.NET Forum / ASP.NET / Web Services / September 2004


How to secure specific web service from client side (WSE 2.0 SP1)

Nikhil Ukidwe - 23 Aug 2004 14:30 GMT
I have a client talking with three different web services. I want to secure
the communication for only one web service. Since the WSE tool doesn't allow
me to mention an endpoint URI on the client side, I have manually changed the
policyCache.config file from:

<defaultEndpoint>
     <defaultOperation>
       <request policy="#Sign-X.509-Encrypt-X.509-8" />
       <response policy="#Sign-X.509-Encrypt-X.509-9" />
       <fault policy="" />
     </defaultOperation>
</defaultEndpoint>

To:

<endpoint uri="http://localhost/MyService1/MyService1.asmx">
     <defaultOperation>
       <request policy="#Sign-X.509-Encrypt-X.509-8" />
       <response policy="#Sign-X.509-Encrypt-X.509-9" />
       <fault policy="" />
     </defaultOperation>
</endpoint>

I thought this would secure the communication only between the client and
the "MyService1" web service, but it throws this exception:

Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402: The message does not conform to the policy it was mapped to.
   at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.VerifyMessageWithExpression(PolicyExpression expression, SoapEnvelope message, EndpointReference endpoint, String action, Uri requestEndpoint)
   at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.Verify(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyManager.Verify(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyVerificationInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)

What should I do to secure the communication in this case? Is there any
specific way to secure only one web service communication among many web
services?
Jeffrey Hasan - 23 Aug 2004 18:22 GMT
I would use WSE 2.0 to implement a secure conversation between the client
and the one Web service that requires secured communication. This seems like
a perfect application of the secure conversation model. My book covers
secure conversation, but there are also a number of online references.

Good luck,

Jeffrey Hasan, MCSD
President, Bluestone Partners, Inc.
-----------------------------------------------
Author of: Expert SOA in C# Using WSE 2.0 (APress, 2004)
http://www.bluestonepartners.com/soa.aspx

Lucien - 23 Aug 2004 18:54 GMT
This should work. The error message rather indicates an issue with the
policy. I see a typo below: X.509-8 but that's probably not the cause since
the error is on the response. However are you sure the response message is
signed correctly with the X509 token? If you are please post the entire
policy. You can turn on policy tracing to get more detailed info on the
failure (it's in WSE 2.0 Settings tool / diagnostics).

Nikhil Ukidwe - 25 Aug 2004 12:33 GMT
I checked the policy tracing and found that the outgoing message from the
client side is neither signed nor encrypted. It's a plain-text message, and
hence the exception is thrown on the response.
I am sending the entire client-side policy file:

============================================================================
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
 <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
   <!--The following policy describes the policy requirements for all
       services who do not have a mapping in this file.-->
   <endpoint uri="http://localhost/MyService1/MyService1.asmx">
     <defaultOperation>
       <request policy="#Sign-X.509-Encrypt-X.509-8" />
       <response policy="#Sign-X.509-Encrypt-X.509-9" />
       <fault policy="" />
     </defaultOperation>
   </endpoint>
   <!--<defaultEndpoint>
     <defaultOperation>
       <request policy="#Sign-X.509-Encrypt-X.509-8" />
       <response policy="#Sign-X.509-Encrypt-X.509-9" />
       <fault policy="" />
     </defaultOperation>
   </defaultEndpoint>-->
 </mappings>
 <policies
   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
   xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
   xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
   xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
   <wsp:Policy wsu:Id="Sign-X.509-Encrypt-X.509-8">
     <!--MessagePredicate is used to require headers. This assertion should
         be used along with the Integrity assertion when the presence of the
         signed element is required. NOTE: this assertion does not do anything
         for enforcement (send-side) policy.-->
     <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
     <!--The Integrity assertion is used to ensure that the message is
         signed with X.509. Many Web services will also use the token for
         authorization, such as by using the <wse:Role> claim or specific
         X.509 claims.-->
     <wssp:Integrity wsp:Usage="wsp:Required">
       <wssp:TokenInfo>
         <!--The SecurityToken element within the TokenInfo element
             describes which token type must be used for Signing.-->
         <wssp:SecurityToken>
           <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
           <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
           <wssp:Claims>
             <!--By specifying the SubjectName claim, the policy system can
                 look for a certificate with this subject name in the
                 certificate store indicated in the application's
                 configuration, such as LocalMachine or CurrentUser. The WSE
                 X.509 Certificate Tool is useful for finding the correct
                 values for this field.-->
             <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
             <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
           </wssp:Claims>
         </wssp:SecurityToken>
       </wssp:TokenInfo>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
     </wssp:Integrity>
     <!--The Confidentiality assertion is used to ensure that the SOAP Body
         is encrypted.-->
     <wssp:Confidentiality wsp:Usage="wsp:Required">
       <wssp:KeyInfo>
         <!--The SecurityToken element within the KeyInfo element describes
             which token type must be used for Encryption.-->
         <wssp:SecurityToken>
           <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
           <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
           <wssp:Claims>
             <!--By specifying the SubjectName claim, the policy system can
                 look for a certificate with this subject name in the
                 certificate store indicated in the application's
                 configuration, such as LocalMachine or CurrentUser. The WSE
                 X.509 Certificate Tool is useful for finding the correct
                 values for this field.-->
             <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
             <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
           </wssp:Claims>
         </wssp:SecurityToken>
       </wssp:KeyInfo>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
     </wssp:Confidentiality>
   </wsp:Policy>
   <wsp:Policy wsu:Id="Sign-X.509-Encrypt-X.509-9">
     <!--MessagePredicate is used to require headers. This assertion should
         be used along with the Integrity assertion when the presence of the
         signed element is required. NOTE: this assertion does not do anything
         for enforcement (send-side) policy.-->
     <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
     <!--The Integrity assertion is used to ensure that the message is
         signed with X.509. Many Web services will also use the token for
         authorization, such as by using the <wse:Role> claim or specific
         X.509 claims.-->
     <wssp:Integrity wsp:Usage="wsp:Required">
       <wssp:TokenInfo>
         <!--The SecurityToken element within the TokenInfo element
             describes which token type must be used for Signing.-->
         <wssp:SecurityToken>
           <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
           <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
           <wssp:Claims>
             <!--By specifying the SubjectName claim, the policy system can
                 look for a certificate with this subject name in the
                 certificate store indicated in the application's
                 configuration, such as LocalMachine or CurrentUser. The WSE
                 X.509 Certificate Tool is useful for finding the correct
                 values for this field.-->
             <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
             <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
           </wssp:Claims>
         </wssp:SecurityToken>
       </wssp:TokenInfo>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
     </wssp:Integrity>
     <!--The Confidentiality assertion is used to ensure that the SOAP Body
         is encrypted.-->
     <wssp:Confidentiality wsp:Usage="wsp:Required">
       <wssp:KeyInfo>
         <!--The SecurityToken element within the KeyInfo element describes
             which token type must be used for Encryption.-->
         <wssp:SecurityToken>
           <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
           <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
           <wssp:Claims>
             <!--By specifying the SubjectName claim, the policy system can
                 look for a certificate with this subject name in the
                 certificate store indicated in the application's
                 configuration, such as LocalMachine or CurrentUser. The WSE
                 X.509 Certificate Tool is useful for finding the correct
                 values for this field.-->
             <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
             <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
           </wssp:Claims>
         </wssp:SecurityToken>
       </wssp:KeyInfo>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
     </wssp:Confidentiality>
   </wsp:Policy>
 </policies>
</policyDocument>
============================================================================

Lucien - 26 Aug 2004 22:09 GMT
Most likely the mapping didn't match. Does the wsa:To header have the value
"http://localhost/MyService1/MyService1.asmx"?
Note that you have 'localhost', so the policy would not get applied if the
service is not on the local machine. You have to add a 'hostname' mapping to
make it work for another machine (add 2 entries if you want both localhost
and machine name to work).

Also the policy tracing gives a more detailed log how policy was applied.
You can turn it on using the settings tool (diagnostics tab).

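A small checker for the two failure causes Lucien names in this thread: a wsa:To value that matches no endpoint mapping (so no policy is applied and the request goes out in plain text, which is what the policy trace showed), and a mapping that references a policy id not declared under <policies>. This is an added example, not code from the thread or from WSE; the embedded policyCache.config is a constructed, cut-down copy of the client file posted above, and the exact-string matching rule is an assumption drawn from Lucien's 'localhost vs. machine name' diagnosis rather than from WSE documentation.

```python
"""Lint a WSE 2.0 policyCache.config: which policy set a message addressed to
a given wsa:To would be mapped to, and whether every referenced policy id is
actually declared under <policies>."""
import xml.etree.ElementTree as ET

WSE = "http://schemas.microsoft.com/wse/2003/06/Policy"
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, cut-down copy of the client policyCache.config from the thread:
# one explicit <endpoint> mapping and no <defaultEndpoint>. Only policy -8 is
# declared here so that the dangling-reference check has something to report.
POLICY_CACHE = f"""<policyDocument xmlns="{WSE}">
 <mappings>
   <endpoint uri="http://localhost/MyService1/MyService1.asmx">
     <defaultOperation>
       <request policy="#Sign-X.509-Encrypt-X.509-8" />
       <response policy="#Sign-X.509-Encrypt-X.509-9" />
       <fault policy="" />
     </defaultOperation>
   </endpoint>
 </mappings>
 <policies xmlns:wsp="{WSP}" xmlns:wsu="{WSU}">
   <wsp:Policy wsu:Id="Sign-X.509-Encrypt-X.509-8" />
 </policies>
</policyDocument>"""

def _operation_policies(node):
    """Map request/response/fault -> policy id ('' when no policy is set)."""
    op = node.find(f"{{{WSE}}}defaultOperation")
    if op is None:
        return {}
    return {child.tag.split("}")[1]: child.get("policy", "").lstrip("#")
            for child in op}

def load_policy_cache(xml_text):
    """Return (endpoint mappings, defaultEndpoint mapping or None, declared ids)."""
    root = ET.fromstring(xml_text)
    mappings = {ep.get("uri"): _operation_policies(ep)
                for ep in root.iter(f"{{{WSE}}}endpoint")}
    dflt = root.find(f"{{{WSE}}}mappings/{{{WSE}}}defaultEndpoint")
    default = _operation_policies(dflt) if dflt is not None else None
    declared = {p.get(f"{{{WSU}}}Id") for p in root.iter(f"{{{WSP}}}Policy")}
    return mappings, default, declared

def resolve(mappings, default, wsa_to):
    """Policy set applied to a message addressed to wsa_to, or None when nothing
    matches. Assumption: exact string comparison of wsa:To against the endpoint
    uri, so 'localhost' does not cover the same service reached by host name."""
    return mappings.get(wsa_to, default)

def dangling_policy_refs(mappings, default, declared):
    """Policy ids referenced by a mapping but not declared under <policies>."""
    sets = list(mappings.values()) + ([default] if default else [])
    referenced = {pid for ops in sets for pid in ops.values() if pid}
    return sorted(referenced - declared)
```

Running `resolve` with the host-name form of the URI returns None for this file, which is exactly the silent "no policy, plain-text message" condition the trace showed; adding a second <endpoint> entry for the host name, as Lucien suggests, is the fix.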
Nikhil Ukidwe - 01 Sep 2004 13:12 GMT
Hi Lucien,

Solved the problem of securing one web service communication among many.
The solution is simple. All you have to do is secure the client side just
like we do it in the normal case (using <defaultEndpoint> etc.) and use the
proxy class with the "WSE" suffix for secured communication and the normal
proxy class for unsecured communication.

Thanks a lot for your support,
Nikhil.

©2008 Advenet LLC   Privacy Policy - Terms of Use