Daily Archives: December 22, 2003

a bit more on soap and xml

ahh – another lost post – why oh why?

ok here’s the short version… I just spent all day working with SOAP and encryption and xmldocuments. Don Box just wrote a post that addresses a misconception that I had when working on my solution today. “What caught my attention was the implication that there are somehow two classes of XML – documents and something else.” Because I was dealing with SOAP I thought I had to send a “real” xmldocument, not whatever xml is created magically when you send a dataset from a webservice. So I converted my dataset to an xmldocument object, sent that back to my client then took the resulting xmlNode, converted back to an xmldoc and then back to a dataset.

Another thing I wanted to point out about his post was that it addressed my little nit with the fact that the xmldoc is transformed into an xmlNode somewhere in the pipe. In his post, Don says that “it’s exceedingly tricky for a SOAP envelope to contain an XML Document due to the problems of embedding XML inside of XML (embedded DOCTYPE, ID collisions, non-nesting CDATA sections, etc.).” OK, I can live with the transformation! 

So, if you have missed his post, definitely read it if you are not 100% solid on SOAP and would like some clarity. 

My Day of .NET Security

(add: as per this and this, I modified my webservice to return a plain old dataset in the encrypted soap header – as I would for any other dataset returned by a web service – rather than turning it into an xmldocument first. Actually, also check out this from Sean Wildermuth, which is what convinced me over a year ago that it is a-o-k to return datasets from webservices)

Well! That was educational!

I now have a web service that grabs a dataset of super-secret information from sql server, converts it to an xmldocument and returns it to my client as the body of an encrypted Soap message. It’s possible to encrypt different pieces of the soap message. And I had to deal with that p.i.a. transformation of an xmldoc to an xmlnode on its way through the pipe. But at least I remembered that from the last time I encountered it!

My smart client retrieves this encrypted message (thanks to the last key of remembering to modify the web service proxy by replacing
Inherits System.Web.Services.Protocols.SoapHttpClientProtocol
with
Inherits Microsoft.Web.Services.WebServicesClientProtocol)

I was able to pull this part off with both Bill’s book and Jeannine’s article (see previous blog for details) close at hand.

Once I had the data safely in my client’s clutches I still had another task which was to persist the data for off-line use. Of course, if the data is sensitive enough to need to encrypt it on the way through the pipe, I didn’t want to just create a little xml file that could be opened up in notepad! So I used a System.Security.CryptoStream (and a little help from this article) to encrypt the data, yet again, along with WriteXML to persist the data. The application that needs the data offline then got a reverse engineering job to do a dataset readxml and decrypt the data.
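The persistence step described above, as an added example (not the author's code, and written against current .NET rather than the .NET 1.1 of this post): the DataSet is written through a CryptoStream, and an HMAC is added so a modified file is rejected before anything is decrypted. The module, function and parameter names are assumptions, and both 32-byte keys are assumed to come from protected storage, not from the source code.

```vb
Imports System.Data
Imports System.IO
Imports System.Security.Cryptography

Module OfflineCache
    ' File layout: 32-byte HMAC-SHA256 tag | 16-byte IV | AES-CBC ciphertext.
    Sub SaveEncrypted(ds As DataSet, fileName As String, encKey As Byte(), macKey As Byte())
        Using cipher As Aes = Aes.Create(), body As New MemoryStream()
            cipher.Key = encKey
            body.Write(cipher.IV, 0, cipher.IV.Length)    ' random IV, new for every file
            Using cs As New CryptoStream(body, cipher.CreateEncryptor(), CryptoStreamMode.Write)
                ds.WriteXml(cs, XmlWriteMode.WriteSchema) ' XML goes straight into the cipher
            End Using                                     ' disposing writes the final block
            Dim data As Byte() = body.ToArray()           ' still valid on a closed MemoryStream
            Using mac As New HMACSHA256(macKey), f As New FileStream(fileName, FileMode.Create)
                Dim tag As Byte() = mac.ComputeHash(data) ' encrypt-then-MAC over IV + ciphertext
                f.Write(tag, 0, tag.Length)
                f.Write(data, 0, data.Length)
            End Using
        End Using
    End Sub

    Function LoadEncrypted(fileName As String, encKey As Byte(), macKey As Byte()) As DataSet
        Dim blob As Byte() = File.ReadAllBytes(fileName)
        If blob.Length < 48 Then Throw New CryptographicException("Cache file too short")
        Using mac As New HMACSHA256(macKey)
            Dim expected As Byte() = mac.ComputeHash(blob, 32, blob.Length - 32)
            Dim diff As Integer = 0
            For i As Integer = 0 To 31                    ' compare every byte, no early exit
                diff = diff Or (blob(i) Xor expected(i))
            Next
            If diff <> 0 Then Throw New CryptographicException("Cache file failed integrity check")
        End Using
        Using cipher As Aes = Aes.Create()
            Dim iv(15) As Byte                            ' 16 bytes
            Array.Copy(blob, 32, iv, 0, 16)
            cipher.Key = encKey
            cipher.IV = iv
            Using src As New MemoryStream(blob, 48, blob.Length - 48),
                  cs As New CryptoStream(src, cipher.CreateDecryptor(), CryptoStreamMode.Read)
                Dim ds As New DataSet()
                ds.ReadXml(cs, XmlReadMode.ReadSchema)    ' decrypts while parsing
                Return ds
            End Using
        End Using
    End Function
End Module
```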

Phew! I am whooped. Now on to WSE2 where I have been promised I’ll be hitting my head wondering why I wasted all of that time with this WSE solution. Though the true answer is that I needed to use it in production and the WSE2 tech preview is not licensed for production use. That’s why.

Get out yer plumbin’ tools – WSE here I come!

Inspired by Rory Blyth’s post on what .NET technology we fear the most (hands down for me, it’s WSE) and a need to return login data from a web service in a secure manner, I am about to finally (finally!) use WSE. I have just installed WSE1 SP1 SDK on my dev machine and the runtime on my webserver. (add: and the WSE Settings Tool!!)

I have at my disposal Bill Evjen’s Web Service Enhancements book and this MSDN article (Encrypting SOAP Messages Using Web Services Enhancements) by Jeannine Hall Gailey.

My plan is to grab the data via a dataset, writexml to an xmldoc and then send the xmldoc back to the client inside an encrypted soap body. (BTW – I am not looking for instruction, correction, hints, etc – I want to do this myself!!)

I am a perfect guinea pig for WSE. I even concede: the person who they are writing Indigo for. Once I get past this, then I can confidently say “if *I* can do it, anyone can!”.

P.S. I’m well aware that WSE2 is right around the corner and I’m SOSOSO far behind with this but WSE2 is not for production. So I’ll cut my teeth on WSE1 and then look at the tech preview of 2.

Life of Pi and other good reads

I read at night. I read novels. It is how I clear my head of bits and bytes and problem solving.

I just finished reading Life of Pi. You don’t need to hear from me how marvelous this book was. In looking for this jpeg, I stumbled upon an essay by Yann Martel on www.powells.com about his writing the book. If you have read the book, you must certainly read this essay. It can answer some possible lingering questions.

Now I have begun a collection of short stories called “The Interpreter of Maladies” which coincidentally is also of Indian theme. This collection was written by a young woman, her first publication, for which she won a Pulitzer!

I also read a number of other books based in India in the past year.

I seem to get on tracks like that. I recently went through a slew of books by Chinese authors and then a handful of Japanese. It is not by design that I do this – just happens that way. The book I read prior to Life of Pi was The Silent Cry by Kenzaburo Oe. This gorgeous book was written in the late 60’s and Oe won a Nobel prize in the late 90’s with this book being noted as one of his highest achievements.