
.NET Forum / ASP.NET / Web Services / July 2005
Mutable Security Token exception

Eric - 19 Jun 2005 20:18 GMT
The big picture: I want to use WS-Trust with a Security token service that
issues a custom Security Token that I later will be sending to other web
services.

I've been using the code in CustomXmlSecTokenCode sample that comes with WSE
2 as my starting point.
I made the following changes:
* Support for a UsernameToken (still encrypted with X509, and I would have
liked to also sign with the X509; see the end of this message.)
* Added support for roles in the XmlToken

I have managed to get almost everything to work, but when IssueSecurityToken
returns I get "Mutable Security Token has to be added into the tokens
collection" and I can't see what I'm doing wrong. The exception is thrown in
the custom XmlToken GetXml method on the following line:
element.AppendChild(new EncryptedKey(this.serviceToken, this.key.KeyBytes).GetXml(document));

The serviceToken is an X509SecurityToken.

I have also tried to comment out the ResponseEncryptingToken = null line,
since I want it to be encrypted:

RolesToken issuedXmlToken = new RolesToken(serviceToken, Roles.GetRolesForUser(usernameToken.Username));

// Generate new request as a RSTR
RequestSecurityTokenResponse requestSecurityTokenResponse = new RequestSecurityTokenResponse(issuedXmlToken);

// Generate a proof token so that the token requestor can recover the key material
requestSecurityTokenResponse.RequestedProofToken = new RequestedProofToken(((SymmetricKeyAlgorithm)issuedXmlToken.Key).KeyBytes, base.RequestSigningToken);

// Add an envelope signature over the issued token
requestSecurityTokenResponse.RequestedSecurityToken.SigningToken = ResponseSigningToken;

// Comment the following line of code to enable encryption of the whole RSTR
ResponseEncryptingToken = null;

// return the rstr
return requestSecurityTokenResponse;

This only gives me:
WSE1300: The encrypting token in an RST or RSTR cannot be a UsernameToken.

It's because the UsernameToken is used as RequestSigningToken at the client
that it's later used for encryption. But if I try to switch the
RequestSigningToken to my X509SecurityToken on the client, it instead
complains that I'm not using BaseToken.

Maybe I'm missing something in the big picture?

Could someone please help me get out of my catch-22 situation?

Thanks in advance,
Eric Quist
Sidd [MSFT] - 23 Jun 2005 07:08 GMT
Hi Eric,

In general, when you see a Mutable security message, it generally means that when
you sign or encrypt a message with a Mutable security token, then that token has
to be in the message. In WSE, UsernameTokens are mutable security tokens, and
hence they have to be present in the message.

Does this help answer your question? If not, please let me know.

Thanks,

Sidd [MSFT]
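As an added illustration of the point Sidd makes (not code from the thread or from WSE itself), the check below walks a constructed wsse:Security header of the kind an RSTR carries and flags every SecurityTokenReference the receiver could not resolve: a direct #id reference must point at a token carried in the header (the only way a UsernameToken can ever be resolved), while an X.509 KeyIdentifier may stand in for a certificate the receiver already holds. The namespaces and the X509SubjectKeyIdentifier value type are the WS-Security 1.0 ones; the header content and ids are constructed.

```python
import xml.etree.ElementTree as ET

# WS-Security 1.0 namespaces (the profile WSE 2.0 implements).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
# An X.509 KeyIdentifier names a certificate the receiver can fetch from its own store.
X509_SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"


def unresolved_token_references(security_header_xml: str) -> list:
    """Return the references in a <wsse:Security> header that point at nothing.

    A <wsse:Reference URI="#id"> must resolve to a token carried in the header;
    a UsernameToken is only ever resolvable that way, which is why WSE insists
    it be added to the message's token collection. A <wsse:KeyIdentifier> of an
    X.509 type may refer to a certificate the receiver already holds.
    """
    root = ET.fromstring(security_header_xml)
    # Every element carrying a wsu:Id is a token (or other part) the header carries.
    present = {el.get(f"{{{WSU}}}Id") for el in root.iter() if el.get(f"{{{WSU}}}Id")}
    missing = []
    for str_el in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        ref = str_el.find(f"{{{WSSE}}}Reference")
        if ref is not None:
            uri = ref.get("URI", "")
            if not (uri.startswith("#") and uri[1:] in present):
                missing.append(uri)
            continue
        kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if kid is None or kid.get("ValueType") != X509_SKI:
            missing.append("KeyIdentifier:" + (kid.get("ValueType", "?") if kid is not None else "none"))
    return missing


# Constructed RSTR header: the X.509 token used for encryption is carried in-message,
# but the signature refers to a UsernameToken (#UT-1) that was never added to the
# header, which is the situation behind the exception in the thread.
SAMPLE_HEADER = f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"
               xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
               xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <wsse:BinarySecurityToken wsu:Id="X509-1">MIIB...constructed...</wsse:BinarySecurityToken>
  <xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#X509-1"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
  <ds:Signature><ds:KeyInfo><wsse:SecurityTokenReference>
    <wsse:Reference URI="#UT-1"/>
  </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>
"""
```

Running the check on SAMPLE_HEADER reports only "#UT-1"; adding a wsse:UsernameToken with wsu:Id="UT-1" to the header makes the list empty, which is what the "has to be added into the tokens collection" message is asking for.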
Eric Quist - 02 Jul 2005 14:53 GMT
I have understood that UsernameTokens are mutable, but I guess that it doesn't
make sense to send the UsernameToken back to the client again. Wouldn't WSE
even try to verify the UsernameToken on the client again, which definitely
doesn't make sense?

Considering how little I have found on the web about this, I start to think
that my original thoughts are in the wrong direction. This is what I want to
accomplish:

1. I must support KerberosToken and UsernameToken.
2. I want to get the roles that the user belongs to (probably in a custom
token).
3. I want to be able to send a custom token with the roles in a secure
manner to an Activity Service or to an Entity Service. In these "business"
services I would be able to verify that the user belongs to a role.
4. It is Ok to distribute a public part of an X509 Certificate to all the
clients (to verify the server and for encryption use), but I would rather not
use certificates to authenticate the client.

My original idea was to implement this as follows:
1. Use WS-Trust.
2. Create a Security Infrastructure Service (the STS). This is the step that
I fail to complete in my original question for UsernameTokens.
3. The client sends a request to the STS with a KerberosToken (if the user
belongs to the domain) or with an encrypted and signed UsernameToken.
4. The STS will verify UsernameTokens against a database.
5. The STS will pick up which roles a user belongs to from the database (no
matter how the user is authenticated).
6. The STS will send these roles in a Custom XML token (which I call
RolesToken).
It is the return of this custom token that I can't figure out how to solve.
7. When the client application receives the Custom XML token, it will use it
to send to another Web Service (a business web service).
8. The business web service will use this RolesToken to find out if a user
belongs to a role or not.

Is this the way to go? And in that case, what would I have to do to be able
to return RSTR in a secure way so that my business web services can trust it?
I would be so glad if someone could post the code required (to make it work
with a UsernameToken in the request) after I have created my custom
RolesToken in the IssueSecurityToken method.

Thanks in advance, Eric
