
WS-Security 1.0 with WSE 3.0

Don Rixtown - 07 Sep 2006 17:22 GMT
I'm trying to call a WSE 2.0 web service from a WSE 3.0 client. The
articles I've read say that this should work if you stick to using
features of WS-Security 1.0.

Every time I call the web service I get this exception:
Microsoft.Web.Services2.Security.SecurityFault: The signature or
decryption was invalid

Does anyone have any suggestions on how to restrict WSE 3.0 to only use
WS-Security 1.0 features?

Here is some sample code from the WSE 3.0 client:

UsernameToken token = new UsernameToken("username", "password");
MessageSignature signature = new MessageSignature(token);

service.RequestSoapContext.Security.Tokens.Add(token);
service.RequestSoapContext.Security.Elements.Add(signature);
service.RequestSoapContext.Security.Timestamp.TtlInSeconds = 60;

(The last 3 lines have obsolete warnings.)

I know the message is being signed. If I send the wrong password I get
an error of "The computed password digest doesn't match that of the
incoming username token."

Any pointers would be appreciated.

Thanks,
Don

Don Rixtown
don[dot]rixtown[at]gmail[dot]com

Pablo Cibraro [MVP] - 11 Sep 2006 15:41 GMT
Hi Don,

Signing a message with a username token is not a supported scenario in WSE
3.0, because it is not considered secure. You should use one of the
pre-defined turn-key scenarios, that's why you receive the obsolete
warnings. This article describes that problem in more detail and how to only
use the WS-Security 1.0 features:
http://wcf.netfx3.com/content/WindowsCommunicationFoundationWCFInteroperabilityandMigrationwithWSE20.aspx


Regarding the invalid signature, you are currently signing the message with
the user's password (a symmetric key), so the service should receive the
same password to verify the signature. Therefore, you should send the
password as plain-text, otherwise, if the service only receives a hash of
the original password, it will not be able to verify the signature. Does it
make sense?

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax

> I'm trying to call a WSE 2.0 web service from a WSE 3.0 client. The
> articles I've read say that this should work if you stick to using
[quoted text clipped - 26 lines]
> Thanks,
> Don
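
The digest check behind the "computed password digest doesn't match" error quoted in the first post, as an added example that is not code from the thread or from WSE. It uses only System.Security.Cryptography and the UsernameToken Profile 1.0 formula, Password_Digest = Base64(SHA-1(nonce + created + password)); the class name, method names and sample values are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

static class UsernameTokenCheck   // hypothetical helper, not a WSE type
{
    static readonly HashSet<string> SeenNonces = new HashSet<string>(); // illustrative replay cache

    // UsernameToken Profile 1.0: SHA-1 over nonce bytes + created + password (UTF-8)
    public static byte[] Digest(byte[] nonce, string created, string password)
    {
        byte[] tail = Encoding.UTF8.GetBytes(created + password);
        byte[] buf = new byte[nonce.Length + tail.Length];
        Buffer.BlockCopy(nonce, 0, buf, 0, nonce.Length);
        Buffer.BlockCopy(tail, 0, buf, nonce.Length, tail.Length);
        using (SHA1 sha = SHA1.Create()) return sha.ComputeHash(buf);
    }

    // Service side: the digest can only be recomputed from the cleartext password the service holds.
    public static bool Verify(string nonceB64, string created, string digestB64,
                              string storedPassword, DateTime nowUtc, int ttlSeconds)
    {
        byte[] nonce, claimed;
        try { nonce = Convert.FromBase64String(nonceB64); claimed = Convert.FromBase64String(digestB64); }
        catch (FormatException) { return false; }
        DateTime ts;
        if (!DateTime.TryParse(created, CultureInfo.InvariantCulture,
                               DateTimeStyles.AdjustToUniversal, out ts)) return false;
        if (Math.Abs((nowUtc - ts).TotalSeconds) > ttlSeconds) return false; // stale or future-dated
        byte[] expected = Digest(nonce, created, storedPassword);
        int diff = expected.Length ^ claimed.Length;                        // constant-time compare
        for (int i = 0; i < expected.Length && i < claimed.Length; i++) diff |= expected[i] ^ claimed[i];
        if (diff != 0) return false;                                         // digest mismatch
        return SeenNonces.Add(nonceB64);                                     // Add fails on a replayed nonce
    }

    static void Main()
    {
        // Constructed sample values, not captured traffic.
        byte[] nonce = Encoding.ASCII.GetBytes("constructed-nonce");
        string created = "2006-09-07T17:22:00Z", n = Convert.ToBase64String(nonce);
        DateTime now = new DateTime(2006, 9, 7, 17, 22, 30, DateTimeKind.Utc);
        string d = Convert.ToBase64String(Digest(nonce, created, "password"));
        Console.WriteLine(Verify(n, created, d, "password", now, 60)); // service holds the same password
        Console.WriteLine(Verify(n, created, d, "hunter2", now, 60));  // service holds a different password
        Console.WriteLine(Verify(n, created, d, "password", now, 60)); // same nonce presented again
    }
}
```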
