
.NET Forum / ASP.NET / Web Services / April 2006


Role Based Security

Mark - 10 Apr 2006 00:50 GMT
I wrote a sample application using the document http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/wserolebasedsec.asp

Now I would like to write something similar for WSE 3.0 and I can't find any simple coding information on what is required. I would like to see how to secure a simple HelloWorld web service using X509v3 and username tokens. I believe what I need is the usernameForCertificate security assertion, but I do not know what code needs to be written. I have already added the following attributes to the web service. I'm at a loss to figure out what is needed next. Please help?

using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;

[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy("ClientPolicy")]
public class Service : System.Web.Services.WebService
{
    public Service () {
        //Uncomment the following line if using designed components
        //InitializeComponent();
    }

    [WebMethod]
    public string HelloWorld() {
        return "Hello World";
    }
}

Steven Cheng[MSFT] - 10 Apr 2006 08:12 GMT
Hi Mark,

Welcome to the MSDN newsgroup.

Regarding role-based security through username authentication over a
certificate-secured channel, I think your consideration of using the
"usernameForCertificate" assertion is correct.

#<usernameForCertificateSecurity> Element
http://msdn.microsoft.com/library/en-us/wse3.0/html/17147edb-2682-4aee-b73c-b9775e11261d.asp?frame=true

Also, there is an existing sample project demonstrating the
usernameForCertificate assertion in WSE 3.0's QuickStart samples. I think
you can find it in your WSE 3.0 installation directory. Generally, each of
the sample applications in it contains two programs: one using the
declarative style (configuring the security in the config file), and another
using the programming style, which does the security work through code:

#WSE QuickStarts
http://msdn.microsoft.com/library/en-us/wse3.0/html/4f3d3030-0e8b-41cb-9db8-205df18fc6b9.asp?frame=true

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support

==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Signature

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Mark - 10 Apr 2006 18:45 GMT
Is there a specific writeup on the usernameForCertificate sample?  I have
not found any specific documentation on it.   Can you recommend a book that
covers the specifics of WSE 3.0 with C# code?
Martin Kulov [MVP] - 10 Apr 2006 21:30 GMT
> Is there a specific writeup on the usernameForCertificate sample?  I have
> not found any specific documentation on it.   Can you recommend a book
> that covers the specifics of WSE 3.0 with C# code?

Hi Mark,

You would probably find WSE 3 Hands On Lab - Security [1] very useful, and
there is indeed an example of how to use the WSE Security mechanism. Also, many
samples are available in the Samples directory where WSE is installed.

[1]
http://www.microsoft.com/downloads/details.aspx?FamilyID=9acd1f8e-97e2-43e2-b484-a74a014a8206&DisplayLang=en

Mark - 10 Apr 2006 22:48 GMT
The WSSecurityUsernamePolicyService quickstart requires a client-provided UserNameToken, and an X509v3 server certificate, WSE2QuickStartServer, is used for signing the SOAP message. Is the certificate used for anything else but signing and encryption of the message? Then on the web service, UserNameTokenManager gets the username token and validates it. Is this correct?
Steven Cheng[MSFT] - 11 Apr 2006 10:02 GMT
Thanks for your response Mark,

As for the UsernameForCertificate assertion sample, it uses the username token
as the security token for authentication. And for the web service's message
transport security, it uses a certificate to secure the SOAP message (we can
choose to sign or encrypt the message). The QuickStart sample provides two
certificates which can be used for testing.

Regards,

Steven Cheng
Microsoft Online Community Support


Mark - 11 Apr 2006 23:21 GMT
In setting up my own HelloWorld Web Service I have the service configured
via the policy settings tool and the client in code.   I'm getting an error
on the line

serviceProxy.SetPolicy (policy);

Error 4 'HelloWorldClient.HelloWorldService.Service' does not contain a definition for 'SetPolicy' C:\Documents and Settings\mpayne.DAESOFT.000\My Documents\Visual Studio 2005\Projects\HelloWorldWebService\HelloWorldClient\Program.cs 84 26 HelloWorldClient

What am I missing?
Steven Cheng[MSFT] - 12 Apr 2006 12:08 GMT
Hi Mark,

You mean it reports a compile-time error on the client proxy's SetPolicy
method? If so, have you checked whether WSE has been enabled for the
client? Also, you can check the generated proxy code to see whether
the WSE-specific proxy is correctly generated.

Regards,

Steven Cheng
Microsoft Online Community Support


Mark - 13 Apr 2006 21:11 GMT
My usernameForCertificate HelloWorld web service and client are working as I
expect.   On the Server side, within the web service how do I access the
userNameToken and X509SecurityToken?
Steven Cheng[MSFT] - 14 Apr 2006 11:19 GMT
Hi Mark,

For accessing the security token on the server side, you can use the following
means:

UsernameToken token = RequestSoapContext.Current.Credentials.UltimateReceiver.GetClientToken<UsernameToken>();

Also, this works when you don't establishSecurityContext in the WSE
configuration; if so, we should use the

RequestSoapContext.Current.Credentials.GetSecurityContextToken();

to get the token since it is cached in the security context. Here is a
former thread that also mentioned this:

http://groups.google.com/group/microsoft.public.dotnet.framework.aspnet.webservices/browse_thread/thread/6ac8bc84e9e14915/7555e653d6f8f9e0?lnk=st&q=webservice+Steven+Cheng+UltimateReceiver&rnum=1&hl=en#7555e653d6f8f9e0

Hope this helps.

Regards,

Steven Cheng
Microsoft Online Community Support
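
Added example, not part of the thread and not taken from the WSE QuickStarts: a server-side role check built on the GetClientToken<UsernameToken>() call quoted above, with a custom UsernameTokenManager that attaches roles to the token. The class name DemoUsernameTokenManager, the policy name "ServerPolicy", the role "Greeters" and the sample accounts are assumptions made for illustration; the manager is assumed to be registered under <securityTokenManager> in the service's web.config.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Hypothetical token manager: WSE calls it for each incoming UsernameToken
// once it is registered under <securityTokenManager> in web.config.
public class DemoUsernameTokenManager : UsernameTokenManager
{
    // Constructed sample accounts: user -> { password, role }.
    // A real service would query its credential store instead.
    static readonly Dictionary<string, string[]> Users = new Dictionary<string, string[]>
    {
        { "alice", new string[] { "constructed-password-1", "Greeters" } },
        { "bob",   new string[] { "constructed-password-2", "Guests" } }
    };

    // WSE compares the returned password with the one in the client's token.
    protected override string AuthenticateToken(UsernameToken token)
    {
        string[] entry;
        if (!Users.TryGetValue(token.Username, out entry))
            throw new ApplicationException("Unknown user.");
        // Attach the user's roles so web methods can call IsInRole later.
        token.Principal = new GenericPrincipal(
            new GenericIdentity(token.Username), new string[] { entry[1] });
        return entry[0];
    }
}

[WebService(Namespace = "http://tempuri.org/")]
[Policy("ServerPolicy")] // assumed name of the usernameForCertificate policy
public class Service : WebService
{
    [WebMethod]
    public string HelloWorld()
    {
        UsernameToken token = RequestSoapContext.Current.Credentials
            .UltimateReceiver.GetClientToken<UsernameToken>();
        // Fail closed: a missing token or principal means no access.
        if (token == null || token.Principal == null || !token.Principal.IsInRole("Greeters"))
            throw new SoapException("Access denied.", SoapException.ClientFaultCode);
        return "Hello " + token.Principal.Identity.Name;
    }
}
```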
