.NET Forum / ASP.NET / Web Services / March 2005

security tokens questions

uzi - 29 Mar 2005 13:10 GMT
Hi

I have a web service that receives a username token from the client and verifies its credentials in a legacy application.

This application issues a custom class (which represents its own security token).

This class can be represented as XML.

My question is, how can I add this custom XML as a header from the service into all incoming/outgoing requests,

as this custom token is used for authentication with the legacy application.

I don't want to have the user send this custom class in all functions.

Thanks,
u
William Stacey [MVP] - 29 Mar 2005 19:34 GMT
> my question is, how can i add this custom xml as a header from the service
> into all incoming\outgoing requests.

I may misunderstand your config.  If so, let me know.  But if you have WSE
client and WSE server web method, then just use UT or SCT to abstract the
custom token.  Say the UT comes in.  You authenticate it inside the Auth
override as normal by calling your legacy method(s).  Then once you have a
cached/authenticated token on the server side, all your future requests can
use the std token abstractions to sign/encrypt messages - until the token
expires (just renew it as normal.)  The issue with UTs is security.  The
only way to really secure them is encrypting pw and sending encrypted pw in
clear text or encrypting the whole token using another prior token (say a
SCT.)   But that is a catch 22 as you either need a shared symmetric key or
another token which needed some PKI negotiation in the first place (say
SCT.)  A fixed shared symmetric key is not great as you need to embed it in
your client assem.  So you need some negotiated sym key like a SCT gives
you.  But once you have a SCT, you don't really need the UT in the first
place.  So to get a SCT, you can use the built in method(s) or check out my
SCT method at
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry

It could also give you some ideas on passing your own xml to create/return
tokens and/or other ideas.  HTH.

William Stacey, MVP
http://mvp.support.microsoft.com

uzi - 29 Mar 2005 20:21 GMT
Hi

Thanks for the answer.

I was thinking a bit differently; here are my thoughts.

I thought of asking the client to supply credentials using a UsernameToken.

Then, on the server side, use AuthenticateToken in the token manager to verify the token with the legacy application (which, by the way, causes me problems: if the user does not send the token, the routing doesn't occur, so I used a SOAP extension to verify that the message has a username token; later on I will be using WS-Policy to make sure that the message has the token).

Once I get the legacy application token (which is not related in any form to WSE tokens), represent it as a string and use a custom binary token, which will be added to the SOAP message, which the client will then continue using for repeated calls to the web services on my server.

Does this make any sense?

Thanks,
Uzi

William Stacey [MVP] - 29 Mar 2005 20:33 GMT
> i was thinking a bit different, here are my thoughts
> i thought of asking the client to supply credentials using usernameToken.
> then, on the server side use the authenticateToken in the token manager to
> verify the token with the legacy application

Sorry if I was not clear.  Was saying same thing.

> (which by the way cause me
> problems, as if the user does not send the token, the routing doesnt occur,
> so i used soap extension to verify that the message has a username token,
> later on i will be using ws-policy to make sure that the message has the
> token).

Right.  You need to verify UT anyway.  You do this by requiring each request
is signed (i.e. the body is signed.)  Those code examples of requiring a
signed body are in the WSE doco or we could supply if you can't find.  If
you use UTs, you still have the problem of sending the pw.  You should only
send it encrypted, so you need a prior symm key.  That is one reason why SCT
may be more attractive as you get the PKI security without another prior key
exchange.

> once i get the legacy application token (which is not related in any form to
> WSE tokens), represnt it as string, and use custom binary token, which will
> be added
> to the soap message, which then the client will continue using for repeated
> calls to the web services on my server.

Once you have an authenticated UT or SCT, you don't need the legacy token
any longer.  You don't get the UT token or SCT if it was not authenticated,
so once you have it, just use that as it is authenticated.  So now sign any
future requests with the authenticated std token.  This also saves you from
doing some other special tokens, which you don't need unless I am missing
something.  Naturally, I am nudging you to use SCT and not UTs.  Hope that
makes sense.

William Stacey, MVP
http://mvp.support.microsoft.com

uzi - 29 Mar 2005 20:54 GMT
Hi

Thanks again for your reply.

The only problem here is that all repeated calls to the web service are for activating commands on the legacy application.

And the token that the legacy application supplies must be kept for all repeated calls, as this is the only way to check privileges and authenticate the user on the legacy application (the application keeps the list of active tokens). That's why I must keep the token (in XML) and send it back and forth to the client, as he will have to use it for all subsequent calls.

It's not enough for me to say that the UT is authenticated; I must also keep the legacy application token.

I hope this clears up the situation.

p.s.

I use the SOAP extension to check for UT existence because I don't want to check it on each method call. This is also good for checking the addressing header, and if this is the first call (I should know it if the header doesn't contain the binary token) and it's not addressed to the login web service, then I can raise an exception.

thanks,
Uzi

William Stacey [MVP] - 29 Mar 2005 20:59 GMT
Gotcha.  You probably have a few options here.  Off the top of my head, I am thinking of a few ways:

1) Use a SCT.  The SCT on the server "contains" a UT.  The UT pw could hold the legacy XML string.  All Web security is still handled with the std SCT token.  All legacy security is handled with the XML held in the UT pw field.

2) Use a lookup table in the web server class.  Use a static hashtable or arraylist or other.  The WSE framework still handles the security into the server method.  Once inside the method, verify the body is signed with a UT or SCT in code or maybe using policy (not sure about policy, but I know you can do this in code.)  Now you know the token has been authenticated, so continue to legacy auth.  Look up the legacy XML string in the lookup table and pass it as you need.

The focus in each method is that you're using std WSE abstractions as much as possible and not creating or passing custom tokens.  All your abstraction is hidden behind the web method so it looks like normal UT or SCT stuff at the client side.  Does that work for you now?

William Stacey, MVP
http://mvp.support.microsoft.com

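A sketch of the second option above (a server-side lookup table keyed by the WSE-authenticated user, so the legacy token never leaves the worker process) combined with the signed-body check from the earlier reply. This is an added example written for this thread; it is not code from either poster, from WSE, or from the WSE QuickStart samples. It targets WSE 2.0 on .NET 1.1, so it uses Hashtable and sealed classes with private constructors rather than generics and static classes. Assumptions: LegacyApp is a hypothetical stand-in for the legacy application, the token manager is registered in web.config under securityTokenManager, the client sends the UsernameToken password as plaintext over an encrypted channel (the legacy logon needs the real password), and for a signer that is not a UsernameToken (for example an SCT) the user name is taken from the Principal that WSE attached to the token.

```csharp
using System;
using System.Collections;
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// Hypothetical stand-in for the legacy application (constructed for this example).
// Logon returns the application's own token as an XML string, or throws.
public sealed class LegacyApp
{
    private LegacyApp() {}

    public static string Logon(string user, string password)
    {
        if (user == "demo" && password == "demo-pw")                 // constructed demo account
            return "<legacyToken user=\"demo\" id=\"constructed-1\"/>";
        throw new UnauthorizedAccessException("legacy logon rejected");
    }

    public static string RunCommand(string legacyTokenXml, string command)
    {
        return "ran '" + command + "' with " + legacyTokenXml;
    }
}

// Option 2: server-side table mapping the authenticated user to the legacy token XML.
// The client only ever carries standard WSE tokens; the legacy token stays here.
public sealed class LegacyTokenCache
{
    private static readonly Hashtable entries = Hashtable.Synchronized(new Hashtable());
    private LegacyTokenCache() {}

    public static void Put(string user, string legacyTokenXml) { entries[user] = legacyTokenXml; }
    public static string Get(string user) { return (string) entries[user]; }   // null if not logged on
    public static void Remove(string user) { entries.Remove(user); }
}

// The legacy logon happens inside WSE's own UsernameToken authentication, so a
// UT that the legacy application rejects never reaches the web method: WSE
// turns the exception into a FailedAuthentication fault.
public class LegacyUsernameTokenManager : UsernameTokenManager
{
    protected override string AuthenticateToken(UsernameToken token)
    {
        string legacyXml = LegacyApp.Logon(token.Username, token.Password);
        LegacyTokenCache.Put(token.Username, legacyXml);
        return token.Password;   // lets WSE complete its own verification of the UT
    }
}

public class LegacyCommandService : WebService
{
    [WebMethod]
    public string RunCommand(string command)
    {
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
            throw new SoapException("Request did not pass through the WSE pipeline.", SoapException.ClientFaultCode);

        // Require a signed body and find out which (already authenticated) token signed it.
        SecurityToken signer = GetBodySigningToken(ctx);
        if (signer == null)
            throw new SoapException("Request body must be signed.", SoapException.ClientFaultCode);

        string legacyXml = LegacyTokenCache.Get(NameFromToken(signer));
        if (legacyXml == null)
            throw new SoapException("No legacy session for this user; log on first.", SoapException.ClientFaultCode);

        return LegacyApp.RunCommand(legacyXml, command);
    }

    // Returns the token that signed the SOAP body, or null when the body is unsigned.
    internal static SecurityToken GetBodySigningToken(SoapContext ctx)
    {
        foreach (ISecurityElement element in ctx.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig != null && (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                return sig.SigningToken;
        }
        return null;
    }

    // UT: the name is on the token. SCT or other: assume WSE populated Principal.
    private static string NameFromToken(SecurityToken token)
    {
        UsernameToken ut = token as UsernameToken;
        if (ut != null) return ut.Username;
        if (token.Principal != null && token.Principal.Identity != null)
            return token.Principal.Identity.Name;
        throw new SoapException("Cannot map the signing token to a user.", SoapException.ClientFaultCode);
    }
}
```

The table is keyed by user name rather than by token Id because a client mints a fresh UsernameToken (with a new Id) for every request, whereas the user name is stable across the session; an SCT keeps one Id for its lifetime, so either key works there. A production version would also expire entries when the legacy token expires and remove them on logoff.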
uzi - 29 Mar 2005 21:17 GMT
Hi

Yep, I didn't think about the option of using the password field as a placeholder for the XML custom token info.

thanks,
uzi

William Stacey [MVP] - 29 Mar 2005 21:21 GMT
Great.  Now that I think about it, you could probably use the Username as well, as you're not using the UT in the SCT for anything beyond holding this XML data (i.e. using UT fields as tag strings).

William Stacey, MVP
http://mvp.support.microsoft.com

uzi - 30 Mar 2005 14:15 GMT
Hi

I've added the extra info into the UT (in the anyelement property)

and I have this code in the service:

// Find the UsernameToken that signed the incoming request. GetSigningToken is a
// helper in the service (not a WSE library method) that walks
// requestContext.Security.Elements for a MessageSignature and returns its SigningToken.
UsernameToken ut = GetSigningToken(requestContext) as UsernameToken;

// Put the same token on the outgoing response and sign the response with it,
// so the response carries the UT back to the client.
SoapContext responseContext = ResponseSoapContext.Current;
responseContext.Security.Tokens.Add(ut);
responseContext.Security.Elements.Add(new MessageSignature(ut));

When the message returns to the client I get the following exception:

*** Exception Raised ***
SOAP-Fault code:
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd:FailedAuthentication
Microsoft.Web.Services2.Security.SecurityFault: The security token could not be authenticated or authorized
  at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.OnLogonUserFailed(UsernameToken token)
  at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.LogonUser(UsernameToken token)
  at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.AuthenticateToken(UsernameToken token)
  at Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(SecurityToken securityToken)
  at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement element)
  at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement element)
  at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement element, SecurityConfiguration configuration, Int32& tokenCount)
  at Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
  at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.InputStream.GetRawContent()
  at Microsoft.Web.Services2.InputStream.get_Length()
  at System.Xml.XmlScanner..ctor(TextReader reader, XmlNameTable ntable)
  at System.Xml.XmlTextReader..ctor(String url, TextReader input, XmlNameTable nt)
  at System.Xml.XmlTextReader..ctor(TextReader input)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
  at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
  at WSStockTraderClient.WSToken.StockTraderServiceWse.RequestQuote(String Symbol) in C:\Documents and Settings\uzib\My Documents\Visual Studio Projects\WebServiceUserNameToken\WSStockTraderClient\Web References\WSToken\Reference.cs:line 114
  at WSStockTraderClient.StockTraderSecureClient.SignRequestUsingUsernameToken() in c:\documents and settings\uzib\my documents\visual studio projects\webserviceusernametoken\wsstocktraderclient\stocktradersecureclient.cs:line 147
  at WSStockTraderClient.StockTraderSecureClient.Main(String[] args) in c:\documents and settings\uzib\my documents\visual studio projects\webserviceusernametoken\wsstocktraderclient\stocktradersecureclient.cs:line 35
************************

p.s.

Is there documented info on the internal behavior of these classes, exactly who talks to whom and when?

Thanks
Uzi

