.NET Forum / ASP.NET / Web Services / March 2005


[ANN] UPDATED WSE 2.0 SP2 secure UsernameToken sample available

SA - 17 Feb 2005 00:30 GMT
All,

Because the sample proved more popular than I thought it would be, I have
updated it.

Credit:

William Stacey for this excellent idea and his feedback on sample #1.
Thanks.

Installation:

- Unzip to folder.
- Open VS solution.
- Remove my web application from solution.
- Create new web application in solution.
 If you don't want to change any of the code, create the project under
 http://localhost/Tests and name it SecureUTSCT02
- Add web.config and policyCache.config to the web project.
 These files are located in the root of the zip file.

If you have not put your web app under http://localhost/Tests/SecureUTSCT02,

- In the TokenIssuer.vb file, verify/fix the URIs
 that point to the AppliesTo and TokenIssuer endpoints.
- In the policyCache.config file, verify/fix the URIs for endpoints and
 TokenIssuer.

What has changed?

- Fixed the issue where the presence of the SecurityContextToken in requests
 to the service wasn't checked. Duh!
- Provided also a sample of how the presence of the SecurityContextToken can
 be verified using WS-Policy. The sample looks for a body and parts of the
 header signature.
- The function that creates the SecurityContextToken on the server has been
 moved to a class called TokenIssuer.
- It's all VB.NET, no longer a mix of C# and VB.NET. Pure C# sample may be
 following, depending on response.

Future

I want to investigate the possibility of actually creating a WSE 2.0
TokenIssuer, so that the WSE methods to request tokens could be used.
However, as of now, I don't really see how I can do it, because we are not
actually returning a Security Token to the client.

Also, I'll work on removing the dependency from the Adduxis shared library
to provide greater transparency, pending feedback if that's desirable.

Download

http://www.adduxis.com/play/SecureUTSCTSample-VB.zip

Please post feedback here.

HTH,

--

Sven.
William Stacey [MVP] - 17 Feb 2005 14:07 GMT
Thanks Sven.  Sounds like good updates :-)

> I want to investigate the possibility of actually creating a WSE 2.0
> TokenIssuer, so that the WSE methods to request tokens could be used.
> However, as of now, I don't really see how I can do it, because we are not
> actually returning a Security Token to the client.

I wonder on this as well.  This seems like a circular problem.  We need to
bootstrap the process somehow.  As we don't have a SCT token yet (and don't
want to use a UT), we can't encrypt/sign the request in the normal WSE way.
I guess we could use x509securitytoken or something, but the idea was to not
require certs to begin with.  We probably could use secure XML, but that is
effectively what I am doing manually and I found SecXML way too confusing.
Therefore this "manual" use of xml and encrypting elements and signatures is
needed to kick start the process.  If you think about it, the GetSCT()
method *is* the TokenIssuer, so not sure what wrapping it again in some other
issuer would offer (it does need to be built into the framework however).
If you think about it, the RequestSecurityToken and
SecurityContextTokenService stuff is really just doing the same thing,
however they use a x509 cert and cert's public key instead of just a public
key of our choosing.  I have not yet drilled down into it to see exactly what
they are doing or the wire format, but that would be cool to know.

The other thing I thought about was to use just an anonymous account to
return a SCT, then you could request a "real" authenticated SCT using std
WS-Security.  However, I don't think you gain anything but more
request/reply pairs (i.e. traffic).  I also thought about doing some other
shared secret deal using Diffie-Hellman, etc.  However that gains you
nothing either as you're just getting a shared key to get another shared key.
I could, however, use DH to generate the shared key in the request/reply
pair.  But I asked myself what that would offer.  You would have to break
public PKI to find the secret the way it is (unless someone sees
something), so not sure that would offer anything as would still need to
protect against MITM attack for DH.  The GetSCT() process allows
authentication and SCT token generation in one request/reply pair, so it
seems better than anything else I could think of.  If you have other ideas,
please let me know.

Cheers!

William Stacey, MVP
http://mvp.support.microsoft.com

mgbee - 15 Mar 2005 16:57 GMT
I receive an exception when calling GetSCT  in the line

    AESKey = RSA.Decrypt(TokenRequest.AESKey, _
        RSA.GetKeyPairAsXml("Adduxis.Components.Security.Samples.RSA"))

The Adduxis.Components.Security namespace in the assembly I have does not
have the Samples namespace and so throws an exception.

Thank you.

SA - 22 Mar 2005 00:27 GMT
mgbee:

The RSA.GetKeyPairAsXml function retrieves the key pair from a specified
location. You're not looking for code, but just for a previously generated
RSA key pair stored as XML.

There was a tool in the first download that allowed you to create an RSA
test pair. I didn't include it in the updated version.

Here's a link: http://www.adduxis.com/play/CreateKeyPairAndPersist.zip

HTH

Sven.

