 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / ASP.NET / Web Services / February 2005Overriding X509SecurityTokenManager.AuthenticateToken
I have some special logic I would like to perform to make sure we accept a certain certificate in my webservice. The X509SecurityTokenManager.AuthenticateToken method has no return value so I was wondering what is the proper thing to do when the certificate is not accepted by the WebService? I figured I would throw a security fault with the code set to FailedAuthenticationCode. Is this the correct thing to do? Thanks, Oldman Hello Oldman, Are you sure you cant use policy to implement that 'special' logic. The Authenticate method should just be validating that the certificate it receives is valid (not expired/ trusted etc), unless you want to do something special with the tokens on its way in like, may be add an identity to the token etc.. I'd suggest take a look at how you can restrict uses based on policy first. If that doesnt fit the bill write a soap input filter to check all the tokens and throw the security fault in the filter. If you do the same in the token manager you're short circuiting the whole authentication process. By that I mean that you may receive more than on x509 token in the request. In that case you may end up throwing a soap fault even tho' the request had other valid x509 certificates. HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com > I have some special logic I would like to perform to make sure we > accept a [quoted text clipped - 10 lines] > > Oldman I don't believe I can use a policy. I am trying to make sure that the certificate is issued by us. Clients are only allowed to talk with our web service if they have a certificate issued by us. If they do not I want the authentication to fail. Oldman > Hello Oldman, > Are you sure you cant use policy to implement that 'special' logic. The [quoted text clipped - 30 lines] > > > > Oldman Hello Oldman, I believe you can.. Lookup in the policy configuration reference IssuerToken. You can set up a claim for the issuer token to conform to the subject name supplied as shown below .. <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:Claims> <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> .. HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com > I don't believe I can use a policy. I am trying to make sure that the > certificate is issued by us. Clients are only allowed to talk with [quoted text clipped - 46 lines] >>> Thanks, >>> Oldman That's awsome. I'll try that out but still if I were to do it with code and not a policy file how are you supposed to reject the authentication? Oldman > Hello Oldman, > I believe you can.. Lookup in the policy configuration reference IssuerToken. [quoted text clipped - 69 lines] > >>> Thanks, > >>> Oldman Hello Oldman, IMO use a soap filter. Check the tokens from the context and throw a soap fault if any of the tokens are not issued by you. X509Security token has methods that allow you to do that HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com > That's awsome. I'll try that out but still if I were to do it with > code and not a policy file how are you supposed to reject the [quoted text clipped - 92 lines] >>>>> Thanks, >>>>> Oldman FYI, when using policy to enforce the issuer of a X509 signing token, you can't use the IssuerToken element. That element is used in the context of requesting a security token from a web service that issues them. To do this via policy, I got this working by the following integrity policy (using TokenIssuer to demand who the issuer is for a SecurityToken, outside of a Claims element): <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X 509v3</wssp:TokenType> <wssp:TokenIssuer>CN=My CA Name</wssp:TokenIssuer> </wssp:SecurityToken> </wssp:TokenInfo> </wssp:Integrity> > Hello Oldman, > IMO use a soap filter. Check the tokens from the context and throw a [quoted text clipped - 103 lines] > >>>>> Thanks, > >>>>> Oldman Hi Oldman, > That's awsome. I'll try that out but still if I were to do it with code and > not a policy file how are you supposed to reject the authentication? Just throw an exception from your implementation of OnAuthenticate() (yes, I believe it is a somewhat ugly design there, but that's how it goes). In case you're not doing it already, you'll need to register your SecurityTokenManager using the <BinarySecurityTokenManager> element in your configuration.  SignatureTomas Restrepo tomasr@mvps.org Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.