I’ve seen a million .NET web service client examples that don’t implement security. Here’s one that does. It’s a simple snippet on digest authentication. It’s really simple, and I wish more people would default to using it.

Using digest authentication means the actual values will not be sent for the username and password. Instead the username and password are encrypted using an algorithm (like MD5) and a hash of the two sent over the wire. Nifty huh?

The first thing you need to do is modify your WSE3 policy configuration file. The policy for your web service (in this example mine is MyWebServicePolicy) needs two entries; 1) usernameOverTransportSecurity and 2) requireActionHeader. Your file should look something like this….

type=Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35 />
type=Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35 />
usernameOverTransportSecurity />
requireActionHeader />

Next you need to add three lines of code to digest and send the username & password…

//Creates the username/password digest token
UsernameToken userToken = new
UsernameToken(“exampleUserName”, “examplePassword”, PasswordOption.SendHashed);

//Creates web service credentials using the token
CredentialSet credentials = new Microsoft.Web.Services3.Security.CredentialSet(userToken);

//Assigns the username/password to the web services proxy

myWebServiceProxy should be the variable for the stub that .NET’s WSE 3 automatically created for your web service. …I think you need to use WSE3 (Web Service Enhancements v3) for this to work properly.

I think digest authentication is the beez-knees, and stupid easy…I’m left wondering why I didn’t always use this technology? …Oh, and while researching this code I ran into a really cool snibit. Some guy (Peter Bromberg) created a nice little example on how to implement digest authetnication in ASP.NET. Click here for Pete’s article…


Why would you ever want to bypass certification verification? …Well, maybe if you’re testing a web service that’s under development and you don’t own a valid certificate yet like me.

It took a while to figure this out. I was convinced it would be something simple, and it was…

The code below implements a custom certificate validation method that does nothing. You could customize the TrustAllCertificatesCallback method to execute your own meaningful validation, my example simply validates every request. Notice my nifty TODO comment? I wrote this as a temporary fix and I was a little paranoid I’d forget to take this line out.

I’ve only tested this with WSE3 (Microsoft Web Service Enhancements v3) on the client side talking to a Java implementation of Axis2 on the server side. …But this should work with WSE3/.Net on whatever.

    static class Program
        /// <summary>
        /// The main entry point for the application.
        /// </summary>

        static void Main()
            ServicePointManager.ServerCertificateValidationCallback =
            Application.Run(new Form1());

        public static bool TrustAllCertificatesCallback(
            object sender, X509Certificate cert,
            X509Chain chain, SslPolicyErrors errors)
            return true;

It’s BedTime!

June 5, 2007

So, the other day I opened my laptop bag and whipped it out only to realize that my laptop had been left on, again, and was now totally hot and mostly drained.

I’m the proud owner of a newer Vista laptop (a tricked out Lenovo T60p).  I get 3 hours and 30 minutes out of every charge running at High Performance (instead of that limited Power Saver mode most people use).  …And yet somehow I only get to enjoy 2 hours of that because I leave the laptop on in my bag for the majority of the day.  I know I just have to hit that sleep button but I have thousands of other things on my mind.  That’s when I realized something had to be done.  This needed to be automated.  I sat down and started coding. A few hours later I ran BedTime for the first time.

BedTime, the program I wrote, monitors the laptop accelerometer.  Accelerometers are commonly used to automatically shutdown the hard drive when a laptop moves suddenly.  They’re very precise and easy to work with thanks to some great DLL APIs.  The DLL reports the pitch, roll and hard drive status.  My program monitors this data and automatically triggers sleep mode when it suspects the laptop is being moved, and not being used.  …Like when I leave my laptop in my bag and walk around for a few hours.

It works EXACTLY how I wanted it to.  Now I can forget the Sleep button forever, my laptop will automatically go to sleep for me.  There is a 10MB overhead (caused by some .NET 2.0 overhead I should get rid of) but I have 3GB, and I think most owners of new laptops boast about the same amount of memory, so this shouldn’t be a problem.

I already know this program will only run on newer laptops because older systems don’t have accelerometers.  …That’s part of why their hard drives blow up.  (…That reminds me; If you own an older system please backup regularly.  I’ve been there before, with a crashed drive, just once.  I never happened again because it was horrible and now I do my best to warn others.  PS: If you buy a new laptop with an accelerometer Vista makes backups a cinch.  …And yes, Bill made me say that, but Gates rocks and I would never leave Vista for XP, a filthy penguin or some fruity OS).

I’m currently testing this application on a daily basis and working on a patent for the concept and copyright for the code.  I hope to be looking for beta users soon, so please let me know if you have a newer laptop with an accelerometer (like a Lenovo, Apple, etc.) and are interested.  Even if you have an off-brand you have an accelerometer if your laptop advertises having an “Airbag” or “Active Protection System” for hard drive.

Here’s some screenshots…

This dialog appears when you double-click the BedTime icon…

This is the Settings dialog. It allows the user to configure the amount of movement to allow, etc…

This is the dialog that appears before the laptop automatically goes to sleep…

…Of course, all laptops have those settings to automatically launch Sleep mode after a specific amount of time with no user activity.  My problem with that feature had always been that if I set the feature for 15 minutes it would launch while I was distracted and become annoying. I’m still using that feature now in tandem with BedTime.  I have it set to 30 minutes.  I use that more like a failsafe.

My laptop, and many others, also support automatically launching Sleep mode when the laptop lid closes.  I disabled that because I close the lid when I move from one seat to the next, e.g. when I’m going from the office desk to the kitchen counter.  I didn’t *always* want it to go to sleep.  Now BedTime automatically launches in those situations and I have a chance to abort Sleep mode by the time I get to my destination.

Future versions of BedTime will likely only operate when the lid is closed, or at least support that option.  Now that I’ve been paying attention to how I move my laptop I realize it’s usually closed when I want BedTime to go into effect.  …BedTime does this perfectly, but it also triggers sometimes when I pick up the laptop, or move it to plug in devices, insert a DVD, etc.

What do you think of the idea and design?  I was going for a sexy-but-all-business look.  This interface was probably inspired by the way Vista launches the security authorization dialogs.  I think it deserves the whole screen because it is only on your screen just before it puts your laptop to bed (Sleep mode).  And, if you can see it you probably want to hit abort.  It runs as an “Always-on-top” Windows Form so it blocks the user from interacting with anything else.  …How do you feel about that?  But if BedTime is on your screen you want to click Abort and get rid of it, not hide it.  Pressing Alt+F4, Escape, Alt+A, Enter or clicking on the button will all abort Sleep mode.  …Do you think it would be overkill to abort on any keystroke?  …So far, based on my user experience, I think that makes sense.

Well, I think this little project will be a work-in-process for more than a minute.  The idea is a little ahead of its time since most laptops don’t have the required hardware.  …But that WILL change.  Every new laptop will have more and more accelerometers. That is happening as we speak because they are proving to be more and more useful (my program for example).

I think other factors will also increase their popularity (and lower their price by increasing manufacturing volumes).  ….Did you know most new digital cameras have one, even the new iPhone has one!  That’s why the iPhone can change the display from landscape to portrait when the user rotates the phone. …Why don’t ALL Windows Mobile phones have them? …? …? Bill?

Well who knows what will happen. Either way this was fun to write and has improved my battery life and user experience. Here’s a video of me using the software…

Hack the Planet,