there is an online shopping system, LiveShopping. On LiveShopping, once the customer has chosen the items he wants to buy, it is time to pay the bill. LiveShopping accepts direct payment by credit card. In addition, assume that LiveShopping's electronic payment is handled in cooperation with VeriSign; that is, LiveShopping is a customer of VeriSign. Suppose VeriSign provides some Web services for LiveShopping, and assume that their methods are:

1) VerifyCC (string cc_no, string expire_date, float amt)

2) ProcessCC (string transaction_type, string cc_no, string expire_date, float amt, CardHolder holder)

Method 1 verifies whether the credit card is valid. Method 2 performs a transaction: the amount amt is deducted from the credit card.

Parameter description

cc_no: credit card number

expire_date: effective date

amt: amount

transaction_type: transaction type, such as sale and force

holder: registrant information

 

There is a problem here. If VeriSign does not perform authentication, how can it know that the caller is LiveShopping? In other words, without authentication anyone can call these two methods. Therefore, authentication is essential.

2. Implement Identity Authentication

There are many authentication methods. Here we introduce a very simple one and implement it in .NET.

You can use the SOAP header support of WebService. That is, the authentication information, such as the user name and password, can be transmitted in the SOAP header.

First, look at it from the client's perspective to get an intuitive understanding of how it is used. The code is as follows:

    private void button_Click(object sender, System.EventArgs e)
    {
        // Build the SOAP header that carries the credentials.
        AuthHeader auth = new AuthHeader();
        WebServices webService = new WebServices();

        auth.UserName = this.txtName.Text.Trim();
        auth.Password = this.txtPwd.Text.Trim();

        // Attach the header to the proxy before calling the method.
        webService.authHeader = auth;

        string rtStr = webService.GetPassword();
        this.txtReturn.Text = rtStr;
    }

To explain, AuthHeader is the implementation of the SOAP header mentioned above. Its definition is as follows:

    using System.Web.Services.Protocols;

    // Custom SOAP header carrying the caller's credentials.
    public class AuthHeader : SoapHeader
    {
        public string UserName;
        public string Password;
    }

Next, see how WebServices is implemented. The code is as follows:

    using System.Web.Services;
    using System.Web.Services.Protocols;

    public class WebServices : System.Web.Services.WebService
    {
        // Populated by the framework from the incoming SOAP header.
        public AuthHeader authHeader;

        [SoapHeader("authHeader")]
        [WebMethod(Description = "This method will return the sensitive data")]
        public string GetPassword()
        {
            // authHeader is null when the caller sent no header, so check it first.
            if (authHeader != null
                && "user".Equals(authHeader.UserName)
                && "pwd".Equals(authHeader.Password))
            {
                return "pwd";
            }
            return "Invalid Authentication";
        }
    }

Notice that a public AuthHeader member has been added. This allows the caller to transmit the verification information. Another important point is the SoapHeader attribute, which declares the SOAP header for the method. For details, see MSDN.

In GetPassword(), you can add your own code. The first step is to verify the authentication information. If the verification succeeds, continue with your task. If the verification fails, exit.
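One way to write that verification step, as an added example that is not code from the original article: it rejects a missing header, checks the password against a salted PBKDF2 hash in constant time, and fails with a SOAP fault rather than a normal return value. The names SecureWebServices, Derive, FixedTimeEquals and RequireAuthentication, the sample salt and the iteration count are assumptions for illustration; the HashAlgorithmName constructor of Rfc2898DeriveBytes needs .NET Framework 4.7.2 or later.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

public class AuthHeader : SoapHeader { public string UserName; public string Password; }

// Hypothetical hardened variant of the article's WebServices class.
public class SecureWebServices : WebService
{
    public AuthHeader authHeader;

    // Constructed sample record for "user"; a real service loads salt and hash from a credential store.
    private static readonly byte[] Salt = Encoding.UTF8.GetBytes("constructed-sample-salt");
    private static readonly byte[] StoredHash = Derive("pwd", Salt);

    private static byte[] Derive(string password, byte[] salt)
    {
        // PBKDF2-HMAC-SHA256; the iteration count is an assumed value.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];   // no early exit
        return diff == 0;
    }

    private void RequireAuthentication()
    {
        // authHeader is null when the caller sent no header at all.
        bool ok = authHeader != null
            && authHeader.UserName == "user"
            && authHeader.Password != null
            && FixedTimeEquals(Derive(authHeader.Password, Salt), StoredHash);
        if (!ok)
            throw new SoapException("Invalid authentication", SoapException.ClientFaultCode);
    }

    [SoapHeader("authHeader")]
    [WebMethod(Description = "This method will return the sensitive data")]
    public string GetPassword()
    {
        RequireAuthentication();   // verify first; a failure leaves via the SOAP fault
        return "pwd";              // placeholder payload, as in the article
    }
}
```

Raising a fault keeps a failed login from looking like a successful call whose return value happens to be an error string.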

Step 3

To make the application more secure, we can encrypt the data. For example, we can encrypt the authentication information, which otherwise travels in the SOAP header as plain text. The data is encrypted on the client and then decrypted on the server. Encryption and decryption are a separate topic and are not described here.

Encryption and decryption reduce performance. A common compromise is therefore to encrypt and decrypt only sensitive data, such as passwords. High-security applications are another matter.
