.NET Forum / ASP.NET / Web Services / September 2006

Requiring username token in WSE 2.0

dev - 23 Aug 2006 01:12 GMT
Hello,

How do I enforce that a UsernameToken is passed with the SOAP request to the
Web Service? I looked at the following thread:

http://groups.google.com/group/microsoft.public.dotnet.framework.webservices.enhancements/browse_thread/thread/3b659d7a27f280b7/724037e2293a2fb4%23724037e2293a2fb


I tried using the policy file but I keep getting following exception:

Message    "System.Web.Services.Protocols.SoapHeaderException: Server
unavailable, please try later ---> System.ApplicationException: An
error occured processing an outgoing fault response\n   --- End of
inner exception stack trace"

Any ideas?

Regards,
dev209
Pablo Cibraro [MVP] - 23 Aug 2006 16:15 GMT
Hi,

Did you configure the policy on both the client side and the server side?
In addition, you have to create a username token in code in the client
application and add it to the message.

UsernameToken token = new UsernameToken("user", "password", PasswordOption.SendPlainText);
proxy.RequestContext.Security.Add(token);

Regards,
Pablo Cibraro

dev - 23 Aug 2006 17:47 GMT
Hello Pablo,

I did not configure the policy on the client side. I added the policy file
on the server side only. In my client I am adding the UsernameToken.

Do I need to configure the policy on the client side?

The Web Service that I have implemented verifies the UsernameToken. It works
fine as long as the client sends a UsernameToken. If the client does not send
a UsernameToken, it grants access to the method without any checks.

Regards,
dev209

Pablo Cibraro [MVP] - 23 Aug 2006 19:27 GMT
Hi,

Yes, you also need to configure the policy on the client side. There is
something I did not understand: "If client does not send UsernameToken it
grants access to method without any checks". Is that one of your
requirements, or is it a problem that you are having now?

Regards,
Pablo.

dev - 23 Aug 2006 19:48 GMT
Hello,

I am authenticating the client by UsernameToken. The problem that I am
facing is that if the client does not send a UsernameToken then there is no
authentication and the client gets access to the WebService method.

Here is the section of the web.config file where I added the policy file
name:

<microsoft.web.services2>
  <policy>
    <cache name="policyCache.config" />
  </policy>
  <diagnostics>
    <policyTrace enabled="false" />
  </diagnostics>
  <security>
    <securityTokenManager type="XXXXXXXX"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      qname="wsse:UsernameToken" />
  </security>
  <tokenIssuer>
    <autoIssueSecurityContextToken enabled="true" />
  </tokenIssuer>
</microsoft.web.services2>

Here is the content of the policyCache.config file:

<policyDocument xmlns="http://microsoft.com/wse/2003/06/PolicyDocument">
  <mappings>
    <defaultEndpoint>
      <!-- Corresponds to the PassToken operation -->
      <defaultOperation>
        <request policy="#PresentAUserNameToken" />
        <response policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:Policy wsu:Id="PresentAUserNameToken">
      <SecurityToken wsp:Usage="wsp:Required" xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</TokenType>
      </SecurityToken>
    </wsp:Policy>
  </policies>
</policyDocument>

Regards,
Dev209
dev - 23 Aug 2006 23:54 GMT
Update on my problem:

I updated my policy file on the server side using the policy file shown in
this article:

http://dotnet.org.za/stuartg/articles/6277.aspx

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://localhost/TermLifeAgency/TLAStatusService.asmx">
      <defaultOperation>
        <request policy="#SignedUsername" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <!-- This policy ensures that the message is signed with a UsernameToken -->
    <wsp:Policy wsu:Id="SignedUsername">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <!-- This policy ensures that the message is signed with a X509 certificate -->
  </policies>
</policyDocument>

When I invoke the WebService without passing a UsernameToken I get the
following exception:

{"Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402:
The message does not conform to the policy it was mapped to.\n   at
Microsoft.Web.Services2.Policy.SimplePolicyVerifier.VerifyMessageWithExpression(PolicyExpression
expression, SoapEnvelope message, EndpointReference endpoint, String
action, Uri requestEndpoint)\n   at
Microsoft.Web.Services2.Policy.SimplePolicyVerifier.Verify(SoapEnvelope
message)\n   at
Microsoft.Web.Services2.Policy.PolicyManager.Verify(SoapEnvelope
message)\n   at
Microsoft.Web.Services2.Policy.PolicyVerificationInputFilter.ProcessMessage(SoapEnvelope
envelope)\n   at
Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope
envelope)\n   at
Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage
message)" }    System.Exception

When I pass a UsernameToken with the correct username/password, I can see
that it invokes the AuthenticationManager, but after that it throws the same
exception.

I verified that the username and password are correct by removing the policy
file.

Any suggestion would be greatly appreciated.

Thanks,
Dev209
Pablo Cibraro [MVP] - 24 Aug 2006 14:58 GMT
Hi,

For some reason, the message sent by the client application does not meet
some requirements in your service policy. Is the endpoint Uri correct? You
can see more details about why the policy cannot be enforced in the WSE
trace files.

Regards,
Pablo Cibraro.

dev - 24 Aug 2006 17:49 GMT
Hello,

Along with adding the UsernameToken, I also added a signature using the token:

ws.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));

I got it to work.

Question: I am new to WSE and all the policy elements. Any idea as to
which part of the policy file requires that the client request have a
UsernameToken and that the message be signed by the UsernameToken?

Thanks for your help.

Best Regards,
Dev209
Pablo Cibraro [MVP] - 24 Aug 2006 18:42 GMT
Hi,

It is this part,

<wssp:Integrity wsp:Usage="wsp:Required">
  <wssp:TokenInfo>
    <wssp:SecurityToken>
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
    </wssp:SecurityToken>
  </wssp:TokenInfo>
  <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
</wssp:Integrity>

In a nutshell, this section says: "I am expecting a message signed
(Integrity element) with a UsernameToken (SecurityToken element). Only the
body should be signed (MessageParts)".
You can also define a Confidentiality element if your service expects an
encrypted message, which is not the case.

Regards,
Pablo Cibraro.

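The failure mode reported earlier in this thread (a request with no UsernameToken reaches the method unchecked) and the Integrity section Pablo explains above can also be enforced inside the service itself, so that the operation does not run even if the policy mapping is missing or mis-mapped. The following is an added example, not code from the thread or from WSE: a defense-in-depth check in the .asmx method that only proceeds when the WSE 2.0 pipeline recorded a MessageSignature over the SOAP Body made with a UsernameToken. The class name TLAStatusService is taken from the endpoint URI in the policy above; the method name, parameter and fault text are assumptions.

```csharp
// Added example (not from the thread). Requires the WSE 2.0 assembly
// Microsoft.Web.Services2.dll and a securityTokenManager for
// wsse:UsernameToken in web.config, as shown earlier in the thread.
using System;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

public class TLAStatusService : WebService
{
    [WebMethod]
    public string GetStatus(string policyNumber)   // method name is an assumption
    {
        // Policy in policyCache.config is the first gate; this is the second.
        UsernameToken token = RequireSignedUsernameToken();

        // token.Username can now be trusted: the configured UsernameTokenManager
        // already authenticated the password, and the Body was signed with a key
        // derived from it, so the caller both knew the secret and sent this Body.
        return "Status for " + policyNumber + " requested by " + token.Username;
    }

    // Returns the UsernameToken that signed the SOAP Body, or throws a SOAP fault.
    private static UsernameToken RequireSignedUsernameToken()
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
            throw new SoapException("Request was not processed by the WSE pipeline",
                                    SoapException.ClientFaultCode);

        foreach (ISecurityElement element in ctx.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig == null)
                continue;                        // e.g. an EncryptedData element

            UsernameToken signer = sig.SigningToken as UsernameToken;
            bool bodySigned = (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0;
            if (signer != null && bodySigned)
                return signer;                   // matches the SignedUsername policy
        }

        // No token, an unsigned token, or a signature made with another token type.
        throw new SoapException("A UsernameToken signature over the SOAP Body is required",
                                SoapException.ClientFaultCode);
    }
}
```

A token that is merely present in ctx.Security.Tokens but did not sign anything is rejected here, which is the difference between the original PresentAUserNameToken policy and the SignedUsername policy discussed above.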
dev - 28 Aug 2006 22:01 GMT
Hello,

Thanks for your help. If the requirement was to only have a UsernameToken
with the request, then should I be using the following only:

<wssp:SecurityToken>
  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
</wssp:SecurityToken>

Best Regards,
Dev209
Oberoi - 22 Sep 2006 18:31 GMT
Hi,

I tried using the following policy setting to enforce the requirement
of a Username token in the SOAP header, but it does not work. I am still
able to explore the web service and invoke the methods.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!--The following policy describes the policy requirements for all
        services who do not have a mapping in this file.-->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-Username" />
        <response policy="#Encrypt-Username" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="Sign-Username">
      <!--MessagePredicate is used to require headers. This assertion should
          be used along with the Integrity assertion when the presence of the
          signed element is required. NOTE: this assertion does not do anything
          for enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!--The Integrity assertion is used to ensure that the message is
          signed with Username. Many Web services will also use the token for
          authorization, such as by using the <wse:Role> claim or specific
          Username claims.-->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element describes
              which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
          wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
          wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="Encrypt-Username">
      <!--The Confidentiality assertion is used to ensure that the SOAP Body
          is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes
              which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

Can somebody help with this?

Thanks & Regards,
Oberoi
