Tom Richards .NET Weblog

"Advanced" webservices

Like I've mentioned before, I have been trying to get beyond the VS.NET wizard idea of webservices.  I have incorporated some WS-Securiy and have moved on to WS-Trust and others.

Besides all the Understanded ws-policy articles and the standard a good article is:

http://msdn.microsoft.com/webservices/understanding/advancedwebservices/default.aspx?pull=/library/en-us/dnwebsrv/html/wsoverview.asp

Somehow I hadn't put the idea of  “composability” into my webservice efforts.  Makes more sense.  This is one of the problems in trying to learn this stuff by your self - no one to share ideas with.

WS-Security, WSE and other standards

I had good feedback on my last post regarding WS-Security.  My project is not “real-world” in that it is just academic - my learning project. I wanted to explore WebService life beyond the VS.NET wizard so I'm doing all kinds of things that I wouldn't necessarily do in real life.

Some of the objects of this project are:

• Find something interesting enough that I will pursue it on my own time.
• Go beyond the basic VS.NET wizard generated “RPC“ like webservices
• Learn more WSDL and how to extend it
• Message based webservices using industry standard schemas and wsdl.
• UDDI
• Learn WS-XYZ standards - at the WS-Security, WS-Attachment level
• I would really like to get a handle on “best practices“ - part of standards I hope.
• Interop with Java, other clients and web services.   The WS-I basic profile stuff.
• ... more

I think that I'm doing fairly well. I get stuck on certain things and then make a jump forward.  

Still more on WSE and WS-Security

The wse 2.0 samples have helped tremendously.  The ws-security is beginning to make some sense.  I am still having trouble with some of the samples, especially those involving X509. I think that is user error.  I don't really need to encrypt the messages but I want to know - so I will make the WSE samples work.

I was confused about how the password digest was created.  There was a comment in one of the articles I read about it being the hash of a combination of the password, nonce and creation date. I finally found a spec at http://www.oasis-open.org/committees/wss/documents/WSS-Username-11.pdf

A tool that I've found very useful is SoapScope at http://www.mindreef.com.  I purchased a copy to help me look at messages and it's been worth it.

I have implemented username signing in my DosEquis “learning” project.  I already had an authentication scheme in place using a custom soap header, ala Yasser Shohoud' book.

One thing that I don't understand though is how a person perusing my web service site or wsdl would know about ws-security.  I was looking at the microsoft.com webservice stuff and was wondering the same thing.  If my client app had obtained a reference to a webservice via UDDI how would it know or be able to find out.  More things that I don't understand about “real-world” webservices.

The next big thing is to start working with DIME.  My DosEquis project will be collecting, processing and returning large amounts of data.

I also plan to start using the WS-I tools on my webservices.  I have listened to Yasser Shohoud's web cast http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20030724WEBSVCSYS/manifest.xml and just need to “code“.

More wse and Ws-Security

I moved on to the wse samples (UsernameSigningService) and found the problem described in my last post.  I will go thru the samples before trying any more experiments. 

As I said RTM.

WS-Security and WSE Experiments

Installing the ms webservices sdk got me thinking about ws-security.  I've read a number of articles and tried to read the spec but really needed to code.

So I started with WS-Security Authentication and Digital Signatures with Web Services Enhancements http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/wssecauthwse.asp

I built a simple webservice and test client based on the code in the article.  Didn't work because the service isn't getting a SoapContext, ie

(I wish I knew how to insert code snippets so they would look better)

[WebMethod]

public string HelloWorld()

{

string response = "";

SoapContext reqContext = RequestSoapContext.Current;//wse 2.0

if(reqContext == null)

{

throw new ApplicationException("Non-SOAP request");

}

Always throws.  The client code is just:

Test1.localhost.SvcWse svc = new Test1.localhost.SvcWse();

UsernameToken userTok = new UsernameToken("Username", "Password", PasswordOption.SendHashed);

svc.RequestSoapContext.Security.Tokens.Add(userTok);

svc.Url = "http://trichards/WS-Security_Svc1/Svc.asmx";

Console.WriteLine(svc.HelloWorld());

More RTM is required.  Not asking for help here.  This is just part of the learning process.  Sometimes I just need to play around for a while and then re-read what I thought that I had read.

Microsoft.com WebServices

I have been on a quest to find “real-world“ examples of significant web services.  I have looked at an played with google and amazon's web service sdks.  Now I have something from MS:

http://msdn.microsoft.com/webservices/building/livewebservices/mscomservices/default.aspx

The SDK seemed to install on my work computer fine but didn't really.  The help doesn't work.

All went well at home though, on both an XP and Win2003 machines, using VS.NET 2003. except that I didn't realize that WSE 1.0 must be installed - I had 2.0.  After that the the examples all worked well and were interesting to play with.  I have downloaded WSE, but hadn't really done anything yet.  I also have looked at a number of WS-Security articles. 

These are things that I “need to know” but haven't found time - we have been releasing a Beta at work.   Need to get back to priorities.