Hello,

Warning: long post.....

Our company has a policy requiring all web services be brokered via a
SoapStation secured URI. My understanding of the workflow is this:

1. Create and deploy a web service
2. Broker the web service via a secured location in SoapStation.

If I understand the nature of this "secured location" in SoapStation,
SoapStation itself performs the security check, which frees the Web Service
from having to perform any security checks on its own.

In order to properly call the secured web service, our client has to perform
the following tasks:

1. Call a Login web service passing in the necessary sign-on credentials.
This Login service passes back a Siteminder token as a string.
2. *This is the key*: add the Siteminder token to the Header of the Soap
Request
3. Call the secured web service

The architecture is this:
1. The client application is an ASP.NET 2.0 web application coded in VB.NET
2. WSE 3.0 is installed
3. The secured web service is properly referenced

The Soap Header for a properly-constructed call to the secured service has
the following attributes, with some actual (and presumably sensitive) values
replaced by phrases in brackets ([]):

<e:Header>
<act:Manifest xmlns:act="http://lg.actional.com/2003">
<act:Interaction>[some hex string]</act:Interaction>
</act:Manifest>
<wsse:Security e:role="http://schemas.xmlsoap.org/soap/actor/next"
e:mustUnderstand="false"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken ValueType="sso:SiteMinderSSOSecurityToken"
wsu:Id="[Some token ID]" xmlns:sso="http://www.actional.com">
[The actual value of the Siteminder Token is placed
here]</wsse:BinarySecurityToken>
</wsse:Security>
</e:Header>

I have been unable to construct a Soap header so far that passes the
requirements of SoapStation.

As a backgrounder, the corporate systems are mostly Java based, but the team
I am in is a long-time Microsoft group and therefore not familiar with Java.
We are new to WSE overall.

Here is a code snippet that comes closest to "success" so far. It actually
uses WSE 2.0 protocols, because a colleague of mine is trying the same thing,
but his application is written in .NET 1.1:

       Dim siteminder As New TokenService.SSOLoginService
       Dim cred As New System.Net.NetworkCredential(<sign-on credentials
here>)
       siteminder.Credentials = cred
       Dim t As String = siteminder.login()

       Dim c As New
Microsoft.Web.Services3.Security.Tokens.SecurityContextToken(t)

       Dim sig As New Microsoft.Web.Services3.Security.MessageSignature(c)
       Dim abc As New SecureWebService.MyWebService

       abc.RequestSoapContext.Security.Elements.Add(sig)
       mDataSet = abc.CallToMyWebService 'Returns a System.Data.Dataset
object

Any help on how best to proceed (especially with populating the Soap header
with the proper values) will be appreciated. I've been trying all sorts of
solutions (including non-WSE-based solutions), none of which have succeeded
so far.

Thanks in advance,
Eric