Digest Authentication in .NET

July 25, 2007

I’ve seen a million .NET web service client examples that don’t implement security. Here’s one that does. It’s a simple snippet on digest authentication. It’s really simple, and I wish more people would default to using it.

Using digest authentication means the actual values of the username and password are not sent. Instead, the username and password are run through a hashing algorithm (like MD5) and only the resulting hash of the two is sent over the wire. Nifty, huh?

The first thing you need to do is modify your WSE3 policy configuration file. The policy for your web service (in this example mine is MyWebServicePolicy) needs two entries: 1) usernameOverTransportSecurity and 2) requireActionHeader. Your file should look something like this…

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="MyWebServicePolicy">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>

Next you need to add three lines of code to digest and send the username & password…

//Namespaces that provide UsernameToken, PasswordOption and CredentialSet
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

//Creates the username/password digest token (the password is sent hashed, not in the clear)
UsernameToken userToken = new UsernameToken("exampleUserName", "examplePassword", PasswordOption.SendHashed);

//Creates web service credentials using the token
CredentialSet credentials = new Microsoft.Web.Services3.Security.CredentialSet(userToken);

//Assigns the username/password to the web services proxy
myWebServiceProxy.RequestSoapContext.Credentials.SetCredentials(credentials);

myWebServiceProxy should be the variable for the stub that .NET’s WSE 3 automatically created for your web service. …I think you need to use WSE3 (Web Service Enhancements v3) for this to work properly.

I think digest authentication is the bee’s knees, and stupid easy…I’m left wondering why I didn’t always use this technology? …Oh, and while researching this code I ran into a really cool snippet. Some guy (Peter Bromberg) created a nice little example on how to implement digest authentication in ASP.NET. Click here for Pete’s article…

http://www.eggheadcafe.com/articles/20030701.asp


6 Responses to “Digest Authentication in .NET”

  1. marta Says:

    Hi,

    Thank you for your post. It is very helpful. I have some questions:

    You put credentials (hashed password and username) in SOAP, so it is message layer security, while HTTP digest (the same as HTTP basic) is transport layer security.

    Probably I do not understand the difference between message and transport layer security, so please explain to me why your example tells how to implement HTTP Digest?

  2. marta Says:

    Sorry,

    one more question:

    Where is the “nonce” (HTTP authentication attribute) set in this code? How does the client get it from the server? And where does it use it to create the hashed password?

    Thanks in advance.

    //Creates the username/password digest token
    UsernameToken userToken = new UsernameToken("exampleUserName", "examplePassword", PasswordOption.SendHashed);

    //Creates web service credentials using the token
    CredentialSet credentials = new Microsoft.Web.Services3.Security.CredentialSet(userToken);

    //Assigns the username/password to the web services proxy
    myWebServiceProxy.RequestSoapContext.Credentials.SetCredentials(credentials);

  3. 8r13n Says:

    1) About SOAP/message layer security vs HTTP digest/transport layer security…

    In this case SOAP is running over HTTP. C# is going to allow me to set the credentials for the web service proxy to use HTTP Digest. C# is going to build the actual HTTP request with these credentials along with the SOAP message.

    The receiving server is going to authenticate me based on the hash and process my request.

    But sometimes you don’t want the server to be able to read the SOAP message. With SOAP message layer security the security information is stored within the SOAP itself. In this case the message might be safely passed through various servers before ending up at the solution which authenticates/processes the SOAP and responds.

    In many cases both transport and message layer security are implemented. Personally I recommend implementing security at every level based on the sensitivity of the information. It’s a lot more difficult for intruders to get through several layers than it is to knock through just one.

    Does this answer your question?

  4. 8r13n Says:

    2) About the “nonce”: that’s part of the low-level authentication the MS C# libraries create for me when they send my SOAP over HTTP. That’s why it’s not in my code; MS does that for me.

    Check out this article on Wikipedia, which contains an example conversation with the HTTP conversation in plain text…

    http://en.wikipedia.org/wiki/Digest_access_authentication
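    To make concrete what the post means by "a hash of the two sent over the wire" and what the nonce marta asked about actually does, here is the HTTP Digest exchange from the Wikipedia article (the RFC 2617 example values) worked through on both sides. This is an added example; it is not code from the post, nor Microsoft's WSE library code. The client-side computation follows RFC 2617 exactly; the small server class, its nonce bookkeeping and the replay check are a constructed illustration of what a verifier needs to do.

```python
"""HTTP Digest Access Authentication (RFC 2617, MD5, qop="auth") worked
through on both sides of the exchange.  Added example: the request values are
the ones RFC 2617 and the Wikipedia article use; the server-side nonce
bookkeeping is a constructed illustration, not a particular product's code."""
import hashlib
import hmac
import re


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password).  This is all the server needs to
    keep; the clear-text password itself never has to be stored."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    The server's nonce, the client's cnonce and the request counter nc are all
    folded in, so a captured response is tied to one challenge and one request."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def build_authorization(username, realm, password, method, uri,
                        nonce, nc, cnonce, opaque) -> str:
    """What a client puts in the Authorization header after the 401 challenge."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", '
            f'response="{resp}", opaque="{opaque}"')


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


class DigestServer:
    """Minimal verifier: stores HA1 per user and tracks the nonces it issued so
    a replayed (nonce, nc) pair is rejected.  Constructed for illustration."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users          # username -> HA1, never the password
        self.issued = {}            # nonce -> highest nc accepted so far

    def challenge(self, nonce: str, opaque: str) -> str:
        # A real server draws the nonce from os.urandom and expires it; here
        # the caller supplies it so the exchange is reproducible.
        self.issued[nonce] = 0
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", opaque="{opaque}"'

    def verify(self, method: str, uri: str, header: str) -> bool:
        p = parse_authorization(header)
        nonce = p.get("nonce")
        if nonce not in self.issued:
            return False                      # never issued (or already expired)
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.issued[nonce]:
            return False                      # replay: this nc was used already
        stored = self.users.get(p.get("username"))
        if stored is None or p.get("realm") != self.realm or p.get("uri") != uri:
            return False
        expected = digest_response(stored, method, uri, nonce, p["nc"],
                                   p.get("cnonce", ""), p.get("qop", "auth"))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.issued[nonce] = nc
        return True


def example_exchange():
    """Run the RFC 2617 example, then replay the same header; returns
    (client response hash, first verify result, replay verify result)."""
    realm, user, password = "testrealm@host.com", "Mufasa", "Circle Of Life"
    nonce, opaque = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "5ccc069c403ebaf9f0171e9517f40e41"
    server = DigestServer(realm, {user: ha1(user, realm, password)})
    server.challenge(nonce, opaque)                       # the 401 response
    header = build_authorization(user, realm, password, "GET", "/dir/index.html",
                                 nonce, "00000001", "0a4f113b", opaque)
    first = server.verify("GET", "/dir/index.html", header)
    replay = server.verify("GET", "/dir/index.html", header)
    return parse_authorization(header)["response"], first, replay


if __name__ == "__main__":
    print(example_exchange())  # ('6629fae49393a05397450978507c4ef1', True, False)
```

    The second verify call fails because the same nonce/nc pair is presented twice; that is the whole reason the server sends a nonce, and it is why the client library has to track it for you rather than leaving it to the three lines in the post.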

  5. marta Says:

    Yes,

    thank You a lot 🙂

  6. How to Get Six Pack Fast Says:

    Not that I’m impressed a lot, but this is a lot more than I expected for when I stumbled upon a link on SU telling that the info is quite decent. Thanks.
