WS-Security using the ASMX file in ASP.NET 3.5 - asp.net

Basically I need to setup my ASMX file so that when I pull it up in a browser to display the WebMethod specification the Soap Header conforms to this format:
<soap:Header>
<wsse:Security>
<wsse:UsernameToken wsu:Id='SecurityToken-securityToken'>
<wsse:Username>Username</wsse:Username>
<wsse:Password>Password</wsse:Password>
<wsu:Created>Timestamp</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
Back-story: I'm integrating with a client application that is already built (and owned by another company). Basically this client application already has their soap messages all set up from its past integrations with other companies. So we've opted to just build a web service using an ASMX file that matches the WSDL that they're already setup to consume.
Is it possible to get WS-Security working on an ASMX file or is ASMX too simplistic and I have to upgrade to WFC (which I really don't want to do)?

Is it possible to get WS-Security working on an ASMX file or is ASMX too simplistic and I have to upgrade to WFC (which I really don't want to do)?
Yes, it is possible using Web Services Enhancements 3 (an add-on for Visual Studio 2005 and ASMX). See this MSDN page for a WSE-3-specific tutorial and use the usernameOverTransportSecurity assertion, noting that this is not actually secure unless the connection takes place over a protected transport (i.e. SSL).
It is, however, not recommended that you do this, and I cannot fathom why you would not "want" to "upgrade to WCF" given the choice. Please note the following very important limitations of ASMX/WSE:
WSE is no longer a supported product. Although it still works, it no longer receives updates or even bug fixes.
No version of WSE will successfully integrate into Visual Studio 2008, or even Visual Studio 2005 running on Windows Vista x64 or newer.
WCF goes to a lot of trouble to provide thread-safe client operations and allow proxies to exist for long periods of time (which in turn provide significant per-operation performance benefits). WSE proxies, on the other hand, are disposable non-threadsafe objects that incur a setup time with every remote method invocation (even when using Secure Conversation). This also makes them largely unsuitable for Dependency Injection and many other widely-used patterns.
These are just some of the reasons why you shouldn't use WSE anymore. The reasons why you should use WCF on the client side are manifold, including but not limited to separation of the model and proxies, consumption of REST-based services, and better handling of collection types.
Unless you really must continue to use ASMX, please reconsider your refusal to move to WCF - unless the service does a lot of unusual things with XML serialization, it takes no more than 5 minutes to make the switch.

No, legacy ASMX web services do not support WS-Security, or any of the other WS-* standards.
Since Microsoft now considers ASMX web services to be "legacy technology", you should be doing this work using WCF.
Another answer suggests using WSE. This is even less of a solution. WSE is flat-out obsolete, and should only be used as a last resort.

You can implement a SOAP / WS-Security service using classic web services. Here's a tutorial from MSDN.
All of this is easier in WCF though.
EDIT:
Pulled the wrong link. Here's the one I meant to paste (CodeProject tutorial that uses WSE 2, though WSE 3 is the latest release and I have used that exclusively pre-WCF).

Related

Which technology should I use for on demand background service?

Recently I built MEF WCF service, hosted on IIS 8, which receives the command, performs long background process with SAP ECC and Local DB, then returns the status. So user interface input and output is only the string.
In Internet there are many blog post about WCF Dead and that it's better to use WEB API, and in the future ASP.NET Core, which is even better...
My question is, is there the sense to update the project to ASP.Net Web Api or wait to ASP.Net Core, or it's better to use another technics for this type of work?
Having more people talking about a technology does not means another similar one is completely dead; as an example look here to find about incoming WCF implementation for .Net Core.
Of course, this is a subset, as for Web API, MVC or Entity Framework are not uspporting today all features that their Full 4.x versions do.
Short answer: you can keep you WCF implmentation and come back later.
Longuest answer: look at what features WCF for .NET Core contains (especially for bindings) to see if porting would be easy, or if you need alreday to tihnk about moving to something else.

Is ASMX technology completely obsolete

Some time ago, about 2 years ago, I was working on web portal that was developed in .NET 2.0. and had plenty of asmx pages.
The other day, one of my coleagues that was more adept at ASP .NET said: "ASMX is old and ugly, we shoud rewrite it". So we did it, as far as I remember we moved to ashx handler.
But now, as I'm preparing to pass 70-515, I came across one some materials that still suggest to learn asmx services (with respect to AJAX). So is that approach still valid in new ASP .NET 3.5/4.0 web projects? If so, then when & where should I use it?
Or perhaps 2 years ago, I was soo ignorant, that we used some kind of old version of asmx and we moved to new asmx.
P.S. As I was entering tag "asmx" I saw a message: "asmx is obsolete" : https://stackoverflow.com/tags/asmx/info
If you can work with WCF then yes the ASMX services are obsolete because the WCF can fully replace them with more performance and flexibility (multiple binding), functionality. If you can write a WCF service then if you will be requested to create an ASMX service for some reason there will be no problem for you to do it.
And moving from ASMX to ASHX was not a smart move because they are not for replacing each other.
Oddly we moved from ASMX to WCF and then back to ASMX. WCF has quite a few downsides, most of all is cross-platform compatibility issues. If everyone consuming your service is on .NET this isn't an issue, but not all other frameworks have supported the full stack, and frequently they just can't do what WCF produces. We also found that dealing with security and testing was a pain in WCF. If your webservice is marked secure, it has to be secure in WCF, even in your testing environment, which means getting actual SSL certs for each developer. A tremendous pain to be sure.
ASMX and WCF are technologies to build web services in .NET. WCF was introduced in .NET 3.0. Its goal is to provide a standard abstraction over all communication technologies and is a recommended way of implementing web services in .NET.
What are the differences between WCF and ASMX web services?
ASHX is a way to write HTTPHandlers in .NET. For more information on what are HTTPHandler
http://forums.asp.net/t/1166701.aspx/1
ASMX services are supported in .NET. However migrating to WCF is recommended. Also, you should write all new services in WCF.
Yes, asmx is obsolute with WCF service. you can use asmx when you are working with < 4.0 aspx.
ashx will not be exact replace of asmx.
If you have coding format issue / standard / plenty of code then you can go with MVC Web API 2 (4.0 itself). but compare to WCF you must ensure what will be the recipient's response expectation
("WCF is the evolution of the web service(ASMX) and support various protocols like TCP, HTTP, HTTPS, Named Pipes, MSMQ. but Web api only for HTTP(s)").

asmx to WCF or Web API

I have an application that I'm building and for the moment, I built some web services using ASMX. In the end, the application will be deployed on azure. The web services are really simple in that all they do is call a class in the AppCode folder that handles all the work.
Is it going to be better/easier/faster/more performant to move my web services to WCF or to Web API?
Thanks for your suggestions.
PS: I want to add that the web services will need to work in HTTPS. At the moment, they're on HTTP because I'm in development mode.
One-liner: if you have already got a working code and it is risky to move it to another technology stay with the working code.
Depends who is answering.
Web API embraces HTTP and gives you flexibilities not possible with ASMX and WCF. If you care about HTTP, content-negotiation, media types and you need your service to be called from any client (including AJAX) then Web API.
If you need to be able to use WS* security standards (e.g. using X509 certificates, ADFS, etc), possibly change your binding, serve to different clients using different bindings, extensibility, etc use WCF.
If you already have a working code, and all you care about is RPC and your clients are always going to use ASMX then stick with ASMX.
Performance
No benchmark but my gut feeling, in descending order: Web API, ASMX, WCF
Easier
In descending order: ASMX (since you know it), Web API, WCF
Faster development
If you know them all, Web API and ASMX then WCF
PS: it is good to pick up new technologies. The way things are going (and since you are already moving to Azure) it is important to invest on new technologies.

Using RIA Services directly within an ASP.NET MVC 2.0 project

I am starting a new project which will need a ASP.NET MVC 2.0 website, a Silverlight section and a Windows Phone 7 UI.
My plan was to use WCF RIA Services to create a set of services which would be used in all different UI projects. With the Silverlight project I would use the standard tool integration, the Windows Phone looks like it may have to be WCF Services exposed by the RIA Domain Services, but I'm not sure about the ASP.NET MVC website.
My initial thoughts I would simple reference the class library containing the Domain Services and use them directly. Could this be considered a viable approach to using RIA Domain Services in a ASP.NET MVC website?
Kind Regards
Michael
I know a long time has passed since this question was asked, but since I had to make such a decision, I might as well document it for the benefit of others.
I work in an environment where lots of legacy and new apps co-exist, with the legacy apps being phased out. So we've had to build interoperability between everything from MS Access, to web service end points in C#, VB, Web Forms, MVC 3, even Flex, Reporting Services...the list goes on.
One of the biggest pain points in a multiple-client scenario is the maintenance of interoperability over time. As data, requirements and delivery mechanisms change, keeping things smooth ends up taking a lot of resources.
My approach has been to create one and only one mechanism for reading a given source of data by defining 1) a model, 2) a serialization/deserialization layer and 3) a service layer. All projects that need to use XY_Data must use the XY_Service to get XY_Objects via the XY_Serializer. Direct db calls or stored procs, etc are allowed in the XY_Application. This allows me to drop in replacement DLLs (versioned) with bug fixes and upgrades without restarting anything. I hardly ever do a full publish.
So yes, what you're suggesting will work. I would recommend only that you rigorously enforce the single-source-of-truth and DRY policies both in your data and your APIs.

REST on IIS

I'm wondering how many folks using the Microsoft development stack (IIS and/or ASP.NET) are actually using REST? If so, what forms of rest are being used?
REST can be categorized a zillion ways, but for the purpose of this question I'll categorize it as follows:
Radically REST: Using all the
HTTP methods PUT/POST/GET/DELETE
Moderate REST: Using GET/POST
REST Hybrid: Uses just the GET or
POST HTTP method, but follows
RESTful principles of addressability
and state.
In a class I'm teaching we've been trying to implement a "radically RESTful" service on IIS, but we've been having difficulty implementing the PUT method. There doesn't seem to be a lot of buzz on implementing PUT on IIS so I'm wondering how many people are actually using full blown REST? Are you using REST?
I'm involved in a project that uses WCF REST on IIS, but of course I'd recommend having a look at the framework I built: OpenRasta is a .net open-source stack that makes implementing REST much easier.
Google is your friend. The main site is http://trac.caffeine-it.com/openrasta.
I think part of the reason for the lack of buzz around REST on the IIS stack has been Microsoft's original adoption of SOAP as the way, truth and light when it came to web services - especially with Windows Communication Foundation being heavily SOAP focused.
They went on to release the WCF REST Starter Kit, to follow on from the release of .NET 3.5, and also the ADO.NET data services that are part of .NET 3.5 SP1.
As Magnus points out, Microsoft have since released the ASP.NET Web API which builds on the features of the ASP.NET MVC platform to provide a unified approach to RESTful services on IIS.
ASP.NET Web API is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. ASP.NET Web API is an ideal platform for building RESTful applications on the .NET Framework.
The WCF Rest Toolkit mentioned in the answer from "Zhaph - Ben Duguid" is now deprecated.
It has now been replaced with the WCF Web API project.
Edit: Which is now also deprecated and replaced by ASP.NET Web API!
It depends how you approach it.
By default IIS will limit verbs to ASP.NET pages to GET, HEAD, POST and DEBUG. You are, of course, free to tell it to accept PUT as well by editing the handler mapping. Assuming you wanted your own extension you'd do something like
<httpHandlers>
<add path="*.example" type="System.Web.UI.PageHandlerFactory" verb="GET, HEAD, POST, PUT, DELETE, DEBUG"/>
</httpHandlers>
If you want to remap .aspx you, of course, can in much the same way, assuming the server is configured to allow you/
I'm pretty sure the Microsoft ADO.NET Data Services uses RESTful services. It might be worth checking out... aside from being restful, it's a really cool tech.
Here's an extract from a white paper on it:
The goal of Microsoft® ADO.NET Data Services is to enable applications to expose data as a data service that can be consumed by web clients within corporate networks and across the internet. A data service is reachable via regular HTTP requests, using standard HTTP verbs such as GET, POST, PUT and DELETE to perform CRUD operations against the service. The payload format used by the service is controllable by the application, but all options are simple, open formats such as JSON and Atom/APP.
Here's a white paper and it's home page (at least what I think is it's home page)
HTHs,
Charles
What version of IIS? In IIS6 you need to enable WebDAV to enable PUSH requests to get through (no, I don't think that makes much sense either :-)). I don't think that's the case in IIS7 though.
I'm using the .Net class, HttpListener, which is the IIS web server engine(http.sys) without the IIS admin tools. I am handling all of the HTTP verbs. You can add attach the ASP.Net runtime to this if you like, but you don't need to.
In fact in a few cases we implemented a version of PATCH as an experiment. Once you get down to the basics, the verb is simply a string in one of the HTTP headers.
You actually cannot categorize REST in a zillion ways. There are may ways of using HTTP to build distributed applications but there is only one definition of REST.

Resources