Write Secure Web Services (Continued)
Set the client to On and the server to Always. Clicking on OK updates the web.config file with the metadata, sets the service to accept only MTOM, and requires that the client send only MTOM messages. Next, you want to configure the security and policy. Navigate to the Policy tab in the WSE Settings 3.0 window, then click on the Add button and type in "ServerPolicy" as the name. After clicking on OK, the new WSE Security Setting Wizard pops up to walk you through the setup. The wizard is intuitive and makes it easy to set up any type of turnkey security solution. The first window you see asks you what you want to secure (a client or a service), while the next asks which type of security you want to use (Anonymous, Username, Certificate, or Windows); select Certificate. The final few steps require you to select who can authenticate and to specify where the certificates are located. The wizard then creates a new policy file called wse3policyCache.config, which it adds to your solution. This file contains all the configuration information that you selected in the wizard in XML form.
Enable MTOM and the turnkey security in your Web service by decorating the SecureMTOMService class with [Policy("ServerPolicy")]. This tells your class to use the policy file you created in the wizard.
Build Your Client App
So far, you've created a Web service that uses MTOM and WS-Security. You still need to create a client application to test out the new functionality. Start by adding a new Windows Form project to your solution called WSE_Client. Rename the default form to something meaningful, such as MTOMTest, and add three buttons called btnGetPDF, btnSelectFile, and btnInsert. Next, add a textbox called txtFile and drop a WebBrowser control and an OpenFileDialog control on the form (see Figure 2).
That's it for the UI controls. Next, add a new Web reference to the SecureMTOM Web service. I prefer choosing the Web reference from the "local machine" as opposed to the "current solution" when working with these pre-release bits. Previously, you created a ServerPolicy; now you need to go through the same process for the client. Navigate to the WSE Settings 3.0 tool and enable the project for WSE 3.0. Note that you cannot enable the Soap Protocol Factory because this isn't an ASP.NET Web service.
Continue with the same steps you did for the server until you get to the Policy tab. On that tab, click on Add and type "ClientPolicy" rather than "ServerPolicy." Select "Secure a client" and "Certificate" for the authentication mode when the WSE security wizard comes up. The next steps ask you to select the locations of the Client certificate and the Server certificate. This prompts the wizard to update the app.config file, as well as generate a policy file like the server setup. You need to create a proxy to the SecureMTOM Web service when adding the implementation code for the btnGetPDF and btnInsert buttons. If you set up the Web service correctly, you see a new creatable object hanging off the localhost Web reference, called SecureMTOMServiceWse. Use this object to instantiate the reference. After the proxy has been instantiated, set the SoapVersion to Default, call SetPolicy, and set RequireMtom to true:
    localhost.SecureMTOMServiceWse myService =
        new WSE_Client.localhost.SecureMTOMServiceWse();
    myService.SoapVersion = SoapProtocolVersion.Default;
    myService.SetPolicy("ClientPolicy");
    myService.RequireMtom = true;
Complete the btnGetPDF handler by creating a Byte array and calling the GetPDF Web service to retrieve a file from the database. Next, use the FileStream object to write the file to disk and use the WebBrowser control to display the PDF in your client application. You can complete the btnInsert handler by creating a FileStream object to open a file, then using a BinaryReader to read the file into a Byte[]. Finally, call the InsertPDF Web method. You can make this example a little more usable by using the txtFile control as the source for the GetPDF and the InsertPDF calls, and using the btnSelectFile control with the OpenFileDialog control to browse for files (to insert), populating the txtFile control with the file path.
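The two handlers described above, written out as an added example that is not the author's code. The GetPDF and InsertPDF signatures and the webBrowser1 control name are assumptions; the download name is reduced with Path.GetFileName so that text typed into txtFile cannot steer the write outside the temp folder.

```csharp
using System;
using System.IO;
using System.Web.Services.Protocols;
using System.Windows.Forms;

namespace WSE_Client
{
    public partial class MTOMTest : Form
    {
        // Builds the proxy as configured in the article (ClientPolicy, MTOM required).
        private localhost.SecureMTOMServiceWse CreateProxy()
        {
            localhost.SecureMTOMServiceWse svc = new localhost.SecureMTOMServiceWse();
            svc.SoapVersion = SoapProtocolVersion.Default;
            svc.SetPolicy("ClientPolicy");
            svc.RequireMtom = true;
            return svc;
        }

        private void btnGetPDF_Click(object sender, EventArgs e)
        {
            // Keep only the file-name part so the write stays inside the temp folder.
            string name = Path.GetFileName(txtFile.Text);
            if (name.Length == 0) return;
            // Assumed signature: byte[] GetPDF(string fileName)
            byte[] pdf = CreateProxy().GetPDF(name);
            if (pdf == null || pdf.Length == 0) return;
            string target = Path.Combine(Path.GetTempPath(), name);
            using (FileStream fs = new FileStream(target, FileMode.Create, FileAccess.Write))
            {
                fs.Write(pdf, 0, pdf.Length);
            }
            webBrowser1.Navigate(target); // webBrowser1: assumed control name
        }

        private void btnInsert_Click(object sender, EventArgs e)
        {
            if (!File.Exists(txtFile.Text)) return;
            byte[] data;
            using (FileStream fs = new FileStream(txtFile.Text, FileMode.Open, FileAccess.Read))
            using (BinaryReader reader = new BinaryReader(fs))
            {
                data = reader.ReadBytes((int)fs.Length);
            }
            // Assumed signature: void InsertPDF(string fileName, byte[] data)
            CreateProxy().InsertPDF(Path.GetFileName(txtFile.Text), data);
        }
    }
}
```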
That's it for the sample. It's basic, but it should point the way forward for taking advantage of the security functionality in WSE 3.0. Some ideas for extending the example include using secure sessions, streaming the binary data, creating more robust policy files, using Kerberos and other security models, and modifying the data model so it's closer to what you would see in a real-world Web services application.
About the Author
Vijay P. Mehta works in enterprise architecture for a Fortune 500 company in Indiana, where he uses VS.NET to design, develop, and architect enterprise solutions. Reach him at .