Total Pageviews

Monday, April 22, 2013

Soap Header Authentication for Web Services in ASP.NET

Hi All,

I will be discussing web service authentication in this article, where you can host your web service publically but it can only be accessed by passing pre-assigned username, password and secure parameter. 

So speaking simple SOAP web services, following are the steps that will make your publically available web service, a secured web service.

When you choose to create a new web service(for .NET 2.0/3.0/3.5), you will see the following Service1.asmx code-behind. (Note: I've added "System.Web.Services.Protocols" namespace and "#region" tag in the default code.

This is an example of default web service code which will let HelloWorld() method to be consumed without any authentication, once this web service is published over the App Server(local IIS or over Internet).

By adding couple of lines of code we can make the existing web service to be secure( enforcing username and password via SOAP Header).

So let's pick some username and password for the web service and place it within <appSettings> tag in Web.config file. 

    <add key="ff_username" value="user1"/>
    <add key="ff_password" value="User!123"/>

Now to implement this username and password, we need to modify the current web service code as shown in highlighted boxes below:

Now this web service is secured with customer username and password. After a successful build you can deploy/publish this web service on your IIS(local or Internet).


You can create a "Test Project" where you can add the service reference by right clicking on "Web Reference"--> choosing "Add Web Reference" and providing the URL of your currently deployed web service.

Assuming that you have given the web reference name of your web service(under Test Project) as "prod", it should look something as shown below.

Now in the code-behind of your "Default.aspx.cs", create the web service instance and consume the HelloWorld() and display it in Label.Text as shown below:

As stated in commented text, if your web service fails the authentication it will display "Authentication Failed" otherwise it will display "Hello World".

Cheers :-)


  1. Hi,
    Thank yo very much for the detailed information. Your information was very very very very helpful.

    Thank you so much.

    Apostille Certificate

  2. Where is the validateLogin type defined?

    1. Hi driftwood,

      validateLogin class is defined inside Service1 class.
      This will come after Authentication region #end tag.

      The code snippet is :

      /// To Validate the user against the user/password provided in web.config
      public class validateLogin : SoapHeader
      public string Username;
      public string Password;


  3. can you suggest me how to add a custom SOAP header in request?

  4. Thanks for sharing fabulous information. It' s my pleasure to read it.I have also bookmarked you for checking out new posts. by HRM 531 Week 1

  5. Hi,
    Great article! Thanks for the information, I think others will find this useful.
    Authentication Services