Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / ASP.NET / Web Services / March 2006

Tip: Looking for answers? Try searching our database.

Migrating WSE UsernameToken from 2.0 to 3.0

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Benjamin - 22 Mar 2006 12:33 GMT
Hi!

We implemented WSE Security in WSE 2.0 simply using a UsernameToken.

   Public Sub ConfigureProxy(ByVal proxy As WebServicesClientProtocol)
       'WS-Security: "Authentication" & "Authorization" with UsernameToken
(no need to send password because of signing below)
       Dim token As UsernameToken = New UsernameToken(Me.txtUsername.Text,
Me.txtPassword.Text, PasswordOption.SendNone)
       proxy.RequestSoapContext.Security.Tokens.Add(token)

       'WS-Security: "Signing" with UsernameToken (keep message integrity)
       Dim derivedToken As New DerivedKeyToken(token)
       proxy.RequestSoapContext.Security.Tokens.Add(derivedToken)
       proxy.RequestSoapContext.Security.Elements.Add(New
MessageSignature(derivedToken))

       'WS-Security: "Encryption" with UsernameToken (ensure
confidentiality, not "very" secure)
       proxy.RequestSoapContext.Security.Elements.Add(New
EncryptedData(derivedToken))
   End Sub

VS2005 says gives the error "SoapContext.Security is obsolete. Consider
deriving from SendSecurityFilter or ReceiveSecurityFilter and creating a
custom policy that generates these filters."

How to upgrade this code in practice?

Best regards
Benjamin
Reply to this Message
Pablo Cibraro - 22 Mar 2006 14:42 GMT
Hi Benjamin,

WSE 3.0 provides something called turn-key assertions for common security
scenarios.
The scenario that you are using (Encrypting the message with a
UsernameToken) is not supported by those turn-key assertions.
As a result, you need to develop a custom security assertion. If you do not
want to do this, then you should use the assertion "UsernameForCertificate".
(There is a quickstart in the WSE code that shows how to use this
assertion).

This article in my weblog gives a brief description about the WSE
architecture and how to build a custom security assertion.

http://weblogs.asp.net/cibrax/archive/2005/07/19/419921.aspx

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

> Hi!
>
[quoted text clipped - 27 lines]
> Best regards
> Benjamin
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.