
Steven Cheng[MSFT] - 28 Sep 2005 12:22 GMT
Hi Asanford,
Did the info in my last reply help a little? If there's anything else I
can help with, please feel free to post here.
Thanks,
Steven Cheng
Microsoft Online Support

Signature
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
X-Tomcat-ID: 132879987
References: <C3E577D9-8EC2-4894-8D7E-C6A4D077C984@microsoft.com>
<l3#guzyvFHA.580@TK2MSFTNGXA01.phx.gbl>
<1E21A95B-39B1-425A-B633-36F289C1A0B4@microsoft.com>
<P1FZJ7BwFHA.580@TK2MSFTNGXA01.phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_0001_F243C027"
Content-Transfer-Encoding: 7bit
From: stcheng@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Mon, 26 Sep 2005 08:56:12 GMT
Subject: RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
Message-ID: <IWV9sgnwFHA.580@TK2MSFTNGXA01.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
Lines: 506
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.webservices.enhancements:4971
NNTP-Posting-Host: TOMCATIMPORT1 10.201.218.122
Hi Asanford,
Sorry for keeping you waiting. After further consulting our
Webservice/WSE guys, we have confirmed that the description of the
security policy in WSE 2.0 in the following MSDN article
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
is correct, and it is the documentation that didn't include these topics.
And we can put only a security token assertion in the service's policy
document, like:
====================
<policyDocument xmlns="http://microsoft.com/wse/2003/06/PolicyDocument">
  <mappings>
    <endpoint uri="http://localhost/policyapp/secureservice.asmx">
      <!-- Corresponds to the PassToken operation -->
      <operation requestAction="http://develop.com/policyapp/secureservice/passtoken???">
        <request policy="#PresentAUserNameToken"/>
      </operation>
    </endpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:Policy wsu:Id="PresentAUserNameToken">
      <SecurityToken wsp:Usage="wsp:Required"
                     xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</TokenType>
      </SecurityToken>
    </wsp:Policy>
  </policies>
</policyDocument>
===============================
This policy requires that the client side provide a UsernameToken in the
request's security context. Also, since the WSE 2.0 configuration wizard
doesn't provide built-in design-time support for generating this kind of
policy, I manually modified the autogenerated one (which contains
<integrity> settings) into the one above, like what is in the MSDN article.
I've tested it on my side, and the policy assertion did work for a web
service with WSE 2.0 and policy enabled on the server side.
One thing we must pay attention to is that, for UsernameToken, the default
server-side WSE UsernameTokenManager only supports a UsernameToken sent with
a PlainText password; otherwise it will fail to verify the token. So that's
why you need to send a plaintext password for the UsernameToken in the
client proxy (WSE 2 enabled) if you haven't configured a custom
UsernameTokenManager in the server application.
Also, for security tokens embedded in a SOAP message, it doesn't quite make
sense if they're not encrypted or digitally signed, so the WSE 2
configuration wizard only provides secured options in design-time
configuration.
Thanks,
Steven Cheng
Microsoft Online Support

Signature
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
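The following is an added example, not code from this thread and not WSE's own implementation: a small Python model of what the SecurityToken assertion in the policy above enforces at the receiver. It parses the policy document, resolves the policy mapped to a request action, checks a SOAP request for the required UsernameToken, and then reports the two caveats from the post: the default server-side UsernameTokenManager verifies only PasswordText tokens, and an assertion with no integrity or confidentiality part leaves that password readable on the wire unless TLS carries the message. The sample policy and requests are constructed; the requestAction value, the example.invalid host, and the assumption that Integrity and Confidentiality assertions share the 2002/12 secext namespace with SecurityToken are mine, not the page's.

```python
import xml.etree.ElementTree as ET

# Namespaces: the WSE 2.0 policy document from the post (pd, wsp, wsu, sx) and a
# WS-Security SOAP request (soap, wsse).
NS = {
    "pd": "http://microsoft.com/wse/2003/06/PolicyDocument",
    "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "sx": "http://schemas.xmlsoap.org/ws/2002/12/secext",
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
UT_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
USERNAME_TOKEN = UT_PROFILE + "#UsernameToken"
PASSWORD_TEXT = UT_PROFILE + "#PasswordText"
PASSWORD_DIGEST = UT_PROFILE + "#PasswordDigest"

# Constructed sample: the policy from the post, with a placeholder requestAction.
ACTION = "http://example.invalid/policyapp/secureservice/passtoken"
POLICY_XML = f"""<policyDocument xmlns="{NS['pd']}">
  <mappings>
    <endpoint uri="http://localhost/policyapp/secureservice.asmx">
      <operation requestAction="{ACTION}">
        <request policy="#PresentAUserNameToken"/>
      </operation>
    </endpoint>
  </mappings>
  <policies xmlns:wsu="{NS['wsu']}" xmlns:wsp="{NS['wsp']}">
    <wsp:Policy wsu:Id="PresentAUserNameToken">
      <SecurityToken wsp:Usage="wsp:Required" xmlns="{NS['sx']}">
        <TokenType>{USERNAME_TOKEN}</TokenType>
      </SecurityToken>
    </wsp:Policy>
  </policies>
</policyDocument>"""


def soap_request(password_type=None, with_token=True):
    """Constructed sample SOAP request. password_type=None omits the Type
    attribute, which the UsernameToken profile treats as PasswordText."""
    type_attr = f' Type="{password_type}"' if password_type else ""
    token = ""
    if with_token:
        token = ("<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
                 f"<wsse:Password{type_attr}>not-a-real-secret</wsse:Password>"
                 "</wsse:UsernameToken>")
    return (f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}">'
            f"<soap:Header><wsse:Security>{token}</wsse:Security></soap:Header>"
            "<soap:Body><PassToken/></soap:Body></soap:Envelope>")


def resolve_policy(policy_xml, action):
    """Find the wsp:Policy mapped to a request action and summarise its assertions."""
    root = ET.fromstring(policy_xml)
    for op in root.findall("pd:mappings/pd:endpoint/pd:operation", NS):
        if op.get("requestAction") != action:
            continue
        ref = op.find("pd:request", NS).get("policy").lstrip("#")
        for pol in root.findall("pd:policies/wsp:Policy", NS):
            if pol.get(f"{{{NS['wsu']}}}Id") != ref:
                continue
            return {
                "token_types": [t.text.strip()
                                for t in pol.findall("sx:SecurityToken/sx:TokenType", NS)],
                # Assumption: Integrity/Confidentiality assertions use the same
                # 2002/12 secext namespace. The posted policy has neither.
                "signed": pol.find("sx:Integrity", NS) is not None,
                "encrypted": pol.find("sx:Confidentiality", NS) is not None,
            }
    raise LookupError(f"no policy mapped for action {action!r}")


def evaluate(policy_xml, action, soap_xml):
    """Apply the resolved policy to one request as a policy-enforcing receiver would."""
    policy = resolve_policy(policy_xml, action)
    env = ET.fromstring(soap_xml)
    sec = env.find("soap:Header/wsse:Security", NS)
    tok = sec.find("wsse:UsernameToken", NS) if sec is not None else None
    pw = tok.find("wsse:Password", NS) if tok is not None else None
    password_type = pw.get("Type", PASSWORD_TEXT) if pw is not None else None
    # The assertion holds when every required token type is present; this model
    # recognises only the UsernameToken type.
    policy_satisfied = all(t == USERNAME_TOKEN and tok is not None
                           for t in policy["token_types"])
    # From the post: the stock server-side UsernameTokenManager verifies only
    # PasswordText, so a digest token passes the assertion but fails verification.
    default_manager_accepts = tok is not None and password_type == PASSWORD_TEXT
    return {
        "policy_satisfied": policy_satisfied,
        "password_type": password_type,
        "default_manager_accepts": default_manager_accepts,
        "accepted": policy_satisfied and default_manager_accepts,
        # Risk flags: the token assertion alone signs and encrypts nothing, so a
        # PasswordText credential is readable on the wire unless TLS carries it.
        "password_in_clear": password_type == PASSWORD_TEXT and not policy["encrypted"],
        "unsigned": not policy["signed"],
    }


if __name__ == "__main__":
    for label, req in [("plaintext", soap_request(PASSWORD_TEXT)),
                       ("digest", soap_request(PASSWORD_DIGEST)),
                       ("no token", soap_request(with_token=False))]:
        print(label, evaluate(POLICY_XML, ACTION, req))
```

Running it prints one verdict per sample request. The practical reading is the one the post hints at: a policy-only UsernameToken requirement is an authentication gate, not transport protection, so it belongs behind TLS or alongside the wizard's integrity and confidentiality assertions, with a custom token manager if digest passwords are wanted.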
--------------------
X-Tomcat-ID: 143414896
References: <C3E577D9-8EC2-4894-8D7E-C6A4D077C984@microsoft.com>
<l3#guzyvFHA.580@TK2MSFTNGXA01.phx.gbl>
<1E21A95B-39B1-425A-B633-36F289C1A0B4@microsoft.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_0001_E2C06C1E"
Content-Transfer-Encoding: 7bit
From: stcheng@online.microsoft.com (Steven Cheng[MSFT])
Organization: Microsoft
Date: Fri, 23 Sep 2005 09:11:11 GMT
Subject: RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
Message-ID: <P1FZJ7BwFHA.580@TK2MSFTNGXA01.phx.gbl>
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
Lines: 306
Path: TK2MSFTNGXA01.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.webservices.enhancements:4962
NNTP-Posting-Host: tomcatimport2.phx.gbl 10.201.218.182
Thanks for your further follow-up, Asanford.
First, I agree with you that, from the article you provided:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
the WSE 2.0 policy assertion should allow a pure token assertion without
encrypting or signing. However, the current documentation and policy schema
of WSE 2.0 (SP3) seem to be inconsistent with that article. I'll contact
some other XML web services guys to see whether 2.0 really hasn't
implemented this, and I'll update you as soon as I get any news.
Thanks for your understanding.
Steven Cheng
Microsoft Online Support

Signature
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
Thread-Topic: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
thread-index: AcW/m2bHKLw4pJIESu20JFGpUW4VWg==
X-WBNR-Posting-Host: 65.115.47.2
From: "=?Utf-8?B?YXNhbmZvcmQ=?=" <asanford2000@hotmail.com>
References: <C3E577D9-8EC2-4894-8D7E-C6A4D077C984@microsoft.com>
<l3#guzyvFHA.580@TK2MSFTNGXA01.phx.gbl>
Subject: RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
Date: Thu, 22 Sep 2005 10:31:01 -0700
Lines: 89
Message-ID: <1E21A95B-39B1-425A-B633-36F289C1A0B4@microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.dotnet.framework.webservices.enhancements:4958
X-Tomcat-NG: microsoft.public.dotnet.framework.webservices.enhancements
Hi, Steven,
Thanks for your response. MSDN does seem to indicate that WSE 2.0 does in
fact support writing declarative policy files that support the SecurityToken
assertion (independent of the integrity and confidentiality assertions), in
the following article:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
- search the article for the phrase "Sending a UsernameToken".
So, I'm assuming that this article is correct, and I don't actually need to
check for the existence of the token in code (of course, I still would need
to write a custom token manager if I wanted to do custom authentication). I
was just curious if there was some way to author such a policy using the
editor, rather than hand-coding it. Any ideas?
BTW, I did try to create a hand-edited policy to enforce the SecurityToken
assertion, but I can't get it to work. Perhaps this means that WSE 2.0
doesn't support such policies, despite the article to the contrary?
Thanks!
> Hi Asanford,
>
[quoted text clipped - 3 lines]
> declarative based policy assertion only contains data encryption and data
> signing, and the SecurityToken assertion is also used together with those
> two (defined under the <integrity> or <confidentiality> element). There is
> no stand-alone element for Token Info assertion.
>
[quoted text clipped - 21 lines]
> From: "=?Utf-8?B?YXNhbmZvcmQ=?=" <asanford2000@hotmail.com>
> Subject: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Editor
> Date: Wed, 21 Sep 2005 10:28:04 -0700
> Lines: 8
[quoted text clipped - 18 lines]
>
> Using the WSE 2.0 (SP3) Configuration Editor, I can't seem to find a way to
> create a policy file with a SecurityToken assertion (I don't want encryption
> or signing.) Must I create this policy file by hand, or am I missing
> something?
>
> Thanks!