UsernameTokenManager subclass's AuthenticateToken not called when message is signed

Jeff Key - 24 Jun 2004 22:15 GMT
Consider the following:

   SoapEnvelope envelope = new SoapEnvelope();

   UsernameToken token = new UsernameToken(username,
       CryptoUtil.Encrypt(password), PasswordOption.SendPlainText);
   envelope.Context.Security.Tokens.Add(token);

   DerivedKeyToken derivedKeyToken = new DerivedKeyToken(token);
   envelope.Context.Security.Tokens.Add(derivedKeyToken);
   envelope.Context.Security.Elements.Add(new MessageSignature(derivedKeyToken));

   // Add content via envelope.SetBodyObject
   // SendRequestResponse or SendOneWay

(I've extended UsernameTokenManager to do the authentication on the server.)

When the message is received, VerifyPlainTextPassword is called instead of
AuthenticateToken. AuthenticateToken is only called if I don't sign.

This has been a source of great pain, suffering, sleepless nights and broken
dreams. It worked in the TP.

Can anyone give me a hand?

Thanks,
-jk

Sidd - 25 Jun 2004 01:30 GMT
Hi Jeff,

   In TechPreview, WSE did not cache any username tokens. In RTM, the
behavior is that if you sign with a username, then it is automatically put
in a cache, so that when a reply comes back encrypted with the same token,
it can decrypt it.

   One side effect of caching is the behavior you are seeing below. When a
request comes in, the cache is first looked up, and if there is a token
already in the cache, then the AuthenticateToken part is skipped and only
the VerifyPlainTextPassword is called.

   In your case, when the message is received with the Username token
containing the salted password, does that endpoint sign the message with
that same token for another endpoint? Is it possible to describe your
scenario a little bit, so that I can hopefully provide you with a little
more advice?

Hope this helps a bit.

Sidd [MSFT]

Jeff Key - 28 Jun 2004 17:09 GMT
Hi Sidd,

Thanks for the quick response.

Rather than expanding on the current setup, which was designed with little
knowledge of WSE during the TP and is probably flawed, I'll describe our
scenario. It would be great to get direction from someone in-the-know.

Technology:
We're an ISV that sells a product consisting of two services (hosted on a
server) that can be hosted in Windows Services or IIS, as well as client
tools that talk to these services. The services are written as SoapServices
and we're registering them as HttpHandlers when hosted in IIS (we aren't
using ASMX). The clients use custom proxies that extend SoapClient.

Requirements:
Since the applications are bundled and sold as a single product, we can't
have requirements like certificate servers; anyone should be able to buy the
product and install it with minimal impact to OS configuration. Customers
can use our user database, AD, LDAP, or anything else they write a provider
for, so we must send the password over the wire. That's it, really. Simple
stuff.

What would be the simplest solution? I appreciate your input.

Thanks,
-jk
