 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / August 2005Using policy in a WebMethod
Hi I was wondering if there is any way to use a policy in a WebMethod that is inside of an .asmx. The key here is that I need to use a policy only in a couple of WebMethod not in all the Webservice. I know that policy aplies for a .asmx but I will like to know if it's posible to aplied only in one or two method for the webservice. Thanks Hi, A policy file contains a mapping section where you specify security requeriments for each WebMethod. For example, <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy"> <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"> <endpoint uri="http://localhost/MyWebService.asmx"> <operation request ="MyWebMethod1"> <request policy="#MyPolicy1-Request"></request> <response policy="#My-Policy1-Response"></response> <fault policy=""></fault> </operation> <operation request ="MyWebMethod2"> <request policy=""></request> <response policy=""></response> <fault policy=""></fault> </operation> </mappings> ..... In this example, I didn't specify security requeriments for the webmethod "MyWebMethod2" (The policy attribute is empty). Regards, Pablo Cibraro www.lagash.com > Hi I was wondering if there is any way to use a policy in a WebMethod that > is [quoted text clipped - 5 lines] > > Thanks Hola Pablo te copio el policycache.config ya que tengo ciertas dudas: 1) <request policy="#MyPolicy1-Request"></request> Que nombre debería de poner en lugar de "#MyPolicy1-Request". 2) Debería de eliminar el TAG de <DefaultOperation> ? 3) Debería eliminar el TAG donde dice <request policy=#Sign-Username> y entonces dejar la descripción para cada uno de mis WebMethods? Quedo a la espera de tu respuesta, Gracias <?xml version="1.0" encoding="utf-8"?> <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy"> <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"> <!--The following policy describes the policy requirements for the service: http://localhost/Prueba.WebServices/Convenios.asmx .--> <endpoint uri="http://localhost/Prueba.WebServices/MiWebService1.asmx"> <defaultOperation> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="#Sign-SCT-Encrypt-SCT-1" /> <fault policy="" /> </defaultOperation> <operation requestAction="http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT"> <!--RST and RSTR messages are being processed by WSE policy engine similar to other messages. If a service policy mapping specifies policies that use SCT token for defaultOperation, there MUST be a separate mapping for RST/RSTR messages. Policies specified for RST/RSTR messages can be empty. In addition to the policy specified for RST and RSTR messages, WSE infrastructure will enforce and verify that: 1. RST Enforcement: An RST message will be signed using baseToken. If an Issuer Token is present, an entropy will be created and encrypted using the Issuer Token. If a UsernameToken is used in the message it will be encrypted using the Issuer Token. 2. RST Verification: An RST message must be signed. If the RST contains an entropy, it must be encrypted by the server token. If a UsernameToken was used in the message it must be encrypted. 3. RSTR Enforcement: An RSTR message will be signed using the server token. If the client used entropy in the RST message, a server entropy will be created and encrypted with client's entropy token. If a Username token is used in the message it will be encrypted with the client's entropy token. 4. RSTR Verification: An RSTR message must be signed using the Server Token. If an entropy is used it must be encrypted using client's entropy token. If a username token is issued in the RSTR message it must be encrypted. Implement a custom SecurityContextTokenService or SecurityContextTokenServiceClient to change the policy enforcement and/or verification behaviors. --> <request policy="#Sign-Username" /> <response policy="" /> <fault policy="" /> </operation> </endpoint> </mappings> <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT"> <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.--> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <!--The Integrity assertion is used to ensure that the message is signed with SCT. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific SCT claims.--> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType> <wssp:Claims> <wse:Parent> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> <wssp:Claims> <!--By specifying the Role, the policy system can verify that the token contains a specific role, such as "Admin". Roles can be groups a user is a member of, or they can be customized for each token.--> <wse:Role value="wsdesa\BancoPopular" /> </wssp:Claims> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wse:Parent> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <!--The Confidentiality assertion is used to ensure that the SOAP Body is encrypted.--> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <!--The SecurityToken element within the KeyInfo element describes which token type must be used for Encryption.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType> <wssp:Claims> <wse:Parent> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> <wssp:Claims> <wse:BaseToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> <wssp:Claims> <!--By specifying the Role, the policy system can verify that the token contains a specific role, such as "Admin". Roles can be groups a user is a member of, or they can be customized for each token.--> <wse:Role value="wsdesa\BancoPopular" /> </wssp:Claims> </wssp:SecurityToken> </wse:BaseToken> <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer> <wssp:Claims> <!--By specifying the SubjectName claim, the policy system can look for a certificate with this subject name in the certificate store indicated in the application's configuration, such as LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful for finding the correct values for this field.--> <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName> <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> </wssp:Claims> </wssp:SecurityToken> </wse:Parent> </wssp:Claims> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> <wsp:Policy wsu:Id="Sign-SCT-Encrypt-SCT-1"> <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.--> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <!--The Integrity assertion is used to ensure that the message is signed with SCT. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific SCT claims.--> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType> <wssp:Claims> <wse:Parent> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> </wssp:SecurityToken> </wse:Parent> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <!--The Confidentiality assertion is used to ensure that the SOAP Body is encrypted.--> <wssp:Confidentiality wsp:Usage="wsp:Required"> <wssp:KeyInfo> <!--The SecurityToken element within the KeyInfo element describes which token type must be used for Encryption.--> <wssp:SecurityToken> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType> <wssp:Claims> <wse:Parent> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType> </wssp:SecurityToken> </wse:Parent> </wssp:Claims> </wssp:SecurityToken> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> <wsp:Policy wsu:Id="Sign-Username"> <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.--> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate> <!--The Integrity assertion is used to ensure that the message is signed with Username. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific Username claims.--> <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> <wssp:Claims> <!--By specifying the Role, the policy system can verify that the token contains a specific role, such as "Admin". Roles can be groups a user is a member of, or they can be customized for each token.--> <wse:Role value="wsdesa\BancoPopular" /> </wssp:Claims> </wssp:SecurityToken> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> </wsp:Policy> </policies> </policyDocument> > Hi, > A policy file contains a mapping section where you specify security [quoted text clipped - 35 lines] > > > > Thanks Hola, 1. Deberías poner "#Sign-SCT-Encrypt-SCT" 2. Si, deberías eliminarlo. La parte que protege los webmethods es esta: <endpoint uri="http://localhost/Prueba.WebServices/MiWebService1.asmx"> <defaultOperation> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="#Sign-SCT-Encrypt-SCT-1" /> <fault policy="" /> </defaultOperation> Al tener defaultOperation, esta aplicando a todos los webmethods de "MiWebService1.asmx". Para solucionar esto, deberías especificar las distintas operaciones, como por ejemplo: <endpoint uri="http://localhost/Prueba.WebServices/MiWebService1.asmx"> <operation request="Operacion1"> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="#Sign-SCT-Encrypt-SCT-1" /> <fault policy="" /> </operation> <operation request="Operacion2"> <request policy="" /> <response policy="" /> <fault policy="" /> </operation> 3. No, el TAG <request policy=#Sign-Username> es utilizado por la policy para enviar requests al STS (En tu caso, estás utilizando security context tokens para proteger el mensaje) Saludos. > Hola Pablo te copio el policycache.config ya que tengo ciertas dudas: > 1) <request policy="#MyPolicy1-Request"></request> Que nombre debería de [quoted text clipped - 332 lines] >> > >> > Thanks Ok Pablo, pero si yo lo que quiero es que un WebMethod use la politica1 y otro WebMethod use otro tipo de politica, pero los 2 WebMethod están dentro del mismo .asmx, eso lo puedo hacer? O debo crear otro .asmx > Hola, > [quoted text clipped - 293 lines] > > enforcement (send-side) policy.--> > > <wsp:MessagePredicate wsp:Usage="wsp:Required" Si, lo podes hacer. Tenes que definir la politica nueva y despues se lo asignas a la operación. Ejemplo, <endpoint uri="http://localhost/Prueba.WebServices/MiWebService1.asmx"> <operation request="Operacion1"> <request policy="#Sign-SCT-Encrypt-SCT" /> <response policy="#Sign-SCT-Encrypt-SCT-1" /> <fault policy="" /> </operation> <operation request="Operacion2"> <request policy="MiNuevaPolitica-Request" /> <response policy="MiNuevaPolitica-Response" /> <fault policy="" /> </operation> .... <policies ...> <wsp:Policy wsu:Id="MiNuevaPolitica-Request"> .... </wsp:Policy> <wsp:Policy wsu:Id="MiNuevaPolitica-Response"> .... </wsp:Policy> > Ok Pablo, pero si yo lo que quiero es que un WebMethod use la politica1 y > otro WebMethod use otro tipo de politica, pero los 2 WebMethod están [quoted text clipped - 319 lines] >> > enforcement (send-side) policy.--> >> > <wsp:MessagePredicate wsp:Usage="wsp:Required" Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.