SOAP request authentication in VB.NET

Question

I'm trying to write a SOAP request to a 3rd party web service in VB. I've added a service reference which automatically added the following to the web.config:

<basicHttpBinding>
        <binding name="Soap11">
          <security mode="None">
            <transport clientCredentialType="None" proxyCredentialType="None"
              realm="" />
            <message clientCredentialType="UserName" algorithmSuite="Default" />
          </security>
        </binding>
      </basicHttpBinding>

Now I have to write the following request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
           <wsse:UsernameToken>
               <wsse:Username>username</wsse:Username>
               <wsse:Password>password</wsse:Password>
           </wsse:UsernameToken>
       </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <sch:Request>
      </sch:Request>
   </soapenv:Body>
</soapenv:Envelope>

I don't have a clue what to do next. I don't know how to provide the authentification details. All I've done is the following:

    Dim myClient As New MyServiceReference.Client
    Dim myRequest As New MyServiceReference.Request
    Dim myResponse As New MyServiceReference.Response

    myClient.ClientCredentials.UserName.UserName = "Bob"
    myClient.ClientCredentials.UserName.Password = "Dole21"

    myResponse = myClient.Lookup(myRequest)

Obviously, not a lot. This has produced the following (according to fiddler).

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Lookup xmlns="http://example.com/schemas"/></s:Body></s:Envelope>

Any help would be greatly appreciated. How do I add the authentication headers to the SOAP request? I've tried changing

security mode="Transport"

but it throws up a "The provided URI scheme 'http' is invalid; expected 'https'." error.

score 2 · Accepted Answer · edited May 23 '17 at 12:06

I managed to do it after a couple of weeks of trial and error. It's actually answered quite well here except it's presented slightly convolutedly.

Before I give the code I think a few words of advice for those starting out with SOAP requests in .NET:

Avoid asmx and "web service" solutions when looking up solutions. asmx is legacy technology.
Download SoapUI. It's an open source soap testing tool.
Get Fiddler to log HTTP(S) traffic between your computer and the third party web service.

Ok, so here's the code:

    Dim myRequest As New ServiceReference1.LookupRequest
    Dim myResponse As New ServiceReference1.LookupResponse
    Dim address As New EndpointAddress("https://example.com/Service")

    Dim binding = New BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential)
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None
    binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName

    Dim myClient As New ServiceReference1.Client(binding, address)
    myClient.ClientCredentials.UserName.UserName = "username"
    myClient.ClientCredentials.UserName.Password = "password"

    myResponse = myClient.Lookup(myRequest)

Then , you need to change your web.config to include

<client>
     <endpoint ...>
            <headers>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <wsse:UsernameToken>
                        <wsse:Username>USERNAME</wsse:Username>
                        <wsse:Password>PASSWORD</wsse:Password>
                    </wsse:UsernameToken>
                </wsse:Security>
            </headers>
     </endpoint>
 </client>

When I ran the client it produced a (more verbose) SOAP request with the client credentials in the header which communicated with the web service:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
      <a:MessageID>urn:uuid:979816ec-0f1e-4052-a4e6-2449805178e2</a:MessageID>
      <a:ReplyTo>
         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1">https://example.com/Service</a:To>
      <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
         <u:Timestamp u:Id="_0">
            <u:Created>2014-04-24T14:44:59.601Z</u:Created>
            <u:Expires>2014-04-24T14:49:59.601Z</u:Expires>
         </u:Timestamp>
         <o:UsernameToken u:Id="uuid-7c02f0c6-107d-45ac-b682-f0462211da21-3">
            <o:Username>username</o:Username>
            <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</o:Password>
         </o:UsernameToken>
      </o:Security>
   </s:Header>
   <s:Body>
      <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
         <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
         <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
         <t:Entropy>
            <t:BinarySecret u:Id="uuid-45689ab6-30d3-4db6-a08e-99179e0dc65f-3" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">fQHEdTa+AGk8uAH5xbUkP+kfNkoTdEl5uwpWOf8QFug=</t:BinarySecret>
         </t:Entropy>
         <t:KeySize>256</t:KeySize>
      </t:RequestSecurityToken>
   </s:Body>
</s:Envelope>

This solution helped us to fix an issue we were facing for 2 weeks. — Muhammad Irfan Azam, Dec 18 '18 at 07:31

score 0 · Answer 2 · answered Jul 30 '15 at 15:45

If your service client supports the constructor new ServiceReference.Client(endpointConfigurationByName As String) then you can configure all stuff within the application config:

<client>
 <endpoint address="http://someserver", binding="Soap11", name="myService">
        <headers>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:UsernameToken>
                    <wsse:Username>USERNAME</wsse:Username>
                    <wsse:Password>PASSWORD</wsse:Password>
                </wsse:UsernameToken>
            </wsse:Security>
        </headers>
 </endpoint>

After doing that you can create a new Client instance providing the configuration name:

Dim myClient As New ServiceReference1.Client("myService")

whenever myClient sends a SOAP request, it will send the configured header along with it.

You can have more than one endpoint in your configuration to support several instances/stages

SOAP request authentication in VB.NET

2 Answers2