Hi Howard,

Thank you for posting in the MSDN newsgroup.

From your description, you're developing an ASP.NET webservice which is
secured through the WSE 3.0 policy assertions. However, since there are
multiple client service consumers which may be authenticated against
different mode(username or kerberos token), you're wonding what is the
better means to applied both the two authentication mechanism into the your
server-side service, correct?

Based on my understanding, WSE policy assertion is statically bound to a
webservice at compilation time(for server-side service) and a single
service(an asmx endpoint)  can only  to configured to use a single
authentication mechanism.  

For your scenario, you have multiple client applications which will use
different security token for authentication(also you mentioned that some
client has already been released and hard to rebuild or redeploy), I think
you can consider creating two separate service endpoints(two asmx ), and
configure them to use different security policy respectively.

Also, since WSE's security feature (authenitcation, encrypting, signing )
is done at message level rather than transport level, it won't rely on the
underlying hosting environment(like IIS...), you can put the two service
endpoints in a single ASP.NET webservice application.

Just some of suggestion. If you have any other consideration or ideas,
please feel free to post here.

Regards,

Steven Cheng
Microsoft MSDN Online Support Lead

==================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

It is possible to create a policy choice assertion filter that can choose
among several configured policies. It is quite straightforward to implement.
While you can implement it, the lack of official support for such a mechanism
will probably mean a lack of support in tools and related technologies (e.g.,
attempting to exchange that security policy metadata is probably not going to
work using out-of-the-box tools). You can do it, but you'll be swimming
against the tide.

The support for multiple policies at a single endpoint was supported in some
earlier versions of WSE, where the policy description was much more complex,
but it was notably absent from the simplified turnkey security policy
mechanism in WSE 3.0.

Howard - how have you got on with this one?

I ran into this tonight and whilst both work great for me independently, i'd
rather just be able to say "if token is KerberosToken ... else if token is
UserToken ..."

I can see you can derive from SecurityPolicyAssertion, so cuold this not be
used to manually do this work depending on the token you are provided with?

Sounds like a heck of a lot of work, but the alernative of having
"internal.asmx" and "external.asmx" just doesn't feel right considering they
are the same "thing".

Sure, at the moment the differentiator is their authentication process, but
who know what other differentiators may come along and it sounds crazy to
create further endpoints to support this.

I'd rather (if possible) have something akin to a polymorphic security
assertion which is smart enough based on some config to use the "provider"
that does the security work (or whatever may come along). Then maybe i'm
missing something.

I'd be real interested in how you are getting/got on.

Regards,
Steven
http://stevenR2.com

Hi,
      I am also facing a simlar issue with a single web service that needs to support multiple policies. It would be helpful to know as to how you solved this.
Regrads,
Arun

Posted from http://www.topxml.com/renntp using reNNTP: the website based NNTP reader.