I must be really stupid or something, because I cannot get this to work at
all.

I have the following in my policy file:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">

<extensions>

<extension name="authorization"
type="Microsoft.Web.Services3.Design.AuthorizationAssertion,
Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" />

<extension name="compressionAssertion"
type="Evolution.Web.Services.CompressionAssertion, Evolution.Web.Services"/>

<extension name="usernameAssertion"
type="Evolution.Web.Services.UsernameServiceAssertion,
Evolution.Web.Services" />

<extension name="wse3Trace" type="WSETracingFilter.WSEFilterAssertion,
WSETracingFilter, Version=3.0.0.0, Culture=neutral,
PublicKeyToken=aa253a6b9020c4eb"/>

</extensions>

<policy name="RegistrationPolicy">

<authorization>

<allow role="Registration"/>

<deny role="*"/>

</authorization>

<protection>

<request signatureOptions="IncludeAddressing, IncludeTimestamp,

IncludeSoapBody" encryptBody="true" />

<response signatureOptions="IncludeAddressing, IncludeTimestamp,

IncludeSoapBody" encryptBody="true" />

<fault signatureOptions="IncludeAddressing, IncludeTimestamp,

IncludeSoapBody" encryptBody="false" />

</protection>

<requireActionHeader />

<compressionAssertion compressionMode="BZip2" compressionLevel="Maximum"
threshold="128"/>

<usernameAssertion />

</policy>

</policies>

I use my own usernameAssertion that works great so long as the person passes
the assertion with the web service request. However if the person just goes
into their browser and navigates to the web service's page, even with the
stuff at the top for authorization, it merrily allows access and processes
the request no problem.

I really really really need to get this working so that you have to pass
credentials and the documentation is ZERO HELP.  What am I doing wrong? My
security assertion that I wrote simply never gets called in the case where
the user uses their browser for the request.  The authorization stuff in my
policy file does ABSOLUTELY NOTHING as far as I can tell. What gives?

All I want is to force it to use my custom assertion at all times, no matter
what. I don't give a damn about roles or anything like that, all I care is
that the user validates against my login and password table with a
UserNameToken. Nothing else. Even my UserNameTokenManager doesn't get called
at all when the requst is from a web browser.

Are there any samples to getting this stuff working? Any very specific
suggestions on what I'm doing wrong and how to specfically fix it? Anything,
please.  WSE is about as easy as quantum mechanics while you've got a 3.0%
blood alcohol reading. And that's when you're sober, which this stuff makes
you want to go out and drink!

Please help,

James Hancock