Web Services Enhancements 2.0: Security and Policy (VB.NET) - Sending a UsernameToken (Page 3 of 7)

Since the SecureInvoiceServiceA project is now configured to use WSE 2.0, it's ready to process security tokens sent by the client application. The first step is to add code to SoapInvoiceClient to send a UsernameToken to the service.
- Open login.vb and inspect the code behind the Login button.
- Add the following WSE 2.0 namespaces to the top of the file:
    ...
    Imports Microsoft.Web.Services2
    Imports Microsoft.Web.Services2.Security
    Imports Microsoft.Web.Services2.Security.Tokens
    ...
- Add a new public field of type Microsoft.Web.Services2.Security.Tokens.UsernameToken to the LoginForm class. It should look something like this:

    ...
    Public Class LoginForm
        Inherits System.Windows.Forms.Form

        Public Token As UsernameToken = Nothing
        ...
    End Class
    ...
- When the user fills in the form (providing his/her username and password) and presses the Login button, you need to instantiate a UsernameToken object with the supplied username and password. For now, use PasswordOption.SendPlainText to send the password in plain text. We'll cover other options later.

    ...
    Public Class LoginForm
        Inherits System.Windows.Forms.Form

        Public Token As UsernameToken = Nothing
        ...
        Private Sub button1_Click(ByVal sender As Object, _
                ByVal e As System.EventArgs) Handles button1.Click
            ' SendPlainText puts the password in the SOAP header unprotected.
            Me.Token = New UsernameToken(Me.textBox1.Text, _
                Me.textBox2.Text, PasswordOption.SendPlainText)
            Me.Close()
        End Sub 'button1_Click
    End Class
    ...
- Return to InvoiceManagerForm.vb.
- Inspect the code behind the Set User button (on the InvoiceManagerForm). It simply displays the form defined in login.vb. Add a new line of code to display the username on the form as illustrated here (we've provided a label named labelLogin):

    ...
    Private Sub btnLogin_Click(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles btnLogin.Click
        login.ShowDialog()
        labelLogin.Text = String.Format("Username: {0}", _
            login.Token.Username)
    End Sub 'btnLogin_Click
    ...
- Add the following namespaces to the top of the InvoiceManagerForm.vb file:
    ...
    Imports Microsoft.Web.Services2
    Imports Microsoft.Web.Services2.Security
    Imports Microsoft.Web.Services2.Security.Tokens
    ...
- Now you need to configure the proxy class with the UsernameToken created for the user. Add a new method to InvoiceManagerForm called ConfigureProxy that looks like this:
    ...
    Private Sub ConfigureProxy(ByVal proxy As WebServicesClientProtocol)
        ' Attach the user's UsernameToken to the outgoing SOAP request.
        proxy.RequestSoapContext.Security.Tokens.Add(login.Token)
    End Sub 'ConfigureProxy
    ...
- This method adds the UsernameToken to the SOAP request. The UsernameToken allows the service to perform authentication when it receives the message.
- Locate the btnApprove_Click method in InvoiceManagerForm and call ConfigureProxy before invoking the Approve operation as illustrated here:
    ...
    Private Sub btnApprove_Click(ByVal sender As Object, _
            ByVal e As System.EventArgs) Handles btnApprove.Click
        Try
            Dim proxy As New ApproveInvoiceWse
            ConfigureProxy(proxy)
            proxy.Approve(dataGrid1( _
                dataGrid1.CurrentRowIndex, 0).ToString())
            ViewInvoices()
        Catch ex As Exception
            MessageBox.Show(ex.Message, "Invoice Error", _
                MessageBoxButtons.OK, MessageBoxIcon.Exclamation)
        End Try
    End Sub 'btnApprove_Click
    ...
- Build and run SecureInvoiceClient.
- Press Set User. Specify the admin account's credentials (that you created earlier) and press OK. Press View, select an invoice and press Approve. Verify that it works.
Note: WSE 2.0 automatically authenticates the supplied UsernameToken against the local machine accounts.
- Open the output trace file (OutputTrace.webinfo) in the application directory (SecureInvoiceClient\bin) and locate the UsernameToken information in the last SOAP request. Notice the UsernameToken is being sent in plain text, including the password.
Note: in practice, you don't want to send passwords in plain text, unless you're sending the message over a secure channel like HTTPS. You can also send a hashed version of the password or no password at all, but then you have to write some code to assist in the authentication process. We'll cover more on this later.
- Try changing the user account to something else (e.g., username: bob, password: bob), press Approve again, and verify that it doesn't work. You should get an authentication error.
Note: notice that the View operation worked even though you didn't send a UsernameToken in the request. WSE 2.0 automatically authenticates a UsernameToken when supplied in plain text, but it's not required by default. You can require security tokens programmatically or through a declarative policy file.
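The trace inspection step and the note on hashed passwords above can be checked with a short script. This is an added example, not code from the original lab: it scans XML for WS-Security UsernameToken elements and reports whether each password is sent as text or as the digest defined by the OASIS UsernameToken Profile. The sample tokens, the `make_token` helper and the assumption that the traced requests parse as well-formed XML are all constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces and type URIs from the OASIS WS-Security 2004 specifications.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), the profile's hashed form."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def audit_tokens(xml_text):
    """Return (username, finding) for each UsernameToken in well-formed XML."""
    findings = []
    for tok in ET.fromstring(xml_text).iter(f"{{{WSSE}}}UsernameToken"):
        user = tok.findtext(f"{{{WSSE}}}Username", default="")
        pw = tok.find(f"{{{WSSE}}}Password")
        if pw is None:
            finding = "no password element"
        elif pw.get("Type", PROFILE + "#PasswordText") == PROFILE + "#PasswordDigest":
            finding = "digest"
        else:
            finding = "CLEARTEXT PASSWORD"  # a missing Type also means PasswordText
        findings.append((user, finding))
    return findings


def make_token(user, password, hashed):
    """Build a constructed sample token (hypothetical helper, not WSE output)."""
    nonce = base64.b64encode(b"constructed-nonce").decode()
    created = "2004-01-01T00:00:00Z"
    kind = "PasswordDigest" if hashed else "PasswordText"
    value = password_digest(nonce, created, password) if hashed else password
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f"<wsse:Username>{user}</wsse:Username>"
            f'<wsse:Password Type="{PROFILE}#{kind}">{value}</wsse:Password>'
            f"<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
            "</wsse:UsernameToken>")


# Constructed sample: the same account sent once as text and once as a digest.
SAMPLE = ("<log>" + make_token("admin", "s3cret", False)
          + make_token("admin", "s3cret", True) + "</log>")

if __name__ == "__main__":
    for user, finding in audit_tokens(SAMPLE):
        print(f"{user}: {finding}")
```

Because the digest is computed over the password itself, the receiving side can only verify it by recomputing the same hash from a password it already holds, which is why the hashed option needs extra authentication code on the service.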