Getting Web Service Properties

[Keith Chadwick]

Is it possible within a web service to get its properties as a string. For
instance

public class wscommon
<System.Web.Services.WebService(Namespace:="test")> _
<webmethod(EnableSession:=true, MessageName:="MyService",
Description:="Example Service Description")> _
public function MyService()

Dim serviceNamespace as string = ?
Dim serviceMessageName as string = ?

end function

end class


I am creating a db model that reflects my service architecture and I wish to
tie it into my ACL db model as a further security level so I need to get the
namespace and messagename. If I can I can simply hard code into each
service when it does a call to check if the caller is allowed. I would
prefer to reference the actual namespace and service method though.

Cheers
Keith

 

[Dan Rogers]

Hi Keith,

No, this isn't going to work. Remember, this is not a remote object (a la
CORBA). It's an object facade placed over top of a message oriented
communications protocol. The notion of the service as an instance, you
need to start unlearning as a way of thinking. It's not an object (data
and logic encapsulated together). Instead, think of each method as a
stateless, autonomous operation that takes all of the data it needs as its
input, and returns everthing the caller will need to know about the result
of the operation as the return type.

One thing you can do if you need to return more than one thing (which may
be what you are asking here) from a single method is to declare a class -
just a data class, and have that class be the return types. That class can
have properties or fields (depending on your preference/requirements), and
thus allow the service to create an instance of the compound data object,
populate it's fields, and then return that fully populated instance as it's
sole return type.

Later calls to the same service typically would have no knowledge of prior
requests - although you may use a mechanism such as a database or a
data-bag passed back and forth, to simulate stateful server side objects.

I hope this helps

Dan Rogers
Microsoft Corporation
--------------------

 

[Keith Chadwick]

Actually think you misunderstood.

Since my application will be 100% web service based I want to be able to
control who calls what with what method. So when a user requests to become a
consumer of the web services I get some information from them, such as IP
and this information is stored in my database. The dfd in the db for this is
very simply Consumer to service_methods. This information is snapshoted
into the consumers session as xml. When a request is made to my web servers
I check with my userSession custom class and ask it if they user is allowed
to called this web service from a) userHostaddress b) method POST/GET and
delivery mechanism SOAP or no SOAP, etc.

So my code looks like this in my web services:

dim director as new aeDirector

' Guarentee sesssion for user
if not director.user.checkSession(guid) then
if not director.user.loginbyGuid(guid) then
... "get the hell out of dodge"
end if
end if

' check if user allowed to call this service
if not director.user.checkWSCall("wsclassname","wsmethodname") then
... "get the hell out of dodge"
end if

... now do what the web service is supposed to do as we have cleared our
checking

aeDirector is my custom class that manages session. User is a another class
within director which provides me a interface into the xml data that is
stored in session.

Any way, the line 'checkWSCall("wsclassname","wsmethodname")' is what I am
asking. Think of a form where I can use me.something. When you define a
web method can you say something like me.MessageName which is the name of
the web method you defined in the <webmethod> call.

Its no big deal just wondering if that information is available, that is
all.

Your gonna tell me its in the WDSL arn't ya

Cheers
Keith

 

[Dan Rogers]

Hi Keith,

Ahhh. I see. An aside is this sure doesn't seem very secure to me, but if
this is how you want to do it, that's yours to deal with.

As for being able to see the methods name, you can get things like the soap
action value, etc. You can also reflect on the class you are in to see a
list of your methods etc... For instance,
Me.Context.Current.Request.Headers lets you see the HTTP headers for the
current request.

Lots of really interesting things to discover in the base classes members.

Have you thought about using web service security (WS-Security) for this
kind of thing? Look at the security samples in the WSE 2.0 SP1 toolkit.
These seem to be pretty similar to what you are trying to invent, and are
already well tested to work across platform, etc.

Hope this helps

Dan
--------------------

 

[Keith Chadwick]

Ahhh another SDK to digest for the weekend. Ok will have a look. Perhaps
try and integrate them.

Cheers
Keith

 

[Keith Chadwick]

You know it is somewhat gratifying to find a limitation and 'begin' a design
to cover the limitation only to discover you folks thought it was a good
idea to do as well

This is why developers who never ask never learn!

Cheers and thanks
Keith

 

[Keith Chadwick]

Hmm, not very secure you say. The information that is returned from my web
services all runs under SSL so does this not mean it is encrypted?

Also to do a simply request like fetch a contact via HTTP Get would be
something like this:

fetchcontact?uid=C55CBD32-E664-4BC6-9D88-2E53AAA08562&clientkey=3AA3FBF0-2762-4B11-838D-6DDB799E251D&address=AQEAAAAAAGnzAQAAAAAA0CoAAAAA

Where uid is the callers 'current' login key and clienkey is the private key
of the client record in the db. The db design also must allow that uid key
access to the client via the database relationships . This private key is
routinely changed within the database as well.

Is this not secure enough considering it is over SSL? I am sending data
over the wire but never anything like credit card information even though
that is stored in the database.

Been reading the WSE and it seems to me that all of my messages would have
start using soap if I wish to embed certificates and the like and I do not
wish to do this.

Cheers
Keith

 

[Dan Rogers]

Hi Keith,

As I said, it is ultimately your choice. You can get pretty far going in
the direction you are, and if your only need is for wire privacy, then I
cannot fault your approach. My concerns stem from experience - rolling
your own security approach is almost never secure, and places you in the
infrastructure business. Heck to convert over or get converts as/when you
choose to open it up to broader # of consumers.

Dan
--------------------

From: "Keith Chadwick" <[email protected]>
References: <[email protected]>

<T#[email protected]>