 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / January 2006WSE 3.0 Policy files
Hi all, I am using WSE 2.0 SP3 to send my request and receive the response across the wire to an web service. Currently I am mainitaining a single policy file (as used in the case of WSE Adapter 2.0 ) for all my communications The differentiator is that i specify the target uri and the SOAP action to let WSE know what action needs to be taken for the specific Web request or response. Now I want to use WSE 3.0. As you know, there is change in the Policy file schema is changed in WSE 3.0, so i need to migrate the polciy files to align with WSE 3.0. Can I achieve the same concept of a single policy file as i used to do earlier with WSE 2.0. But here how do i specify the for a particular URI and Particular action? I will be great if anyone of you can give out some pointers on the same or provide some other discussions realted to the same. Regards Immu This is an interesting question. Even though I love the new policy, I am also having issues with not knowing how to control the endpoint address, as we can in WCF, in config. Although I have not used the routing in wse, I think that you could leverage that to redirect your requests to the right server. You point all of your requests the address of the router, it inspects the message and forwards the message to the proper endpoint. This is not as simple as doing it all in the config, but I believe it will help you achieve your goal. Check for "How to Route Soap Messages Based on their Content" in the WSE 3 docs. hth julie > Hi all, > [quoted text clipped - 19 lines] > Regards > Immu Hi, In WSE 2.0, there was one policy file per application and that policy applied to all inbound and outbound messages. In that case, the URI was necessary to apply different security requirements. In WSE 3.0, you can have many policies and choose any of them at runtime, for example: MyServiceProxy p = new MyServiceProxy(); p.Url = myUrl; if(myUrl == "http://localhost/service1/service.asmx") p.SetPolicy("MyPolicy1"); else if(myUrl == http://localhost/service2/service.asmx p.SetPolicy("MyPolicy2"); The security requeriments for an action can be specified in the policy (Using the requestAction attribute) <kerberosSecurity requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature" requireDerivedKeys="true" ttlInSeconds="300"> <token> <!-- By default this sample does not work until you have changed the TargetMachineName value --> <!-- Change the TargetMachineName value to the machine name with the Web Service e.g. targetPrincipal="host/server1" --> <kerberos targetPrincipal="http/test" impersonationLevel="Impersonation" /> </token> <protection> <!--Default Action --> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> <protection requestAction="MyAction1"> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> <protection requestAction="MyAction2"> <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" /> <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" /> </protection> </kerberosSecurity> I hope this can help you. Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > This is an interesting question. Even though I love the new policy, I am > also having issues with not knowing how to control the endpoint address, [quoted text clipped - 38 lines] >> Regards >> Immu but then you have to hard code your endpoints :-( with the routing (which is more painful, for sure) at least it's configurable... > Hi, > In WSE 2.0, there was one policy file per application and that policy [quoted text clipped - 100 lines] >>> Regards >>> Immu Hi all, Thanks for your replies. I agree Julie, it is a pain in hardcoding the endpoints in your application. Currently i am using a application that is only takes in request and based in the endpoint uri, it applies the polices. The policy file looks something like this. Just an example <policyDocument XMLS> <mappings> <endpoint uri="http://xyz/wsewebservice/service1.ashx"> <operation requestAction="StringInStringOut"> <request policy="#-token1" /> <response policy="" /> <fault policy="" /> </operation> </endpoint> <endpoint uri="http://abc/wsews/service.ashx"> <operation requestAction="IntInIntOut"> <request policy="#-token2" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> </mappings> <policies XMLS DEFINITIONS> <wsp:Policy wsu:Id="token1"> </wsp:MessagePredicate> <wssp:Integrity wsp:Usage="wsp:Required" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wssp:TokenInfo> <OneOrMore xmlns="http://schemas.xmlsoap.org/ws/2002/12/policy"> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </OneOrMore> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> </wsp:Policy> <wsp:Policy wsu:Id="token2" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)</wsp:MessagePredicate> <wssp:Integrity wsp:Usage="wsp:Required" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wssp:TokenInfo> <OneOrMore xmlns="http://schemas.xmlsoap.org/ws/2002/12/policy"> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1 .0#UsernameToken</wssp:TokenType> </wssp:SecurityToken> </OneOrMore> </wssp:TokenInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts> </wssp:Integrity> <wssp:Confidentiality wsp:Usage="wsp:Required" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wssp:KeyInfo> <OneOrMore xmlns="http://schemas.xmlsoap.org/ws/2002/12/policy"> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:Claims> <wssp:SubjectName>CN=WSE2QuickStartClient</wssp:SubjectName> </wssp:Claims> </wssp:SecurityToken> </OneOrMore> </wssp:KeyInfo> <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts> </wssp:Confidentiality> </wsp:Policy> </policies> </policyDocument> Can I achieve this kind of flexibility in the policy file, using WSE 3.0 policy. Regards Immu Hi, The policies in WSE 3.0 are not as flexibles as the policies in WSE 2.0. WSE 3.0 uses a set of policies for fixed scenarios called turn-key scenarios. (i.e, UsernameForCertificate, Kerberos, MutualX509, etc). In this case, your policy matches the scenario UsernameForCertificate, which uses a UsernameToken as client token and a X509 Certificate as service token. (The client token is used as identity and the service token is used to protect the message) Regards, Pablo Cibraro http://weblogs.asp.net/cibrax http://www.lagash.com > Hi all, > [quoted text clipped - 94 lines] > Regards > Immu Hi All, Thanks for all your replies. I am aware of the Turnkey Security scenarios. But my concern here is 1. How do i specify the endpoint url this policy have to apply? 2. How do i specify the particular SoapMethod(SoapAction) policy have to apply? 3. Suppose i dont want to use any of thesame turnkey scenarios and still want adhere to my existing style of security. then how do i achieve it. It will be great if any one can pour out your valuable inputs on the same Regards Immu We have a similar issue with reliable messaging. We want to apply RM to some, but not all, of our messages. The policy change makes this more complicated in WSE3.  SignatureDr. R.A. Knutson Magenic Technologies > Hi All, > [quoted text clipped - 12 lines] > Regards > Immu Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.