Web Method Parameters

J

JMZ

I know the parameters for a web method call get serialized into the SOAP
message when the call is made, but what I need to know is:

If the SOAP message includes a digital signature (from an
X509SecurityToken), are the parameters signed as well? That is, if one of
the parameters was tampered with during transit, would WSE detect it when it
verifies the signature during its CheckSignature call?

The reason I need to know is that our web service is our portal for
sensitive file uploads, and we use X509Certificates from the CurrentUser
store for the signature. But, I am having great difficulty in retrieving the
body XmlElement with the GetBodyObject() method, after having successfully
serialized the file contents into it with the SetBodyObject() method in the
client. Every attempt to get the body element throws an exception.

However, seeing that the parameters get serialized into the SOAP message
automatically (and deserialized in the web service), if the parameters are
getting signed with the rest of the SOAP message, then there's no point in
using the SetBodyObject() method.

We are conducting the transaction over SSL, as well.

Thanks in advance.
 
D

Dan Rogers

Hi,

When you call a web service using WSE and WS-Security, you specify which
fields are included in the signature. Since a request message body is
entirely the parameters, the answer that will put your fears to rest is
that yes, the body is what gets signed, typically. To test this, you can
keep a trace of a message that you send normally, save it, alter the data
in the parameters being sent, and test for whether the signed request (with
altered content) makes it thru to your service without detection when you
play the message back via a playback tool (raw TCP/IP or HTTP Post will do
in most cases).

If you are conducting your transaction over SSL, you'll have to capture the
payload before it gets encrypted on the wire to verify this, as the SSL
encryption will prevent capture/alteration/playback quite effectively all
by itself.

I hope this helps,

Dan Rogers
Microsoft Corporation
--------------------
 
J

JMZ

Dan,

Thanks very much for the info.

Maybe you can also explain why the GetBodyObject() method gives me trouble.
After having used SetBodyObject to serialize a string into the body (after
calling CreateBody), my web service throws a null reference excpetion when
calling GetBodyObject to get the string back out.

Any ideas?

Thanks again.
 
D

Dan Rogers

Do you know which parameter is causing the null reference exception? Is it
possible that the string is NOT an XML element (this would be unusual,
since XML is not strings...

Dan
--------------------
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

How to pass the parameters (soap message) to a web service... 0
Different Serialization Technique In .NET 0
Making class-typed method parameters optional without overloading? 6
method parameters empty? XML namespace prefix issue? 1
How to set SOAP values inside constructor with parameters - help 0
Add custom HTTP Header to all Web Service responses 2
Deriving Web Method Signature from WSDL file 1
Web Method Attributes 0

Members online

No members online now.
Total: 36 (members: 1, guests: 35)
Robots: 250

Forum statistics

Threads
473,995
Messages
2,570,236
Members
46,822
Latest member
israfaceZa

Latest Threads

Top