XML Web Services Security

We have seen how easy it is to write a web service using SOAP as the message protocol, but not how to go about making sure that the web service is secure. Well, this downloadable 32-page article will show you how! Here is a taste:

What is a SOAP Fault message?

A SOAP Fault message is used to carry error and/or status information within a SOAP message response. The SOAP Fault element has four sub-elements:

  • faultcode – this value is usually either client or server; it lets the receiver know whose “fault” the error was
  • faultstring – this is where the human-readable error message goes, very similar to the Message property of the Exception class
  • faultactor – this element lets the receiver know who caused the error within the message path; unless the message is being routed, this will be either blank or the URI of the web service method
  • detail – this is where all of the detailed error information goes, such as an error stack trace

Here is what a valid SOAP Fault message might look like:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <!-- the faultcode value did not survive in this excerpt; soap:Client is assumed for an authentication failure -->
      <faultcode>soap:Client</faultcode>
      <faultstring>The user (timm) could not be authenticated.</faultstring>
      <detail>System.Exception: Authentication failed for user (timm)
        at CustomAuthentication.AuthenticationModule.Authenticate()
        at CustomAuthentication.AuthenticationModule.OnBeginRequest(Object source, EventArgs eventArgs)</detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

The .NET Framework makes it very easy to both send and consume SOAP Fault messages from web service clients and web service methods. Any time you throw a SoapException inside a web service method, it is automatically serialized into a valid SOAP Fault message. Conversely, any time a web service client receives a SOAP Fault message, that message is deserialized back into a SoapException.
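As an added example (not from the article or its sample code), here is a small Python parser for the SOAP 1.1 Fault structure described above, run on a constructed fault modelled on the one shown. It pulls out the four sub-elements and flags a detail element that carries a stack trace, the kind of server internals a production fault should not hand to callers; the sample's faultcode value (soap:Client) is an assumption.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
# Constructed sample, modelled on the fault shown above; the faultcode value is an assumption.
SAMPLE_FAULT = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Client</faultcode>
      <faultstring>The user (timm) could not be authenticated.</faultstring>
      <detail>System.Exception: Authentication failed for user (timm)
   at CustomAuthentication.AuthenticationModule.Authenticate()
   at CustomAuthentication.AuthenticationModule.OnBeginRequest(Object source, EventArgs eventArgs)</detail>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""
STACK_FRAME = re.compile(r"^\s*at\s+\S+\(", re.MULTILINE)  # a .NET frame: "   at Type.Method(...)"

@dataclass
class SoapFault:
    code: str              # faultcode, a QName such as soap:Client or soap:Server
    string: str            # faultstring, the human-readable message
    actor: Optional[str]   # faultactor, absent unless the message was routed
    detail: Optional[str]  # detail, free-form and the usual place a stack trace leaks

def parse_fault(xml_text: str) -> Optional[SoapFault]:
    """Return the SOAP 1.1 Fault in a response, or None when the Body carries no Fault."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    fault = root.find(f"{{{SOAP_ENV}}}Body/{{{SOAP_ENV}}}Fault")
    if fault is None:
        return None

    def text_of(name: str) -> Optional[str]:
        el = fault.find(name)  # the four sub-elements are unqualified in SOAP 1.1
        return None if el is None else "".join(el.itertext()).strip()
    code, string = text_of("faultcode"), text_of("faultstring")
    if code is None or string is None:
        raise ValueError("Fault lacks the mandatory faultcode or faultstring")
    return SoapFault(code, string, text_of("faultactor"), text_of("detail"))

def leaks_stack_trace(fault: SoapFault) -> bool:
    """True when detail carries exception stack frames, i.e. server internals a caller should not see."""
    return bool(fault.detail) and STACK_FRAME.search(fault.detail) is not None

def is_client_fault(fault: SoapFault) -> bool:
    """Inspect the local part of the faultcode QName ('Client' in soap:Client or soap:Client.Auth)."""
    return fault.code.rsplit(":", 1)[-1].split(".")[0] == "Client"
```

Run the same check over faults captured from a staging environment to catch handlers that put raw exception text into detail instead of a generic message.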

Want to read all of this great article written by Tim McCarthy? Click here to download the PDF of the article. After that, click here to download the sample code. Enjoy!