Signed Messages in WSE

Signing a message in WSE is easy. The following code demonstrates that.

public string InvokeHelloWorld()
{
String sto = X509CertificateStore.MyStore;

// Open the certificate store
X509CertificateStore store = X509CertificateStore.CurrentUserStore(sto);
store.OpenRead();

// Find the certificate you want to use
String certname = System.Configuration.ConfigurationSettings.AppSettings["CertificateName"];
X509CertificateCollection certcoll = store.FindCertificateBySubjectString(certname);

if (certcoll.Count == 0)
{
// handle this
return null;
}
else
{
X509Certificate cert = certcoll[0];
DemoServiceWse svc = new DemoServiceWse();
SoapContext ctx = svc.RequestSoapContext;

// Use the certificate to sign the message
SecurityToken tok = new X509SecurityToken(cert);
ctx.Security.Tokens.Add(tok);
ctx.Security.Elements.Add(new MessageSignature(tok));

// Invoke the web service
return svc.HelloWorld();
}
}

The code is taken from Ingo Rammer's article Using Role-Based Security with Web Services Enhancements 2.0 with some modifications. And aslo the error handling code is omitted.

One thing that I want to point out is that: instead of inheriting from System.Web.Services.Protocols.SoapHttpClientProtocol as the non-WSE proxies do, the WSE proxies will extend Microsoft.Web.Services.WebServicesClientProtocol which contains a number of additional properties. So DemoServiceWse is a WSE proxy.

As you can see from the code, the syntax that WSE uses at the toppest level to deal with security related tasks such as authentication, signning a message, ..., is really easy. It lies in
SoapContext.Security. You first obtain a request or response SoapContext object. So you have SoapContext.Security, which is a Security object. A Security object maintains two collections: a strongly typed collection of security tokens and a strongly typed collection of security elements, and a Timestamp property. I will discuss the relationships among Tokens, elements, and SOAP headers in the forthcoming posts.