1
votes

I know there are plenty of discussions relating to connecting a classic ASP client to a SOAP web service, but I'm interesting in connecting to a HTTPS enabled SOAP service.

We have an existing SOAP Web service written in WCF and it works great...for .NET clients. We've had a request from a new customer, "We use classic ASP - how do we connect to your Web Service API?" I didn't have a clue where to start, and it started to dawn on me that I had no idea what the structure of the actual SOAP messages are.

I've seen the examples of classic ASP chatting to SOAP web services on the web, but none which exchange messages over HTTPS. We're using message level security on the WCF bindings.

Is this a lost cause - does WS-Security prevent classic ASP from interfacing with a HTTPS SOAP Service?

Thanks in advance.

3
what is the https certificate (self signing ? or verified)dvhh

3 Answers

3
votes

Option 1: tell your client what year it is, and suggest that there are costs associated with using obsolete technologies, and that one of those costs is that you will not be supporting "Classic ASP".

Option 2: Write some C# code to produce COM wrappers to your services. The Classic ASP code (or VB6 or VBA or whatever) can call COM objects without having any idea they're using modern code developed with modern tools.

1
votes

After a bit of investigation I came up with the following:

  1. WCF Message security can't be used with classic ASP

  2. I created a second endpoint on the service which had the following bindings:

      <basicHttpBinding>
      <binding name="SecureBasic" >
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
      </binding>
     </basicHttpBinding>"
    

Few notes about this -

  1. You'll need to use HTTPS (i.e. install a self-certificate)

  2. It's not the preffered method of security to use over the internet - ideally you should use Message security.

  3. I used a customer username and password validator to authentciate the client request

The following ASP code works well calling this service:

        soapServer = "YourSOAPAddress"
        soapMessage = "Put Your SOAP Message in here use Charlies / Fiddler to determine the message"
        Set xmlhttp = CreateObject("MSXML2.ServerXMLHTTP.3.0") 
        xmlhttp.setOption(2) = 13056
        xmlhttp.open "POST", soapServer, False
        xmlhttp.setRequestHeader "SOAPAction",   "urn:Alpha.Services.API.DeviceService/IDeviceService/GetDevices"
        xmlhttp.setRequestHeader "Content-Type", "text/xml; charset=utf-8"
        xmlhttp.send(soapMessage)   
        Response.Write "<br>Finished calling Web Service."
        Response.Write "<br>Status = " & xmlhttp.statusText
        Response.Write "<br>ResponseText = " &  xmlhttp.responseText

For client systems that use a language that does not support WS-Security (such as ASP) this is one possible solution.

-1
votes

Classic ASP should have no problem working with WS-Security Enabled Web Services. It's just going to be slightly more difficult than you would think. As for the HTTPS part of the equation? That should be transparent to your service. Connecting to something over HTTPS works the same as HTTP.

If all else were to fail, you could resort to manually crafting the SOAP Envelope and putting all of the security details in by hand.

Luckily there's no need for that. Microsoft released the Microsoft SOAP Toolkit to make working with Web Services easier. You should be able to handle your situation fairly easily using that.