 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / November 2004want to ignore/bypass WSE2 policy for local requests...
hi, i have a wse2 web service up and running and it serves lots of windows clients, with a custom username token manager. great. i now have some new webforms on the same server that wish to use the web services. the problem is that the webforms can't obey the policy rules because it doesn't know at runtime any user account info, i want to work around this. i don't want to hard code in a 'SYSTEM' user + password only for use with the web service because someone could open the dll in notepad and use those credentials to abuse the web service. i tried to set up 2 different policies for the same web service, with the difference being the address used to access it. using the address: http://localhost/WinDB.asmx for the web forms, and a blank policy in policyCache.config. for the winclients then, they use the normal http://shuttle/WinDB.asmx adress with the #username-token-signed policy or whatever. it doesn't work though. requests made through the local address get a "Server was unable to process request. --> The message must contain a wsa:To header" error. policyCache.config extract: <endpoint uri="http://localhost/WinDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://shuttle/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsp:Policy wsu:Id="username-token-signed" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part"> wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp() i also tried using the 127.0.0.1 IP address in the policyCache but it didn't change anything. i really appreciate any suggestions anyone might have. tim \\ email: tim at mackey dot ie // \\ blog: http://tim.mackey.ie // 67d0ebfec70e8db3 Tim- Are all of these really pointing to the same webserver? I'm sure you can't trick it like that! <g> I have no idea if it's possible to base an endpoint policy on it's start point - wouldn't that be cool. But unless someone can give you a cool solution that I don't know about (which is wholly possible), you might just have to have separate web services. julie hi, i have a wse2 web service up and running and it serves lots of windows clients, with a custom username token manager. great. i now have some new webforms on the same server that wish to use the web services. the problem is that the webforms can't obey the policy rules because it doesn't know at runtime any user account info, i want to work around this. i don't want to hard code in a 'SYSTEM' user + password only for use with the web service because someone could open the dll in notepad and use those credentials to abuse the web service. i tried to set up 2 different policies for the same web service, with the difference being the address used to access it. using the address: http://localhost/WinDB.asmx for the web forms, and a blank policy in policyCache.config. for the winclients then, they use the normal http://shuttle/WinDB.asmx adress with the #username-token-signed policy or whatever. it doesn't work though. requests made through the local address get a "Server was unable to process request. --> The message must contain a wsa:To header" error. policyCache.config extract: <endpoint uri="http://localhost/WinDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://shuttle/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsp:Policy wsu:Id="username-token-signed" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part"> wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp() i also tried using the 127.0.0.1 IP address in the policyCache but it didn't change anything. i really appreciate any suggestions anyone might have. tim \\ email: tim at mackey dot ie // \\ blog: http://tim.mackey.ie // 67d0ebfec70e8db3 hi Julie, thanks for the reply. i thought that since the endpoint uri's are case-sensitive, it would work to configure 2 different policies, one for lower-case and one for upper-case. do i understand it right that the lowercase one should apply to any clients that have a reference to it with that case? and then any other clients (i.e. my web pages) with a reference to the upper-case version, should use the different policy. would it be possible in my custom security token manager to check somehow if the request is coming from the server itself and then accept the request somehow? thanks tim 67d0ebfec70e8db3 Tim- Are all of these really pointing to the same webserver? I'm sure you can't trick it like that! <g> I have no idea if it's possible to base an endpoint policy on it's start point - wouldn't that be cool. But unless someone can give you a cool solution that I don't know about (which is wholly possible), you might just have to have separate web services. julie "Tim Mackey" <tim@scootasp.net> wrote in message news:2uq7ctF2doraaU1@uni-berlin.de... hi, i have a wse2 web service up and running and it serves lots of windows clients, with a custom username token manager. great. i now have some new webforms on the same server that wish to use the web services. the problem is that the webforms can't obey the policy rules because it doesn't know at runtime any user account info, i want to work around this. i don't want to hard code in a 'SYSTEM' user + password only for use with the web service because someone could open the dll in notepad and use those credentials to abuse the web service. i tried to set up 2 different policies for the same web service, with the difference being the address used to access it. using the address: http://localhost/WinDB.asmx for the web forms, and a blank policy in policyCache.config. for the winclients then, they use the normal http://shuttle/WinDB.asmx adress with the #username-token-signed policy or whatever. it doesn't work though. requests made through the local address get a "Server was unable to process request. --> The message must contain a wsa:To header" error. policyCache.config extract: <endpoint uri="http://localhost/WinDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://shuttle/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsp:Policy wsu:Id="username-token-signed" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part"> wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp() i also tried using the 127.0.0.1 IP address in the policyCache but it didn't change anything. i really appreciate any suggestions anyone might have. tim \\ email: tim at mackey dot ie // \\ blog: http://tim.mackey.ie // 67d0ebfec70e8db3 I would only be able to answer that by experimenting with it myself which I wish I had the time for right now but don't. Otherwise I can only hypothesize. I'll keep an eye on this thread to see if someone else can help out and if not I will try this when I have the time. hi Julie, thanks for the reply. i thought that since the endpoint uri's are case-sensitive, it would work to configure 2 different policies, one for lower-case and one for upper-case. do i understand it right that the lowercase one should apply to any clients that have a reference to it with that case? and then any other clients (i.e. my web pages) with a reference to the upper-case version, should use the different policy. would it be possible in my custom security token manager to check somehow if the request is coming from the server itself and then accept the request somehow? thanks tim 67d0ebfec70e8db3 "Julie Lerman" <jlermanATNOSPAMPLEASEthedatafarm.com> wrote in message news:%23Tw5wxbwEHA.1988@TK2MSFTNGP12.phx.gbl... Tim- Are all of these really pointing to the same webserver? I'm sure you can't trick it like that! <g> I have no idea if it's possible to base an endpoint policy on it's start point - wouldn't that be cool. But unless someone can give you a cool solution that I don't know about (which is wholly possible), you might just have to have separate web services. julie "Tim Mackey" <tim@scootasp.net> wrote in message news:2uq7ctF2doraaU1@uni-berlin.de... hi, i have a wse2 web service up and running and it serves lots of windows clients, with a custom username token manager. great. i now have some new webforms on the same server that wish to use the web services. the problem is that the webforms can't obey the policy rules because it doesn't know at runtime any user account info, i want to work around this. i don't want to hard code in a 'SYSTEM' user + password only for use with the web service because someone could open the dll in notepad and use those credentials to abuse the web service. i tried to set up 2 different policies for the same web service, with the difference being the address used to access it. using the address: http://localhost/WinDB.asmx for the web forms, and a blank policy in policyCache.config. for the winclients then, they use the normal http://shuttle/WinDB.asmx adress with the #username-token-signed policy or whatever. it doesn't work though. requests made through the local address get a "Server was unable to process request. --> The message must contain a wsa:To header" error. policyCache.config extract: <endpoint uri="http://localhost/WinDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://shuttle/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsp:Policy wsu:Id="username-token-signed" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"> <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part"> wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp() i also tried using the 127.0.0.1 IP address in the policyCache but it didn't change anything. i really appreciate any suggestions anyone might have. tim \\ email: tim at mackey dot ie // \\ blog: http://tim.mackey.ie // 67d0ebfec70e8db3 hi julie, i was feeling a bit out of my depth earlier, but i tried it anyway and it works! i have 2 endpoints with different policies on the same web service (only difference is the case): <endpoint uri="http://localhost/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://localhost/WINDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> the problem in my situation was all my web methods call a checkAuth() method that throws soap faults for any invalid requests. i put the following lines of code at the top of this method to allow requests made on the same server to go through: // allow local ws requests to bypass security if(HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString() == "127.0.0.1") return; yee haw! this saves me a lot of work, and is quite cool. to think, i once complained about the case-sensitivity of endpoints! thanks for your help. tim Tim, imho [and Hervey or anyone in the WSE Team can correct me if I am wrong], the case-sensitiveness is probably a bug somewhere in IIS/WSE. As of the "customization" of startpoints, are you writing any client policies at all ?  SignatureThank you. Regards, Softwaremaker ================================== hi julie, i was feeling a bit out of my depth earlier, but i tried it anyway and it works! i have 2 endpoints with different policies on the same web service (only difference is the case): <endpoint uri="http://localhost/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://localhost/WINDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> the problem in my situation was all my web methods call a checkAuth() method that throws soap faults for any invalid requests. i put the following lines of code at the top of this method to allow requests made on the same server to go through: // allow local ws requests to bypass security if(HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString() == "127.0.0.1") return; yee haw! this saves me a lot of work, and is quite cool. to think, i once complained about the case-sensitivity of endpoints! thanks for your help. tim hi softwaremaker i quote lucien who posted "URI's are treated case sensitive as defined in specifications/RFC (except for the host name part)." on 28 June 2004. i don't have any client policies, i leave it all up to the server. obviously my windows forms clients need to send a securitytoken if they want to conform to the server WSE policy which is username-token-signed. i know it seems like a bit of a hack, but provided you know what you're doing, i think it is a very useful feature. i would like to note for the record that it doesn't matter for the web pages using the web service with no policy, whether the web service proxy derives from Microsoft.Web.Services2.WebServicesClientProtocol or System.Web.Services.Protocols.SoapHttpClientProtocol. this is because WSE doesn't apply any special policy on the server (for the selected reference, in uppercase) and i have code in the web services to skip any checks for missing security headers. does anyone else not think this is really useful? how many times do we write web services and encounter further uses for them. in my case, the further use is on the web site itself. i think for efficiency reasons alone, the option to trust clients from a specific IP (127.0.0.1) and bypass the heavy security overhead of WSE2 messages is a great benefit. i understand all the overhead is necessary, but having the flexibility to work around it where appropriate is excellent in my view. tim Hi Tim, Yeah...I read that reply between you and Lucien a while ago and have always thought it was some kind of bug in IIS. Seems like the bug changed the casing of the URIs Anyways, I have gone thru the WS-Addressing specs but didnt come across that statement. Maybe I will look through it in greater detail later. It is good that it solves your problem but I seriously doubt if that specs/RFC is meant for cases such as yours. I would still prefer to think there is a much better solution to your problem. Let me think of other ways once I get my hear cleared. SignatureThank you. Regards, Softwaremaker ================================== > hi softwaremaker > i quote lucien who posted "URI's are treated case sensitive as defined in [quoted text clipped - 24 lines] > > tim hi softwaremaker, actually i did come up with a better solution. i could just call the web methods directly as part of an instance of the web service class. i didn't need to be going through a web service proxy at all for the web forms, since they were part of the same assembly. it was a simple oversight not to spot this. i had code in each web method to check for valid soap requests, but if the request originated from 127.0.0.1 then i skipped further checks to allow the web method to execute normally. still i think it must be useful (in some weird circumstances!) to be able to configure multiple WSE2 policies for the same web service. as an example, say for versioning the web service policy. in version 1 of a web service, the clients might use #username-token-signed, but then version 2 clients might be released who would want to take advantage of some new more efficient policy called #username-super-tokens, so they change the reference to the webservice by using a variation in the case (which is set up in the policyCache.config file with the new policy). the old clients can still use the same web service with the policy they were designed for, but the new clients can use the #username-super-tokens policy. this approach saves you having to duplicate the web service for each new client version. i'm sure there could be other uses too. tim well - see...isn't it fun to actually try out your own hypotheses? Anyway - pay heed to Softwaremaker's reply! hi julie, i was feeling a bit out of my depth earlier, but i tried it anyway and it works! i have 2 endpoints with different policies on the same web service (only difference is the case): <endpoint uri="http://localhost/winDB.asmx"> <defaultOperation> <request policy="#username-token-signed" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> <endpoint uri="http://localhost/WINDB.asmx"> <defaultOperation> <request policy="" /> <response policy="" /> <fault policy="" /> </defaultOperation> </endpoint> the problem in my situation was all my web methods call a checkAuth() method that throws soap faults for any invalid requests. i put the following lines of code at the top of this method to allow requests made on the same server to go through: // allow local ws requests to bypass security if(HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString() == "127.0.0.1") return; yee haw! this saves me a lot of work, and is quite cool. to think, i once complained about the case-sensitivity of endpoints! thanks for your help. tim Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.