| Groups | Blog | Home |
dotnet web services enhancements : Are my Responses Encrypted?
Hi All,
If I call a WebMethod and supply a UsernameToken, a MessageSignature and an EncrypedData object I know that my message to the server is secure. If I do nothing other than return the 'result' in my WebMethod, is the Response sent back to the client secure? If so, is it automatically Encrypted & Signed with the Security Token the client sent in the Request? Chris
Hi Chris,
The answer is no. You are only protecting the request message, so you will have to do the same for the response message. Regards, Pablo Cibraro www.lagash.com [quoted text, click to view] "Chris Arnold" <chris.arnold@data-interface.net> wrote in message news:%23xwxHy3wFHA.1488@TK2MSFTNGP10.phx.gbl... > Hi All, > > If I call a WebMethod and supply a UsernameToken, a MessageSignature and > an EncrypedData object I know that my message to the server is secure. > > If I do nothing other than return the 'result' in my WebMethod, is the > Response sent back to the client secure? > > If so, is it automatically Encrypted & Signed with the Security Token the > client sent in the Request? > > Chris >
Thanks Pablo.
I am now attaching a UsernameToken to the Response message sent from the server. However, when I try to implement my own UsernameTokenManager on the client it fails to load with the following exception ... System.Configuration.ConfigurationException: WSE032: There was an error loading the microsoft.web.services2 configuration section. ---> System.Configuration.ConfigurationException: WSE040: Type WSE_Test.ClientUsernameTokenManager, ClientUsernameTokenManager could not be loaded. Please check the configuration file. at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.LoadSecurityTokenManager(String typeName, String configSection, XmlNodeList configData) at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.ParseSecurityTokenManager(XmlElement child) at Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.Load(XmlNode section) at Microsoft.Web.Services2.Configuration.WebServicesConfiguration.System.Configuration.IConfigurationSectionHandler.Create(Object parent, Object configContext, XmlNode section) at System.Configuration.ConfigurationRecord.EvaluateRecursive(IConfigurationSectionHandler factory, Object config, String[] keys, Int32 iKey, XmlTextReader reader) at System.Configuration.ConfigurationRecord.Evaluate(String configKey) at System.Configuration.ConfigurationRecord.ResolveConfig(String configKey) at System.Configuration.ConfigurationRecord.GetConfig(String configKey) at System.Configuration.DefaultConfigurationSystem.System.Configuration.IConfigurationSystem.GetConfig(String configKey) at System.Configuration.ConfigurationSettings.GetConfig(String sectionName) at Microsoft.Web.Services2.Configuration.WebServicesConfiguration.Initialize() --- End of inner exception stack trace --- I have just copied the settings from the Web.config file of my web service and entered it in the App.config file of my client - but I'm obviously doing something wrong! Anyone got any examples of Authentication etc on the client side? [quoted text, click to view] "Pablo Cibraro" <pcibraro@hotmail.com> wrote in message news:ekn7tf4wFHA.2212@TK2MSFTNGP15.phx.gbl... > Hi Chris, > The answer is no. You are only protecting the request message, so you will > have to do the same for the response message. > > Regards, > Pablo Cibraro > www.lagash.com > > > "Chris Arnold" <chris.arnold@data-interface.net> wrote in message > news:%23xwxHy3wFHA.1488@TK2MSFTNGP10.phx.gbl... >> Hi All, >> >> If I call a WebMethod and supply a UsernameToken, a MessageSignature and >> an EncrypedData object I know that my message to the server is secure. >> >> If I do nothing other than return the 'result' in my WebMethod, is the >> Response sent back to the client secure? >> >> If so, is it automatically Encrypted & Signed with the Security Token the >> client sent in the Request? >> >> Chris >> > >
since you are signing the message, one option you have is to set the client
to not send the password. WSE will automatically "verify the password" based on verifying the message signature (since the password was used to generate the signature). depending on the level of security you're going for, you have two options to encrypt the response: echo the usernametoken back and resign and encrypt the message with the original token or sign and encrypt the response with an X.509 cert. i'm not real sure exactly how secure resigning the response with the original token is. could someone comment on this?? [quoted text, click to view] "Chris Arnold" wrote:
> Thanks Pablo. > > I am now attaching a UsernameToken to the Response message sent from the > server. However, when I try to implement my own UsernameTokenManager on the > client it fails to load with the following exception ... > > System.Configuration.ConfigurationException: WSE032: There was an error > loading the microsoft.web.services2 configuration section. ---> > System.Configuration.ConfigurationException: WSE040: Type > WSE_Test.ClientUsernameTokenManager, ClientUsernameTokenManager could not be > loaded. Please check the configuration file. > at > Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.LoadSecurityTokenManager(String > typeName, String configSection, XmlNodeList configData) > at > Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.ParseSecurityTokenManager(XmlElement > child) > at > Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.Load(XmlNode > section) > at > Microsoft.Web.Services2.Configuration.WebServicesConfiguration.System.Configuration.IConfigurationSectionHandler.Create(Object > parent, Object configContext, XmlNode section) > at > System.Configuration.ConfigurationRecord.EvaluateRecursive(IConfigurationSectionHandler > factory, Object config, String[] keys, Int32 iKey, XmlTextReader reader) > at System.Configuration.ConfigurationRecord.Evaluate(String configKey) > at System.Configuration.ConfigurationRecord.ResolveConfig(String > configKey) > at System.Configuration.ConfigurationRecord.GetConfig(String configKey) > at > System.Configuration.DefaultConfigurationSystem.System.Configuration.IConfigurationSystem.GetConfig(String > configKey) > at System.Configuration.ConfigurationSettings.GetConfig(String > sectionName) > at > Microsoft.Web.Services2.Configuration.WebServicesConfiguration.Initialize() > --- End of inner exception stack trace --- > > > > I have just copied the settings from the Web.config file of my web service > and entered it in the App.config file of my client - but I'm obviously doing > something wrong! Anyone got any examples of Authentication etc on the client > side? > > > > "Pablo Cibraro" <pcibraro@hotmail.com> wrote in message > news:ekn7tf4wFHA.2212@TK2MSFTNGP15.phx.gbl... > > Hi Chris, > > The answer is no. You are only protecting the request message, so you will > > have to do the same for the response message. > > > > Regards, > > Pablo Cibraro > > www.lagash.com > > > > > > "Chris Arnold" <chris.arnold@data-interface.net> wrote in message > > news:%23xwxHy3wFHA.1488@TK2MSFTNGP10.phx.gbl... > >> Hi All, > >> > >> If I call a WebMethod and supply a UsernameToken, a MessageSignature and > >> an EncrypedData object I know that my message to the server is secure. > >> > >> If I do nothing other than return the 'result' in my WebMethod, is the > >> Response sent back to the client secure? > >> > >> If so, is it automatically Encrypted & Signed with the Security Token the > >> client sent in the Request? > >> > >> Chris > >> > > > > > >
I could be wrong as I have not tried this on a reply, but:
1) The client has the UT. 2) The server has the UT cached after verification including the pw or pw equiv. Regardless of (none, hashed, sendplain) 3) In the reply, just encrypt/sign with the UT. 4) The client "knows" the UT in the reply, so WSE should just verify the reply automatically as the UT is cached. (maybe you need the cache the UT locally, not sure here or if this is done automatically) That said, I would not use a UT for this anyway for security reasons. I would use a SCT both ways. -- William Stacey [MVP] [quoted text, click to view] "Burton Rodman" <BurtonRodman@discussions.microsoft.com> wrote in message news:E71C4034-58CF-46F7-BC06-296660FA5ECC@microsoft.com... > since you are signing the message, one option you have is to set the > client > to not send the password. WSE will automatically "verify the password" > based > on verifying the message signature (since the password was used to > generate > the signature). > > depending on the level of security you're going for, you have two options > to > encrypt the response: > echo the usernametoken back and resign and encrypt the message with the > original token > or > sign and encrypt the response with an X.509 cert. > > i'm not real sure exactly how secure resigning the response with the > original token is. could someone comment on this?? > > > > "Chris Arnold" wrote: > >> Thanks Pablo. >> >> I am now attaching a UsernameToken to the Response message sent from the >> server. However, when I try to implement my own UsernameTokenManager on >> the >> client it fails to load with the following exception ... >> >> System.Configuration.ConfigurationException: WSE032: There was an error >> loading the microsoft.web.services2 configuration section. ---> >> System.Configuration.ConfigurationException: WSE040: Type >> WSE_Test.ClientUsernameTokenManager, ClientUsernameTokenManager could not >> be >> loaded. Please check the configuration file. >> at >> Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.LoadSecurityTokenManager(String >> typeName, String configSection, XmlNodeList configData) >> at >> Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.ParseSecurityTokenManager(XmlElement >> child) >> at >> Microsoft.Web.Services2.Security.Configuration.SecurityConfiguration.Load(XmlNode >> section) >> at >> Microsoft.Web.Services2.Configuration.WebServicesConfiguration.System.Configuration.IConfigurationSectionHandler.Create(Object >> parent, Object configContext, XmlNode section) >> at >> System.Configuration.ConfigurationRecord.EvaluateRecursive(IConfigurationSectionHandler >> factory, Object config, String[] keys, Int32 iKey, XmlTextReader reader) >> at System.Configuration.ConfigurationRecord.Evaluate(String configKey) >> at System.Configuration.ConfigurationRecord.ResolveConfig(String >> configKey) >> at System.Configuration.ConfigurationRecord.GetConfig(String >> configKey) >> at >> System.Configuration.DefaultConfigurationSystem.System.Configuration.IConfigurationSystem.GetConfig(String >> configKey) >> at System.Configuration.ConfigurationSettings.GetConfig(String >> sectionName) >> at >> Microsoft.Web.Services2.Configuration.WebServicesConfiguration.Initialize() >> --- End of inner exception stack trace --- >> >> >> >> I have just copied the settings from the Web.config file of my web >> service >> and entered it in the App.config file of my client - but I'm obviously >> doing >> something wrong! Anyone got any examples of Authentication etc on the >> client >> side? >> >> >> >> "Pablo Cibraro" <pcibraro@hotmail.com> wrote in message >> news:ekn7tf4wFHA.2212@TK2MSFTNGP15.phx.gbl... >> > Hi Chris, >> > The answer is no. You are only protecting the request message, so you >> > will >> > have to do the same for the response message. >> > >> > Regards, >> > Pablo Cibraro >> > www.lagash.com >> > >> > >> > "Chris Arnold" <chris.arnold@data-interface.net> wrote in message >> > news:%23xwxHy3wFHA.1488@TK2MSFTNGP10.phx.gbl... >> >> Hi All, >> >> >> >> If I call a WebMethod and supply a UsernameToken, a MessageSignature >> >> and >> >> an EncrypedData object I know that my message to the server is secure. >> >> >> >> If I do nothing other than return the 'result' in my WebMethod, is the >> >> Response sent back to the client secure? >> >> >> >> If so, is it automatically Encrypted & Signed with the Security Token >> >> the >> >> client sent in the Request? >> >> >> >> Chris >> >> >> > >> > >> >> >>
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |