How to: Secure a Web Service Without Using a Policy File

The policy for a Web service can be specified in code when the deployment environment is known ahead of time and is not likely to change. Typically, it is more flexible to allow an administrator to define the policy for an application when it is deployed using a policy file, but WSE does allow you to specify the policy in code. For more details about securing a Web service using a policy file, see How to: Secure a Web Service Using a Policy File.

To secure a Web service without using a policy file

  1. Open the Web service project in Visual Studio 2005.

  2. Add references to the Microsoft.Web.Services3 assembly.

    1. In Solution Explorer, right-click the project name, and then click Add Reference.
    2. Click the .NET tab, and then click Microsoft.Web.Services3.dll.
    3. Click OK to close the dialog box.
  3. Add the Imports statements or using directives that are shown in the following code example to the top of the file for the new class.

    Imports System
    Imports System.Web
    Imports System.Web.Services
    Imports System.Web.Services.Protocols
    Imports System.Security.Cryptography.X509Certificates
    Imports Microsoft.Web.Services3.Design
    Imports Microsoft.Web.Services3
    
    using System;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.Web.Services3.Design;
    using Microsoft.Web.Services3;
    
  4. Define the policy for the Web service.

    1. Add a class that derives from the Policy class.
      The following code example creates a class named ServicePolicy that derives from the Policy class.

      Public Class ServicePolicy
          Inherits Policy
      
      public class ServicePolicy : Policy
      {
      
    2. In the default constructor, add one or more policy assertions to the policy.
      The Policy class has an Assertions property that is an ordered list of policy assertions for the policy. That is, the policy assertions are applied to a SOAP message in the order in which they are added to the Assertions property. For each policy assertion that is added, the security credentials for that assertion must also be specified.
      The following code example adds a <mutualCertificate11Security> Element policy assertion and specifies an X509TokenProvider for both the client and Web service's security credentials.

      Public Sub New()
          ' Create a new instance of the MutualCertificate11 turnkey security assertion.
          Dim assertion As New MutualCertificate11Assertion()
          ' Specify a security token provider for the Web service's security credentials.
          assertion.ServiceX509TokenProvider = New X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer")
      
          ' Add the policy assertion to the policy.
          Me.Assertions.Add(assertion)
      
      End Sub
      
      public ServicePolicy()
          : base()
      {
          // Create a new instance of the MutualCertificate11 turnkey security assertion.
          MutualCertificate11Assertion assertion = new MutualCertificate11Assertion();
          // Specify a security token provider for the Web service's security credentials.
          assertion.ServiceX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");
      
          // Add the policy assertion to the policy.
          this.Assertions.Add(assertion);
      }
      
  5. Apply the policy to the Web service by applying the PolicyAttribute attribute to the Web service.

    When a policy is specified in a class instead of a policy file, the policy is specified by passing the type that derives from Policy to the PolicyAttribute attribute.

    The PolicyAttribute attribute can be applied to the class that is implementing the Web service methods. This applies the policy to all Web service methods (operations) within that class.

    The following code example specifies that all Web service methods within the Service class adhere to the ServicePolicy policy.

    <WebService([Namespace]:="http://tempuri.org/"), _
     WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1), _
     Policy(GetType(ServicePolicy))> _
    Public Class Service
        Inherits System.Web.Services.WebService
    
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [Policy(typeof(ServicePolicy))]
    public class Service : System.Web.Services.WebService
    

Example

The following code example specifies that all Web service methods within the Service class adhere to the ServicePolicy policy. The ServicePolicy policy uses the <mutualCertificate11Security> Element turnkey security assertion to specify the policy.

Imports System
Imports System.Web
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.Web.Services3.Design
Imports Microsoft.Web.Services3

<WebService([Namespace]:="http://tempuri.org/"), _
 WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1), _
 Policy(GetType(ServicePolicy))> _
Public Class Service
    Inherits System.Web.Services.WebService
    Public Sub New()

    End Sub 'New

    <WebMethod()> _
    Public Function HelloWorld() As String
        Return "Hello World"

    End Function 'HelloWorld
End Class 'Service

Public Class ServicePolicy
    Inherits Policy
    Public Sub New()
        ' Create a new instance of the MutualCertificate11 turnkey security assertion.
        Dim assertion As New MutualCertificate11Assertion()
        ' Specify a security token provider for the Web service's security credentials.
        assertion.ServiceX509TokenProvider = New X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer")

        ' Add the policy assertion to the policy.
        Me.Assertions.Add(assertion)

    End Sub
End Class 'ServicePolicy

using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy(typeof(ServicePolicy))]
public class Service : System.Web.Services.WebService
{
    public Service () {}

    [WebMethod]
    public string HelloWorld() {
        return "Hello World";
    }
    
}

public class ServicePolicy : Policy
{
    public ServicePolicy()
        : base()
    {
        // Create a new instance of the MutualCertificate11 turnkey security assertion.
        MutualCertificate11Assertion assertion = new MutualCertificate11Assertion();
        // Specify a security token provider for the Web service's security credentials.
        assertion.ServiceX509TokenProvider = new X509TokenProvider(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");

        // Add the policy assertion to the policy.
        this.Assertions.Add(assertion);
    }
}
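
Because ServicePolicy hardcodes the store location, store name and subject name of the service certificate, a missing, duplicated or expired certificate is worth checking for before the service is deployed. The following check is an added example, not part of the original documentation or of WSE: it uses only System.Security.Cryptography.X509Certificates, the class name ServiceCertificateCheck is hypothetical, and matching by subject distinguished name is an assumption about how the three-argument X509TokenProvider constructor resolves its value.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: pre-deployment check for the certificate that ServicePolicy
// hardcodes. The class and method names are hypothetical.
public static class ServiceCertificateCheck
{
    // Returns null when exactly one usable certificate is found,
    // otherwise a description of the problem.
    public static string Check(StoreLocation location, StoreName name, string subjectDn)
    {
        X509Store store = new X509Store(name, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            // validOnly is false so that expired or untrusted certificates are
            // reported explicitly instead of being silently filtered out.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, false);

            if (found.Count == 0)
                return "No certificate with subject " + subjectDn;
            if (found.Count > 1)
                return found.Count + " certificates match; the subject name is ambiguous";

            X509Certificate2 cert = found[0];
            DateTime now = DateTime.Now;   // NotBefore and NotAfter are local time
            if (now < cert.NotBefore || now > cert.NotAfter)
                return "Certificate is outside its validity period (expires " + cert.NotAfter + ")";
            if (!cert.HasPrivateKey)
                return "Certificate has no private key in this store";
            // Basic chain validation using the machine's default policy.
            if (!cert.Verify())
                return "Certificate chain did not validate";
            return null;
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        // Same store and subject name as the ServicePolicy class on this page.
        string problem = Check(StoreLocation.LocalMachine, StoreName.My, "CN=WSE2QuickStartServer");
        Console.WriteLine(problem == null ? "OK" : "FAILED: " + problem);
    }
}
```

Run the check under the same account as the Web service's worker process. HasPrivateKey only reports that a key is associated with the certificate, not that the account is permitted to read it.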

See Also

Tasks

How to: Secure a Web Service Using a Policy File

Reference

PolicyAttribute
Policy