|
|
You're in the
dotnet web services enhancements
group:Overriding X509SecurityTokenManager.AuthenticateToken
dotnet web services enhancements:
I have some special logic I would like to perform to make sure we accept a
certain certificate in my webservice. The X509SecurityTokenManager.AuthenticateToken method has no return value so I was wondering what is the proper thing to do when the certificate is not accepted by the WebService? I figured I would throw a security fault with the code set to FailedAuthenticationCode. Is this the correct thing to do? Thanks,
Hello Oldman,
Are you sure you cant use policy to implement that 'special' logic. The Authenticate method should just be validating that the certificate it receives is valid (not expired/ trusted etc), unless you want to do something special with the tokens on its way in like, may be add an identity to the token etc.. I'd suggest take a look at how you can restrict uses based on policy first. If that doesnt fit the bill write a soap input filter to check all the tokens and throw the security fault in the filter. If you do the same in the token manager you're short circuiting the whole authentication process. By that I mean that you may receive more than on x509 token in the request. In that case you may end up throwing a soap fault even tho' the request had other valid x509 certificates. HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com [quoted text, click to view] > I have some special logic I would like to perform to make sure we > accept a > certain certificate in my webservice. > The X509SecurityTokenManager.AuthenticateToken method has no return > value so > I was wondering what is the proper thing to do when the certificate is > not > accepted by the WebService? I figured I would throw a security fault > with > the code set to FailedAuthenticationCode. > Is this the correct thing to do? > Thanks, > > Oldman >
I don't believe I can use a policy. I am trying to make sure that the
certificate is issued by us. Clients are only allowed to talk with our web service if they have a certificate issued by us. If they do not I want the authentication to fail. Oldman [quoted text, click to view] "Dilip Krishnan" wrote:
> Hello Oldman, > Are you sure you cant use policy to implement that 'special' logic. The > Authenticate method should just be validating that the certificate it receives > is valid (not expired/ trusted etc), unless you want to do something special > with the tokens on its way in like, may be add an identity to the token etc.. > I'd suggest take a look at how you can restrict uses based on policy first. > If that doesnt fit the bill write a soap input filter to check all the tokens > and throw the security fault in the filter. If you do the same in the token > manager you're short circuiting the whole authentication process. By that > I mean that you may receive more than on x509 token in the request. In that > case you may end up throwing a soap fault even tho' the request had other > valid x509 certificates. > > HTH > Regards, > Dilip Krishnan > MCAD, MCSD.net > dkrishnan at geniant dot com > http://www.geniant.com > > > I have some special logic I would like to perform to make sure we > > accept a > > certain certificate in my webservice. > > The X509SecurityTokenManager.AuthenticateToken method has no return > > value so > > I was wondering what is the proper thing to do when the certificate is > > not > > accepted by the WebService? I figured I would throw a security fault > > with > > the code set to FailedAuthenticationCode. > > Is this the correct thing to do? > > Thanks, > > > > Oldman > > > >
Hello Oldman,
I believe you can.. Lookup in the policy configuration reference IssuerToken. You can set up a claim for the issuer token to conform to the subject name supplied as shown below ... <wse:IssuerToken> <wssp:SecurityToken> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType> <wssp:Claims> <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName> </wssp:Claims> </wssp:SecurityToken> </wse:IssuerToken> ... HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com [quoted text, click to view] > I don't believe I can use a policy. I am trying to make sure that the > certificate is issued by us. Clients are only allowed to talk with > our web service if they have a certificate issued by us. If they do > not I want the authentication to fail. > > Oldman > > "Dilip Krishnan" wrote: > >> Hello Oldman, >> Are you sure you cant use policy to implement that 'special' logic. >> The >> Authenticate method should just be validating that the certificate it >> receives >> is valid (not expired/ trusted etc), unless you want to do something >> special >> with the tokens on its way in like, may be add an identity to the >> token etc.. >> I'd suggest take a look at how you can restrict uses based on policy >> first. >> If that doesnt fit the bill write a soap input filter to check all >> the tokens >> and throw the security fault in the filter. If you do the same in the >> token >> manager you're short circuiting the whole authentication process. By >> that >> I mean that you may receive more than on x509 token in the request. >> In that >> case you may end up throwing a soap fault even tho' the request had >> other >> valid x509 certificates. >> HTH >> Regards, >> Dilip Krishnan >> MCAD, MCSD.net >> dkrishnan at geniant dot com >> http://www.geniant.com >>> I have some special logic I would like to perform to make sure we >>> accept a >>> certain certificate in my webservice. >>> The X509SecurityTokenManager.AuthenticateToken method has no return >>> value so >>> I was wondering what is the proper thing to do when the certificate >>> is >>> not >>> accepted by the WebService? I figured I would throw a security >>> fault >>> with >>> the code set to FailedAuthenticationCode. >>> Is this the correct thing to do? >>> Thanks, >>> Oldman >>>
That's awsome. I'll try that out but still if I were to do it with code and
not a policy file how are you supposed to reject the authentication? Oldman [quoted text, click to view] "Dilip Krishnan" wrote:
> Hello Oldman, > I believe you can.. Lookup in the policy configuration reference IssuerToken. > You can set up a claim for the issuer token to conform to the subject name > supplied as shown below > > ... > <wse:IssuerToken> > <wssp:SecurityToken> > <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType> > <wssp:Claims> > <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName> > </wssp:Claims> > </wssp:SecurityToken> > </wse:IssuerToken> > ... > > HTH > Regards, > Dilip Krishnan > MCAD, MCSD.net > dkrishnan at geniant dot com > http://www.geniant.com > > > I don't believe I can use a policy. I am trying to make sure that the > > certificate is issued by us. Clients are only allowed to talk with > > our web service if they have a certificate issued by us. If they do > > not I want the authentication to fail. > > > > Oldman > > > > "Dilip Krishnan" wrote: > > > >> Hello Oldman, > >> Are you sure you cant use policy to implement that 'special' logic. > >> The > >> Authenticate method should just be validating that the certificate it > >> receives > >> is valid (not expired/ trusted etc), unless you want to do something > >> special > >> with the tokens on its way in like, may be add an identity to the > >> token etc.. > >> I'd suggest take a look at how you can restrict uses based on policy > >> first. > >> If that doesnt fit the bill write a soap input filter to check all > >> the tokens > >> and throw the security fault in the filter. If you do the same in the > >> token > >> manager you're short circuiting the whole authentication process. By > >> that > >> I mean that you may receive more than on x509 token in the request. > >> In that > >> case you may end up throwing a soap fault even tho' the request had > >> other > >> valid x509 certificates. > >> HTH > >> Regards, > >> Dilip Krishnan > >> MCAD, MCSD.net > >> dkrishnan at geniant dot com > >> http://www.geniant.com > >>> I have some special logic I would like to perform to make sure we > >>> accept a > >>> certain certificate in my webservice. > >>> The X509SecurityTokenManager.AuthenticateToken method has no return > >>> value so > >>> I was wondering what is the proper thing to do when the certificate > >>> is > >>> not > >>> accepted by the WebService? I figured I would throw a security > >>> fault > >>> with > >>> the code set to FailedAuthenticationCode. > >>> Is this the correct thing to do? > >>> Thanks, > >>> Oldman > >>> > >
Hello Oldman,
IMO use a soap filter. Check the tokens from the context and throw a soap fault if any of the tokens are not issued by you. X509Security token has methods that allow you to do that HTH Regards, Dilip Krishnan MCAD, MCSD.net dkrishnan at geniant dot com http://www.geniant.com [quoted text, click to view] > That's awsome. I'll try that out but still if I were to do it with > code and not a policy file how are you supposed to reject the > authentication? > > Oldman > > "Dilip Krishnan" wrote: > >> Hello Oldman, >> I believe you can.. Lookup in the policy configuration reference >> IssuerToken. >> You can set up a claim for the issuer token to conform to the subject >> name >> supplied as shown below >> ... >> >> <wse:IssuerToken> >> >> <wssp:SecurityToken> >> >> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w >> ss-x509-token-profile-1.0#X509v3</wssp:TokenType> >> >> <wssp:Claims> >> >> <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName> >> >> </wssp:Claims> >> >> </wssp:SecurityToken> >> >> </wse:IssuerToken> >> >> ... >> >> HTH >> Regards, >> Dilip Krishnan >> MCAD, MCSD.net >> dkrishnan at geniant dot com >> http://www.geniant.com >>> I don't believe I can use a policy. I am trying to make sure that >>> the certificate is issued by us. Clients are only allowed to talk >>> with our web service if they have a certificate issued by us. If >>> they do not I want the authentication to fail. >>> >>> Oldman >>> >>> "Dilip Krishnan" wrote: >>> >>>> Hello Oldman, >>>> Are you sure you cant use policy to implement that 'special' logic. >>>> The >>>> Authenticate method should just be validating that the certificate >>>> it >>>> receives >>>> is valid (not expired/ trusted etc), unless you want to do >>>> something >>>> special >>>> with the tokens on its way in like, may be add an identity to the >>>> token etc.. >>>> I'd suggest take a look at how you can restrict uses based on >>>> policy >>>> first. >>>> If that doesnt fit the bill write a soap input filter to check all >>>> the tokens >>>> and throw the security fault in the filter. If you do the same in >>>> the >>>> token >>>> manager you're short circuiting the whole authentication process. >>>> By >>>> that >>>> I mean that you may receive more than on x509 token in the request. >>>> In that >>>> case you may end up throwing a soap fault even tho' the request had >>>> other >>>> valid x509 certificates. >>>> HTH >>>> Regards, >>>> Dilip Krishnan >>>> MCAD, MCSD.net >>>> dkrishnan at geniant dot com >>>> http://www.geniant.com >>>>> I have some special logic I would like to perform to make sure we >>>>> accept a >>>>> certain certificate in my webservice. >>>>> The X509SecurityTokenManager.AuthenticateToken method has no >>>>> return >>>>> value so >>>>> I was wondering what is the proper thing to do when the >>>>> certificate >>>>> is >>>>> not >>>>> accepted by the WebService? I figured I would throw a security >>>>> fault >>>>> with >>>>> the code set to FailedAuthenticationCode. >>>>> Is this the correct thing to do? >>>>> Thanks, >>>>> Oldman
Hi Oldman,
[quoted text, click to view] > That's awsome. I'll try that out but still if I were to do it with code and > not a policy file how are you supposed to reject the authentication? Just throw an exception from your implementation of OnAuthenticate() (yes, I believe it is a somewhat ugly design there, but that's how it goes). In case you're not doing it already, you'll need to register your SecurityTokenManager using the <BinarySecurityTokenManager> element in your configuration. -- Tomas Restrepo tomasr@mvps.org
FYI, when using policy to enforce the issuer of a X509 signing token, you
can't use the IssuerToken element. That element is used in the context of requesting a security token from a web service that issues them. To do this via policy, I got this working by the following integrity policy (using TokenIssuer to demand who the issuer is for a SecurityToken, outside of a Claims element): <wssp:Integrity wsp:Usage="wsp:Required"> <wssp:TokenInfo> <!--The SecurityToken element within the TokenInfo element describes which token type must be used for Signing.--> <wssp:SecurityToken wse:IdentityToken="true"> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType> <wssp:TokenIssuer>CN=My CA Name</wssp:TokenIssuer> </wssp:SecurityToken> </wssp:TokenInfo> </wssp:Integrity> [quoted text, click to view] "Dilip Krishnan" wrote:
> Hello Oldman, > IMO use a soap filter. Check the tokens from the context and throw a > soap fault if any of the tokens are not issued by you. X509Security token > has methods that allow you to do that > HTH > Regards, > Dilip Krishnan > MCAD, MCSD.net > dkrishnan at geniant dot com > http://www.geniant.com > > > That's awsome. I'll try that out but still if I were to do it with > > code and not a policy file how are you supposed to reject the > > authentication? > > > > Oldman > > > > "Dilip Krishnan" wrote: > > > >> Hello Oldman, > >> I believe you can.. Lookup in the policy configuration reference > >> IssuerToken. > >> You can set up a claim for the issuer token to conform to the subject > >> name > >> supplied as shown below > >> ... > >> > >> <wse:IssuerToken> > >> > >> <wssp:SecurityToken> > >> > >> <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-w > >> ss-x509-token-profile-1.0#X509v3</wssp:TokenType> > >> > >> <wssp:Claims> > >> > >> <wssp:SubjectName>CN=Your Issuer Subject name</wssp:SubjectName> > >> > >> </wssp:Claims> > >> > >> </wssp:SecurityToken> > >> > >> </wse:IssuerToken> > >> > >> ... > >> > >> HTH > >> Regards, > >> Dilip Krishnan > >> MCAD, MCSD.net > >> dkrishnan at geniant dot com > >> http://www.geniant.com > >>> I don't believe I can use a policy. I am trying to make sure that > >>> the certificate is issued by us. Clients are only allowed to talk > >>> with our web service if they have a certificate issued by us. If > >>> they do not I want the authentication to fail. > >>> > >>> Oldman > >>> > >>> "Dilip Krishnan" wrote: > >>> > >>>> Hello Oldman, > >>>> Are you sure you cant use policy to implement that 'special' logic. > >>>> The > >>>> Authenticate method should just be validating that the certificate > >>>> it > >>>> receives > >>>> is valid (not expired/ trusted etc), unless you want to do > >>>> something > >>>> special > >>>> with the tokens on its way in like, may be add an identity to the > >>>> token etc.. > >>>> I'd suggest take a look at how you can restrict uses based on > >>>> policy > >>>> first. > >>>> If that doesnt fit the bill write a soap input filter to check all > >>>> the tokens > >>>> and throw the security fault in the filter. If you do the same in > >>>> the > >>>> token > >>>> manager you're short circuiting the whole authentication process. > >>>> By > >>>> that > >>>> I mean that you may receive more than on x509 token in the request. > >>>> In that > >>>> case you may end up throwing a soap fault even tho' the request had > >>>> other > >>>> valid x509 certificates. > >>>> HTH > >>>> Regards, > >>>> Dilip Krishnan > >>>> MCAD, MCSD.net > >>>> dkrishnan at geniant dot com > >>>> http://www.geniant.com > >>>>> I have some special logic I would like to perform to make sure we > >>>>> accept a > >>>>> certain certificate in my webservice. > >>>>> The X509SecurityTokenManager.AuthenticateToken method has no > >>>>> return > >>>>> value so > >>>>> I was wondering what is the proper thing to do when the > >>>>> certificate > >>>>> is > >>>>> not > >>>>> accepted by the WebService? I figured I would throw a security > >>>>> fault > >>>>> with > >>>>> the code set to FailedAuthenticationCode. > >>>>> Is this the correct thing to do? > >>>>> Thanks, > >>>>> Oldman > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |