
.NET Forum / ASP.NET / Web Services / May 2005


The message does not conform to the policy it was mapped to

John Jenkins - 06 May 2005 21:13 GMT
Hi,
   I have set up (what I think should be) a simple Web Service which
expects a signed Username Token. I implemented a custom Username Token
Manager which worked fine before I created a policy file on the Service side, using the GUI
interface tool provided. I set the policy to simply expect Username Signing on the request.

After I created the policy file and re-ran my simple app I get the error

"Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402: The
message does not conform to the policy it was mapped to"

I have attached all the relevant files. I had initially assumed the
MessagePredicates were wrong, but tried a variety of combinations all of
which failed.

I can only assume I have done something dumb here.

Any help greatly appreciated.

Web.Config
=========
<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <configSections>
   <section name="microsoft.web.services2" type="Microsoft.Web.Services2.Configuration.WebServicesConfiguration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
 </configSections>
 <system.web>
   <!--  DYNAMIC DEBUG COMPILATION
         Set compilation debug="true" to enable ASPX debugging.  Otherwise, setting this value to
         false will improve runtime performance of this application.
         Set compilation debug="true" to insert debugging symbols (.pdb information)
         into the compiled page. Because this creates a larger file that executes
         more slowly, you should set this value to true only when debugging and to
         false at all other times. For more information, refer to the documentation about
         debugging ASP.NET files.
   -->
   <compilation defaultLanguage="c#" debug="true" />
   <!--  CUSTOM ERROR MESSAGES
         Set customErrors mode="On" or "RemoteOnly" to enable custom error messages, "Off" to disable.
         Add <error> tags for each of the errors you want to handle.

         "On" Always display custom (friendly) messages.
         "Off" Always display detailed ASP.NET error information.
         "RemoteOnly" Display custom (friendly) messages only to users not running
          on the local Web server. This setting is recommended for security purposes, so
          that you do not display application detail information to remote clients.
   -->
   <customErrors mode="RemoteOnly" />
   <!--  AUTHENTICATION
         This section sets the authentication policies of the application. Possible modes are "Windows",
         "Forms", "Passport" and "None"

         "None" No authentication is performed.
         "Windows" IIS performs authentication (Basic, Digest, or Integrated Windows) according to
          its settings for the application. Anonymous access must be disabled in IIS.
         "Forms" You provide a custom form (Web page) for users to enter their credentials, and then
          you authenticate them in your application. A user credential token is stored in a cookie.
         "Passport" Authentication is performed via a centralized authentication service provided
          by Microsoft that offers a single logon and core profile services for member sites.
   -->
   <authentication mode="Windows" />
   <!--  AUTHORIZATION
         This section sets the authorization policies of the application. You can allow or deny access
         to application resources by user or role. Wildcards: "*" mean everyone, "?" means anonymous
         (unauthenticated) users.
   -->
   <authorization>
     <allow users="*" />
     <!-- Allow all users -->
     <!--  <allow     users="[comma separated list of users]"
                            roles="[comma separated list of roles]"/>
                 <deny      users="[comma separated list of users]"
                            roles="[comma separated list of roles]"/>
           -->
   </authorization>
   <!--  APPLICATION-LEVEL TRACE LOGGING
         Application-level tracing enables trace log output for every page within an application.
         Set trace enabled="true" to enable application trace logging.  If pageOutput="true", the
         trace information will be displayed at the bottom of each page.  Otherwise, you can view the
         application trace log by browsing the "trace.axd" page from your web application
         root.
   -->
   <trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" />
   <!--  SESSION STATE SETTINGS
         By default ASP.NET uses cookies to identify which requests belong to a particular session.
         If cookies are not available, a session can be tracked by adding a session identifier to the URL.
         To disable cookies, set sessionState cookieless="true".
   -->
   <sessionState mode="InProc" stateConnectionString="tcpip=127.0.0.1:42424" sqlConnectionString="data source=127.0.0.1;Trusted_Connection=yes" cookieless="false" timeout="20" />
   <!--  GLOBALIZATION
         This section sets the globalization settings of the application.
   -->
   <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
   <webServices>
     <soapExtensionTypes>
       <add type="Microsoft.Web.Services2.WebServicesExtension, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" priority="1" group="0" />
     </soapExtensionTypes>
   </webServices>
 </system.web>
 <microsoft.web.services2>
   <security>
     <securityTokenManager type="Causeway.WebServices.Security.WSE20.TokenManager.MyUsernameTokenManager, WSPolicyUsername" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" qname="wsse:UsernameToken">
       <replayDetection enabled="false" />
     </securityTokenManager>
   </security>
   <diagnostics />
   <tokenIssuer>
     <autoIssueSecurityContextToken enabled="true" />
   </tokenIssuer>
   <policy>
     <cache name="policyCache.config" />
   </policy>
 </microsoft.web.services2>
</configuration>

Policy File
=======
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
 <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
   <!--The following policy describes the policy requirements for the service: http://localhost/WSPolicyUsername/Service1.asmx .-->
   <endpoint uri="http://localhost/WSPolicyUsername/Service1.asmx">
     <defaultOperation>
       <request policy="#Sign-Username" />
       <response policy="" />
       <fault policy="" />
     </defaultOperation>
   </endpoint>
 </mappings>
 <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy" xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
   <wsp:Policy wsu:Id="Sign-Username">
     <!--MessagePredicate is used to require headers. This assertion should be used along with the Integrity assertion when the presence of the signed element is required. NOTE: this assertion does not do anything for enforcement (send-side) policy.-->
     <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
     <!--The Integrity assertion is used to ensure that the message is signed with Username. Many Web services will also use the token for authorization, such as by using the <wse:Role> claim or specific Username claims.-->
     <wssp:Integrity wsp:Usage="wsp:Required">
       <wssp:TokenInfo>
         <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.-->
         <wssp:SecurityToken>
           <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
           <wssp:Claims>
             <wse:Parent>
               <wssp:SecurityToken wse:IdentityToken="true">
                 <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
               </wssp:SecurityToken>
             </wse:Parent>
           </wssp:Claims>
         </wssp:SecurityToken>
       </wssp:TokenInfo>
       <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
     </wssp:Integrity>
   </wsp:Policy>
 </policies>
</policyDocument>

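Client Source:
==========
using System;
using Microsoft.Web.Services2.Security;        // MessageSignature
using Microsoft.Web.Services2.Security.Tokens; // UsernameToken, PasswordOption

 [STAThread]
 static void Main(string[] args)
 {
  // Username token carrying a hashed password
  UsernameToken token = new UsernameToken("lenin", "lenin12", PasswordOption.SendHashed);

  // Generated proxy for the service; attach the token and sign the request with it
  localhost.Service1 a = new PolicyClient.localhost.Service1();
  a.RequestSoapContext.Security.Tokens.Add(token);
  a.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));

  try
  {
   Console.WriteLine(a.HelloWorld());
  }
  catch (Exception ex)
  {
   Console.WriteLine(ex.Message);
   Console.ReadLine();
  }
 }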

Error
=====
Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402: The message does not conform to the policy it was mapped to.
  at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.VerifyMessageWithExpression(PolicyExpression expression, SoapEnvelope message, EndpointReference endpoint, String action, Uri requestEndpoint)
  at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.Verify(SoapEnvelope message)
  at Microsoft.Web.Services2.Policy.PolicyVerificationInputFilter.ProcessMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
  at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)

John Jenkins - 08 May 2005 19:02 GMT
Sorry if I wasted anyone's time. I saw the issue. I did not have any details of password requirements in the policy file.

Thanks

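
A small diagnostic for the MessagePredicate side of a WSE402 investigation, added here as an example and not part of the original thread or of WSE itself: it lists which parts required by the posted predicate are absent from a captured request. The envelope is constructed, the mapping of wse:Timestamp() to wsu:Timestamp inside wsse:Security is an assumption, and the Integrity assertion and token claims are not checked.

```python
import io
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSP = "http://schemas.xmlsoap.org/ws/2002/12/policy"
WSA = "http://schemas.xmlsoap.org/ws/2004/03/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# MessagePredicate copied from the posted policy; everything else trimmed away.
POLICY = f"""<policies xmlns:wsp="{WSP}" xmlns:wsa="{WSA}"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
  <wsp:Policy>
    <wsp:MessagePredicate wsp:Usage="wsp:Required">wsp:Body() wsp:Header(wsa:To)
      wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
  </wsp:Policy>
</policies>"""

# Constructed request for illustration: no wsa:MessageID and no timestamp.
ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsa="{WSA}">
  <soap:Header>
    <wsa:Action>http://tempuri.org/HelloWorld</wsa:Action>
    <wsa:To>http://localhost/WSPolicyUsername/Service1.asmx</wsa:To>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def parse_with_prefixes(xml_text):
    """Parse XML and also return its prefix -> namespace URI declarations."""
    prefixes, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[item[0]] = item[1]   # item is (prefix, uri)
        elif root is None:
            root = item                   # first "start" event is the root
    return root, prefixes


def missing_parts(policy_xml, envelope_xml):
    """Return the predicate's required parts that the SOAP envelope lacks."""
    policy, prefixes = parse_with_prefixes(policy_xml)
    parts = [p for pred in policy.iter(f"{{{WSP}}}MessagePredicate") for p in (pred.text or "").split()]
    envelope = ET.fromstring(envelope_xml)
    header = envelope.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element("empty")  # lets the lookups below simply find nothing
    missing = []
    for part in parts:
        if part == "wsp:Body()":
            found = envelope.find(f"{{{SOAP}}}Body") is not None
        elif part == "wse:Timestamp()":
            # Assumption: the timestamp is wsu:Timestamp inside wsse:Security.
            found = header.find(f"{{{WSSE}}}Security/{{{WSU}}}Timestamp") is not None
        elif part.startswith("wsp:Header(") and part.endswith(")"):
            prefix, _, local = part[len("wsp:Header("):-1].partition(":")
            found = header.find(f"{{{prefixes.get(prefix, '')}}}{local}") is not None
        else:
            found = False  # unrecognised expression: surface it to the reader
        if not found:
            missing.append(part)
    return missing
```

Calling `missing_parts(POLICY, ENVELOPE)` on the constructed request reports the MessageID header and the timestamp as absent.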
