 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / September 2004Nonce and Created Values. General Questions
Hi, I am using WSE2.0sp1 for my security implementation for web services. A customer is using WebLogic to implement their calls to my service. The call fails with a "token could not be authenticated.." message. I noticed the customer did not have <wsse:Nonce></wsse:Nonce> <wsu:Created></wsu:Created> Tags in their security header. I took their message, and manually added a some nonce/created details to the header and submitted it with a soap tool. The message got validated. Web Logic (or at least my customers implemebntation using web logic) does not appear to add nonce/created elements by default. The customer however pointed out (correctly ) that the implementation of Nonce etc is only recommended. So my question is, is there a setting I can turn on which will not require the client to supply a nonce and created element?? The network is on a private, secure network. I had initially thought this may be the <replayDetection> element but this didn't work when I added to my config file. Also I have a couple of basic questions. 1. If users use a password (either plain text or digest), must a nonce value be included also? 2. Why did WSE2.0 not have the appropriate namespaces i.e. the wsse, and wsu using the oasis uri? Any help on this is greatly appreciated. 1. Nonce and Created are only required for a password that is hashed, that is, they form part of the hash algorithm Base64(SHA-1(Nonce + Created + Password)) 2. Don't know what you mean. WSE2 does use the correct namespaces for wsse and wsu ?? > Hi, > I am using WSE2.0sp1 for my security implementation for web services. A [quoted text clipped - 25 lines] > > Any help on this is greatly appreciated. Why does wse2.0sp1 create them by default? Why do my web service method calls fail if I don't include them from any soap tool? Are you saying that in theory if I submit a message that just has a username in the username token it should be ok? I tried this. I commented out the part of web.config where I had referenced my UsernameToken Manager implementation, submitted a simple request from a soap tool with no nonce value and it ALWAYS fails. What precisely do I need to do to just accept a username in the usernameToken. I had originally thought it was through submitting the XMLElement to the username token object, but again I had problems with this. Any help again is greatly appreciated, this issue has set me WAY back. > 1. Nonce and Created are only required for a password that is hashed, that > is, they form part of the hash algorithm Base64(SHA-1(Nonce + Created + [quoted text clipped - 32 lines] > > > > Any help on this is greatly appreciated. > Hi, > I am using WSE2.0sp1 for my security implementation for web services. A [quoted text clipped - 25 lines] > > Any help on this is greatly appreciated. 1. If you used SendHashed, the Nonce *must* be present since it part of the digest algorithm. If you have Username Token replay detection enabled, the WSE receiver will *always* demand that a Nonce be present in the token. Disabling this in your configuration file (see the wse.config file in the WSE install directory for details), should allow you to pass a PlainText or SendNone UsernameToken without a Nonce. 2. WSE 2.0 *does* use the OASIS WSS 1.0 Namespace URI's.  SignatureThis posting is provided "AS IS", with no warranties, and confers no rights. I understand that it must be present if used with hashed password. My question is how do I prevent the default of sending it! I have tried the replayDetection setting server side to not require it, sent a message without the nonce detail and still got an "invalid token". As part of this I also commented out any detail in the config of my UsernameToken Manager implementation. I assume this is correct. > > Hi, > > I am using WSE2.0sp1 for my security implementation for web services. A [quoted text clipped - 34 lines] > > 2. WSE 2.0 *does* use the OASIS WSS 1.0 Namespace URI's. > I understand that it must be present if used with hashed password. My > question is how do I prevent the default of sending it! > I have tried the replayDetection setting server side to not require it, sent > a message without the nonce detail and still got an "invalid token". As part > of this I also commented out any detail in the config of my UsernameToken > Manager implementation. I assume this is correct. There is no way to prevent WSE sending the Nonce; it's defined in the WSS specification, other implementations ought to be able to accept it, particularly since it's not a complex construct like some others in WSS. Commenting out your UsernameTokenManager means that you'll be running with the WSE default implementation, this expects to process a UsernameToken that contains a plain text password that can be authenticated against a Windows Domain. If your token doesn't include the plain text password (for example), then it will be rejected by the server. If you don't want this default UsernameTokenManager you must override it with your own implementation (there's an example in the product samples). There are several messages associated with invalid tokens, including ones like "The security token could not be authenticated or authorized". If you're getting this fault, it's likely because the token either doesn't have the password or the password cannot be validated against the domain. If this isn't the fault that you're getting, perhaps you can turn on detailedErrors in the config and post details of the fault to help me understand where the failure occurs. SignatureThis posting is provided "AS IS", with no warranties, and confers no rights. I have the exact same issue. I have set the replaydetection setting in my config file to false, and the constructor of my usernamemanager implementation sets everything to base implementation passing in XMLNode. I only override the ValidateToken method. public myUsernameTokenManager(XMLNodeList nodes) : base(nodes) protected override string validateToken(usernametoken p_token) However I get an error stating: The token must contain both a nonce and timestamp .... > > I understand that it must be present if used with hashed password. My > > question is how do I prevent the default of sending it! [quoted text clipped - 23 lines] > turn on detailedErrors in the config and post details of the fault to > help me understand where the failure occurs. > I have the exact same issue. > [quoted text clipped - 8 lines] > > The token must contain both a nonce and timestamp .... The only place this exact error is issued is if replayDetection is enabled for the UsernameToken and the incoming token does not contain a Nonce and Created. Of course, if you have used the Hashed Password option, or you have signed with the UsernameToken, then the Nonce and Created will be required since they are used for key generation. The replayDetection setting is read from configuration, if you have a custom UsernameTokenManager you must implement the constructor that accepts the configuration node list (as you appear to have done above): public MyUsernameTokenManager(XmlNodeList configData) : base(configData) { ... } The configuration entry in your app.config / web.config, for the default UsernameTokenManager, would be: <microsoft.web.services2> <security> <securityTokenManager xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" qname="wsse:UsernameToken" <replayDection enabled="false" windowInSeconds="300" /> </securityTokenManager> </security> </microsoft.web.services2> If you want a custom UsernameTokenManager, you should also specify the type="" attribute on the <securityTokenManager> element. I hope this helps. -- This posting is provided "AS IS", with no warranties, and confers no rights. I set up a new project from scratch, and implemented your suggestion. It works. 1. I did a AuthenticateToken override 2. Set the replayDetection to false 3. Sumitted messages both from my web service client and SOAP Tool. 4. All worked. I will try to add this to my current solution. Many thanks for the help, it is greatly appreciated. > > I understand that it must be present if used with hashed password. My > > question is how do I prevent the default of sending it! [quoted text clipped - 23 lines] > turn on detailedErrors in the config and post details of the fault to > help me understand where the failure occurs.
Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.