WSE 3.0 UsernameToken SendNone problem

Ugur KARATAS - 04 Apr 2006 17:16 GMT
I implemented a web service with WSE 3.0.

For a security requirement, I used a custom UsernameToken that looks up passwords
from the database.

Anyway, here are the cases when I test the web method from the client:

1-) Direct Call:
[code]
WSETest.ServiceWse service = new WSETest.ServiceWse();
try
{
    string result = service.TestMethod("sample message text");
    MessageBox.Show(result);
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
[code]
This works perfectly, giving no username token exception.

2-) Call With Token (SendPlainText):
[code]
WSETest.ServiceWse service = new WSETest.ServiceWse();

try
{
    // SendPlainText: the password is sent in the token as clear text
    UsernameToken token = new UsernameToken(textBoxUsername.Text,
        textBoxPassword.Text, PasswordOption.SendPlainText);

    service.SetPolicy("Client");
    service.SetClientCredential(token);

    string result = service.TestMethod("sample message text");
    MessageBox.Show(result);
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
[code]
This works perfectly: when the client supplies a correct username/password pair
it returns the web method result, otherwise it returns a logon failure.

3-) Call With Token (SendNone):
[code]
WSETest.ServiceWse service = new WSETest.ServiceWse();

try
{
    // SendNone: no password is sent in the token
    UsernameToken token = new UsernameToken(textBoxUsername.Text,
        textBoxPassword.Text, PasswordOption.SendNone);

    service.SetPolicy("Client");
    service.SetClientCredential(token);

    string result = service.TestMethod("sample message text");
    MessageBox.Show(result);
}
catch (Exception ex)
{
    MessageBox.Show(ex.Message);
}
[code]
The problem is here: the web method works perfectly, without any login
exception, even without a correct username/password pair.
I could not imagine the problem. I am trying to increase the security level of
the service with the SendNone option.
Pablo Cibraro - 04 Apr 2006 19:39 GMT
Hi,

The default UsernameTokenManager provided by WSE only supports the option
"SendPlainText".
If you want to support another option, you will have to develop a custom
UsernameTokenManager.

You can find some good samples about how to develop custom username token
managers here (Web Service Security Patterns project):

http://www.gotdotnet.com/codegallery/codegallery.aspx?id=67f659f6-9457-4860-80ff-0535dffed5e6


Regards,
Pablo Cibraro.
http://weblogs.asp.net/cibrax

Ugur KARATAS - 04 Apr 2006 20:57 GMT
Thanks Pablo for your quick response.

I almost write custom UsernameTokenManager. Check below.
[code]
protected override string AuthenticateToken(UsernameToken token)
{
    // Sample only: the same password is returned for every user
    return "Test";
}
[code]
Of course this is a sample application and the password is always "Test".

Anyway, the problem still exists :(

Pablo Cibraro - 04 Apr 2006 22:34 GMT
That is really strange. Did you configure that token manager in the
web.config file? I mean, is WSE calling your custom token manager?

Thanks
Pablo.

Ugur KARATAS - 05 Apr 2006 06:42 GMT
Of course, look at the configurations below.

And please remember, the service is working as expected in two cases:
   For a tokenless SOAP call, it throws an exception.
   With a UsernameToken whose password option is set to SendPlain or
SendHashed.

Till now everything is perfect. But when I call the web method with a
UsernameToken and set the password option to SendNone, the server side does not
check the credentials.

I think the problem is in my mind, about the SendNone concept.

I assume that when I choose the SendNone option, WSE creates a username token
hashed with the password on the client.
When this token comes to the server, the service uses the shared secret (the
password in this case) to resolve the hashed username token.
If the nonce, timestamps etc. are correct, the server accepts this UsernameToken
as valid.

As a result, there is no security check in my service when calling with a
username token whose password option is set to SendNone :(

Here are the server-side settings:
[code]
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="Server">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>
[code]

Here is the Web.Config setting:
[code]
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="microsoft.web.services3"
             type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <system.web>
    <webServices>
      <protocols>
        <clear />
        <add name="HttpSoap12" />
        <add name="HttpSoap" />
        <add name="Documentation" />
      </protocols>
      <soapExtensionImporterTypes>
        <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </soapExtensionImporterTypes>
      <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </webServices>
    <compilation>
      <assemblies>
        <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
  </system.web>
  <microsoft.web.services3>
    <security>
      <securityTokenManager>
        <add type="CustomUsernameTokenManager"
             namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
             localName="UsernameToken" />
      </securityTokenManager>
    </security>
    <policy fileName="wse3policyCache.config" />
    <diagnostics>
      <trace enabled="true"
             input="C:\Documents and Settings\Lopuhov\My Documents\Visual Studio 2005\Projects\Lopuhov.WSE.Reference\input.webinfo"
             output="C:\Documents and Settings\Lopuhov\My Documents\Visual Studio 2005\Projects\Lopuhov.WSE.Reference\output.webinfo" />
      <detailedErrors enabled="true" />
    </diagnostics>
  </microsoft.web.services3>
</configuration>
[code]

And here are the client-side settings:
[code]
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="Client">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>
[code]

