.NET Forum / ASP.NET / Web Services / February 2006

WSE 3.0 Username basic question

BrookHeat - 21 Feb 2006 15:21 GMT
Hello,

I want to restrict access to an ASP.NET web service using a WS-Security
Username and password.  I'm *not* using SSL, certificates, Kerberos, Windows
accounts, or anything of the kind.  I simply want to 1) detect whether or not
the <wsse:UsernameToken> element is present.  If not, automatically reject
the request.  If so, check for an acceptable password.

To accomplish this, I've written a custom UsernameTokenManager, which looks
like this:

Imports Microsoft.VisualBasic
Imports Microsoft.Web.Services3.Security.Tokens

Namespace Brook

   ' Custom token manager registered in web.config under <securityTokenManager>.
   ' WSE calls AuthenticateToken for every incoming <wsse:UsernameToken>.
   Public Class MyUserNameTokenManager
       Inherits UsernameTokenManager

       ' Returns the password WSE should expect for the supplied username;
       ' WSE compares it against the password carried in the token.
       Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
           Dim blah As String
           blah = ""
           If token.Username = "brook" Then
               blah = "monkey"
           End If
           Return blah
       End Function
   End Class

End Namespace

Furthermore, I have updated my web.config file with the following:

<security>
     <securityTokenManager>
       <add type="Brook.MyUserNameTokenManager"
namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" localName="UsernameToken" qname="wsse:UsernameToken" />
     </securityTokenManager>
</security>

Now, the good news is that this works flawlessly - a client sending a request
to the service with an incorrect username/password is returned an error.  The
problem is that clients sending requests with *no* WS-Security information
(just a plain old SOAP message) are allowed through.

How do I configure my service to reject messages that are missing the
<wsse:UsernameToken> security information in the soap header?  I'm thinking
the answer might be in the use of a policy file, but I haven't had any
success on this front.

Thanks

Brook
Pablo Cibraro - 21 Feb 2006 17:39 GMT
Hi Brook,

You should add an authorization assertion to the policy assigned to the web
service.
Something like this:

<policy name="usernameTokenSecurity">
   <authorization>
     <allow role="SomeRole"/>
   </authorization>
   <usernameForCertificateSecurity establishSecurityContext="true"
renewExpiredSecurityContext="false" requireSignatureConfirmation="false"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
requireDerivedKeys="true" ttlInSeconds="60">
     <serviceToken>
       <x509 storeLocation="LocalMachine" storeName="My"
findValue="CN=WSE2QuickStartServer"
findType="FindBySubjectDistinguishedName" />
     </serviceToken>
     <protection>
       <request signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <response signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="true" />
       <fault signatureOptions="IncludeAddressing, IncludeTimestamp,
IncludeSoapBody" encryptBody="false" />
     </protection>
   </usernameForCertificateSecurity>
   <requireActionHeader />
 </policy>

In this case, only the users assigned to the role "SomeRole" will be able to
execute the service. The authorization assertion also supports user names
instead of roles.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

BrookHeat - 21 Feb 2006 18:35 GMT
Pablo

Thanks for the suggestion; however, I do not wish to use certificates, nor
do I wish to use any form of Windows authentication.  I only want to use
WS-Security usernames and passwords; i.e. <wsse:UsernameToken> and
<wsse:Password> in the <wsse:Security> tag.  The message should be rejected
if <wsse:Security> tags are missing; it should also be rejected if the
username and password don't match.  That is why I went with the custom
UsernameTokenManager.

Thanks

Brook
Pablo Cibraro - 21 Feb 2006 19:31 GMT
Ok, use the UsernameOverTransport assertion + Authorization assertion + your
Custom username token manager.

Does it make sense?

Regards,
Pablo.

BrookHeat - 21 Feb 2006 19:56 GMT
Pablo

Your tip pointed me in the right direction; it turns out that all I need is
the UsernameOverTransport assertion + Custom UsernameTokenManager.

My web.config looks like this:

<microsoft.web.services3>
   <security>
     <securityTokenManager>
       <add type="Brook.MyUsernameTokenManager"
            namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            localName="UsernameToken" />
     </securityTokenManager>
   </security>
   <policy fileName="wse3policyCache.config" />
</microsoft.web.services3>

And my policy file:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion,
                     Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
                     PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="BrookSecurityPolicy">
    <usernameOverTransportSecurity />
  </policy>
</policies>

This configuration did exactly what I wanted - rejected anything that didn't
have a wsse:UsernameToken tag in the SOAP header, and only allowed valid
username/password combinations.

Interestingly enough, the authorization assertion caused all kinds of
problems (perhaps because I was connecting to the service from a Java
client), but getting rid of it didn't seem to hurt me.

Thanks again for the help!

Brook
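The two behaviours the thread ends up with (reject any request with no wsse:UsernameToken, then accept only a valid username/password pair) as an added, stand-alone Python example. It is not WSE code and not from this thread: it parses a SOAP 1.1 envelope directly, so the check that WSE's UsernameOverTransport assertion and the custom UsernameTokenManager perform between them is visible in one place. It also goes slightly beyond the thread by handling the profile's PasswordDigest form (Base64(SHA-1(nonce + created + password))) with a freshness window, not just PasswordText. The credential store, the sample envelopes, the HelloWorld body and every function name are constructed here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces from SOAP 1.1 and the WS-Security 1.0 UsernameToken profile.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
PROFILE = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0")
PASSWORD_TEXT = PROFILE + "#PasswordText"
PASSWORD_DIGEST = PROFILE + "#PasswordDigest"

# Constructed credential store, standing in for the lookup a custom
# UsernameTokenManager.AuthenticateToken would perform.
CREDENTIALS = {"brook": "monkey"}


class RejectMessage(Exception):
    """The request is refused before the service method ever runs."""


def parse_utc(stamp):
    """Parse a wsu:Created style timestamp such as 2006-02-21T15:21:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def password_digest(nonce_b64, created, password):
    """Base64(SHA-1(nonce + created + password)), as the profile defines it."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def authenticate(envelope_xml, now=None, max_skew=timedelta(minutes=5)):
    """Return the authenticated username or raise RejectMessage.

    The first test is the one the thread's initial setup lacked: a message
    with no wsse:Security / wsse:UsernameToken is rejected outright.
    """
    root = ET.fromstring(envelope_xml)
    path = f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken"
    token = root.find(path)
    if token is None:
        raise RejectMessage("no wsse:UsernameToken in the SOAP header")
    user_el = token.find(f"{{{WSSE_NS}}}Username")
    pw_el = token.find(f"{{{WSSE_NS}}}Password")
    if user_el is None or pw_el is None or not user_el.text:
        raise RejectMessage("UsernameToken lacks Username or Password")
    expected = CREDENTIALS.get(user_el.text)
    if expected is None:
        raise RejectMessage("username/password rejected")
    supplied = (pw_el.text or "").encode()
    ptype = pw_el.get("Type", PASSWORD_TEXT)  # profile default is PasswordText
    if ptype == PASSWORD_TEXT:
        ok = hmac.compare_digest(supplied, expected.encode())
    elif ptype == PASSWORD_DIGEST:
        nonce_el = token.find(f"{{{WSSE_NS}}}Nonce")
        created_el = token.find(f"{{{WSU_NS}}}Created")
        if nonce_el is None or created_el is None or not nonce_el.text or not created_el.text:
            raise RejectMessage("digest token lacks Nonce or Created")
        # A freshness window bounds how long a captured digest token stays usable.
        clock = parse_utc(now) if now else datetime.now(timezone.utc)
        if abs(clock - parse_utc(created_el.text)) > max_skew:
            raise RejectMessage("wsu:Created outside the accepted window")
        ok = hmac.compare_digest(
            supplied, password_digest(nonce_el.text, created_el.text, expected).encode())
    else:
        raise RejectMessage("unsupported wsse:Password Type")
    if not ok:
        raise RejectMessage("username/password rejected")
    return user_el.text


def decide(envelope_xml, now=None):
    """Wrap authenticate() as an (outcome, detail) pair."""
    try:
        return ("accepted", authenticate(envelope_xml, now=now))
    except RejectMessage as err:
        return ("rejected", str(err))


def build_envelope(username=None, password=None, digest=False,
                   nonce=b"\x00\x01\x02\x03\x04\x05\x06\x07",
                   created="2006-02-21T15:21:00Z"):
    """Constructed sample request. With username=None it is the plain SOAP
    message (no wsse:Security at all) that the first configuration let through."""
    security = ""
    if username is not None:
        nonce_b64 = base64.b64encode(nonce).decode("ascii")
        if digest:
            pw_xml = (f'<wsse:Password Type="{PASSWORD_DIGEST}">'
                      f'{password_digest(nonce_b64, created, password)}</wsse:Password>'
                      f'<wsse:Nonce>{nonce_b64}</wsse:Nonce>'
                      f'<wsu:Created>{created}</wsu:Created>')
        else:
            pw_xml = f'<wsse:Password Type="{PASSWORD_TEXT}">{password}</wsse:Password>'
        security = (f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
                    f'<wsse:UsernameToken><wsse:Username>{username}</wsse:Username>'
                    f'{pw_xml}</wsse:UsernameToken></wsse:Security>')
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>{security}</soap:Header>'
            '<soap:Body><HelloWorld xmlns="http://tempuri.org/"/></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    print(decide(build_envelope()))                    # plain SOAP, no token: rejected
    print(decide(build_envelope("brook", "monkey")))   # accepted
    print(decide(build_envelope("brook", "wrong")))    # rejected
    print(decide(build_envelope("brook", "monkey", digest=True), now="2006-02-21T15:22:00Z"))
```

One design difference from the WSE convention is worth noting: the custom manager in the thread returns the stored password and lets WSE do the comparison, whereas this example compares itself, using hmac.compare_digest so that a wrong password and a wrong digest fail in constant time. Without transport protection, the PasswordText form sends the password in the clear and the digest form is what the profile offers instead, which is why the example accepts both and gates the digest on wsu:Created.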
