Build Secure Web Services With SOAP Headers and Extensions

原文如下：

https://www.developer.com/microsoft/dotnet/build-secure-web-services-with-soap-headers-and-extensions/

文章详细说了SOAPHeader使用的两种方式。我认为文中进行的验证都几乎就是明文传送的。加上一个body签名我认为是必要的。

string sign = HttpContext.Current.Request.Headers["sign"];

文章的内容，再加上上面这一句，我就能改造了。

摘录我最想要的Extensions部分。

<%@ WebService Language="C#" Class="QuoteService" %>

using System;
using System.Web.Services;
using System.Web.Services.Protocols;

[WebService (
    Name="Quote Service",
    Description="Provides instant stock quotes to registered users"
)]
public class QuoteService
{
    public AuthHeader Credentials;

    [AuthExtension]
    [SoapHeader ("Credentials", Required=true)]
    [WebMethod (Description="Returns the current stock price")]
    public decimal GetQuote (string symbol)
    {
        if (symbol.ToLower () == "msft")
            return 55.0m;
        else if (symbol.ToLower () == "intc")
            return 32.0m;
        else
            throw new SoapException ("Unrecognized symbol",
                SoapException.ClientFaultCode);
    }
}

public class AuthHeader : SoapHeader
{
    public string UserName;
    public string Password;
}

[AttributeUsage (AttributeTargets.Method)]
public class AuthExtensionAttribute : SoapExtensionAttribute
{
    int _priority = 1;

    public override int Priority
    {
        get { return _priority; }
        set { _priority = value; }
    }

    public override Type ExtensionType
    {
        get { return typeof (AuthExtension); }
    }
}

public class AuthExtension : SoapExtension
{
    public override void ProcessMessage (SoapMessage message)
    {
        if (message.Stage == SoapMessageStage.AfterDeserialize) {
            //Check for an AuthHeader containing valid
            //credentials
            foreach (SoapHeader header in message.Headers) {
                if (header is AuthHeader) {
                    AuthHeader credentials = (AuthHeader) header;
                    if (credentials.UserName.ToLower () ==
                        "jeff" &&
                        credentials.Password.ToLower () ==
                        "imbatman")
                        return; // Allow call to execute
                    break;
                }
            }

            // Fail the call if we get to here. Either the header
            // isn't there or it contains invalid credentials.
            throw new SoapException ("Unauthorized",
                SoapException.ClientFaultCode);
        }
    }

    public override Object GetInitializer (Type type)
    {
        return GetType ();
    }

    public override Object GetInitializer (LogicalMethodInfo info,
        SoapExtensionAttribute attribute)
    {
        return null;
    }

    public override void Initialize (Object initializer)
    {
    }
}