WSE 3.0 Username basic question



WSE 3.0 Username basic question BrookHeat
2/21/2006 7:21:28 AM
Hello,

I want to restrict access to an ASP.NET web service using a WS-Security
Username and password. I'm *not* using SSL, certificates, Kerberos, Windows
accounts, or anything of the kind. I simply want to 1) detect whether or not
the <wsse:UsernameToken> element is present. If not, automatically reject
the request. If so, check for an acceptable password.

To accomplish this, I've written a custom UsernameTokenManager, which looks
like this:

Imports Microsoft.VisualBasic
Imports Microsoft.Web.Services3.Security.Tokens

Namespace Brook

    ' WSE 3.0 hands the incoming <wsse:UsernameToken> to AuthenticateToken.
    ' The override returns the password WSE should expect for that username;
    ' WSE then compares it with the password the client actually sent.
    Public Class MyUserNameTokenManager
        Inherits UsernameTokenManager

        Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
            Dim blah As String
            blah = ""
            ' Only one hard-coded account; an unknown user gets an empty password.
            If token.Username = "brook" Then
                blah = "monkey"
            End If
            Return blah
        End Function
    End Class

End Namespace

Furthermore, I have updated my web.config file with the following:

<security>
  <securityTokenManager>
    <add type="Brook.MyUserNameTokenManager"
         namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
         localName="UsernameToken"
         qname="wsse:UsernameToken" />
  </securityTokenManager>
</security>

Now, the good news is that this works flawlessly: a client sending a request
to the service with an incorrect username/password is returned an error. The
problem is that clients sending requests with *no* WS-Security information
(just a plain old SOAP message) are allowed through.

How do I configure my service to reject messages that are missing the
<wsse:UsernameToken> security information in the soap header? I'm thinking
the answer might be in the use of a policy file, but I haven't had any
success on this front.

Thanks

Re: WSE 3.0 Username basic question BrookHeat
2/21/2006 10:35:29 AM
Pablo

Thanks for the suggestion; however, I do not wish to use certificates, nor
do I wish to use any form of Windows authentication. I only want to use
WS-Security usernames and passwords; i.e. <wsse:UsernameToken> and
<wsse:Password> in the <wsse:Security> tag. The message should be rejected
if <wsse:Security> tags are missing; it should also be rejected if the
username and password don't match. That is why I went with the custom
UsernameTokenManager.

Thanks

Brook

Re: WSE 3.0 Username basic question BrookHeat
2/21/2006 11:56:28 AM
Pablo

Your tip pointed me in the right direction; it turns out that all I need is
the UsernameOverTransport assertion + Custom UsernameTokenManager.

My web.config looks like this:

<microsoft.web.services3>
  <security>
    <securityTokenManager>
      <add type="Brook.MyUserNameTokenManager"
           namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
           localName="UsernameToken" />
    </securityTokenManager>
  </security>
  <policy fileName="wse3policyCache.config" />
</microsoft.web.services3>

And my policy file:

<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity"
               type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="BrookSecurityPolicy">
    <usernameOverTransportSecurity />
  </policy>
</policies>

This configuration did exactly what I wanted: it rejected anything that didn't
have a wsse:UsernameToken tag in the SOAP header, and only allowed valid
username/password combinations.

Interestingly enough, the authorization assertion caused all kinds of
problems (perhaps because I was connecting to the service from a Java
client), but getting rid of it didn't seem to hurt me.

Thanks again for the help!
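
The exchange this thread ends up configuring, shown as an added example in Python that is not part of the thread or of WSE: a client that builds the SOAP request with, or for the failing case without, a wsse:UsernameToken, and a server-side check that does what the UsernameOverTransport assertion and the custom token manager do together: reject a message that carries no token at all, then validate the password in either PasswordText or PasswordDigest form per the WS-Security UsernameToken Profile 1.0. The credential table, the urn:example operation and the 300-second freshness window are constructed for the example; authenticate_token mirrors the thread's AuthenticateToken contract of returning the expected password.

```python
import base64
import datetime
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# SOAP 1.1, WS-Security 1.0 and UsernameToken Profile 1.0 namespaces.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP_NS + "#PasswordText"
PASSWORD_DIGEST = UTP_NS + "#PasswordDigest"
for _prefix, _uri in (("soap", SOAP_NS), ("wsse", WSSE_NS), ("wsu", WSU_NS)):
    ET.register_namespace(_prefix, _uri)

# Constructed credential table; the thread's manager hard-codes brook/monkey.
PASSWORDS = {"brook": "monkey"}


def authenticate_token(username):
    """Same contract as UsernameTokenManager.AuthenticateToken: the stored
    password for this user, or "" for an unknown user so nothing can match."""
    return PASSWORDS.get(username, "")


def password_digest(nonce, created, password):
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce || created || password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_request(username=None, password=None, use_digest=True):
    """Client side. username=None omits wsse:Security entirely, i.e. the plain
    SOAP message that the token manager on its own let through."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    if username is not None:
        sec = ET.SubElement(header, f"{{{WSSE_NS}}}Security", {f"{{{SOAP_NS}}}mustUnderstand": "1"})
        tok = ET.SubElement(sec, f"{{{WSSE_NS}}}UsernameToken")
        ET.SubElement(tok, f"{{{WSSE_NS}}}Username").text = username
        if use_digest:
            nonce = os.urandom(16)
            created = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            pw = ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_DIGEST})
            pw.text = password_digest(nonce, created, password)
            ET.SubElement(tok, f"{{{WSSE_NS}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
            ET.SubElement(tok, f"{{{WSU_NS}}}Created").text = created
        else:
            # PasswordText: the secret crosses the wire as-is, hence the SSL caveat.
            ET.SubElement(tok, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT}).text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "{urn:example}Echo").text = "hello"  # hypothetical operation
    return ET.tostring(env, encoding="unicode")


def verify_request(xml_text, seen_nonces=None, max_skew_seconds=300):
    """Server side. Returns (True, username) or (False, reason). The first check
    is the one the original setup lacked: a missing token is a rejection."""
    env = ET.fromstring(xml_text)
    tok = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        return False, "no wsse:UsernameToken in the SOAP header"
    username = tok.findtext(f"{{{WSSE_NS}}}Username") or ""
    pw = tok.find(f"{{{WSSE_NS}}}Password")
    if not username or pw is None or not pw.text:
        return False, "UsernameToken missing Username or Password"
    expected = authenticate_token(username)
    if not expected:
        return False, "unknown user"
    ptype = pw.get("Type", PASSWORD_TEXT)
    nonce_b64 = None
    if ptype == PASSWORD_TEXT:
        reference = expected
    elif ptype == PASSWORD_DIGEST:
        nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
        created = tok.findtext(f"{{{WSU_NS}}}Created")
        if not nonce_b64 or not created:
            return False, "PasswordDigest without Nonce/Created"
        try:
            nonce = base64.b64decode(nonce_b64, validate=True)
            ts = datetime.datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=datetime.timezone.utc)
        except ValueError:
            return False, "malformed Nonce or Created"
        if abs((datetime.datetime.now(datetime.timezone.utc) - ts).total_seconds()) > max_skew_seconds:
            return False, "Created outside the freshness window"
        if seen_nonces is not None and nonce_b64 in seen_nonces:
            return False, "replayed nonce"
        reference = password_digest(nonce, created, expected)
    else:
        return False, "unsupported password Type"
    # Constant-time compare on the UTF-8 bytes of presented vs. expected value.
    if not hmac.compare_digest(pw.text.encode("utf-8"), reference.encode("utf-8")):
        return False, "password mismatch"
    if seen_nonces is not None and nonce_b64 is not None:
        seen_nonces.add(nonce_b64)  # remember only nonces that actually authenticated
    return True, username
```

Two points the thread's final setup leaves implicit. With UsernameOverTransport and no SSL, a PasswordText token carries the password in clear on the wire, and PasswordDigest only wraps it in a SHA-1 over nonce, timestamp and password that an observer can brute-force offline; the assertion's name says where the confidentiality is expected to come from. The nonce cache and the Created window in verify_request are what keep a captured digest token from being replayed; pass a shared set as seen_nonces to enable them.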

Re: WSE 3.0 Username basic question Pablo Cibraro
2/21/2006 2:39:49 PM
Hi Brook,

You should add an authorization assertion to the policy assigned to the web
service.
Something like this:

<policy name="usernameTokenSecurity">
  <authorization>
    <allow role="SomeRole"/>
  </authorization>
  <usernameForCertificateSecurity establishSecurityContext="true"
                                  renewExpiredSecurityContext="false"
                                  requireSignatureConfirmation="false"
                                  messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                                  requireDerivedKeys="true"
                                  ttlInSeconds="60">
    <serviceToken>
      <x509 storeLocation="LocalMachine" storeName="My"
            findValue="CN=WSE2QuickStartServer"
            findType="FindBySubjectDistinguishedName" />
    </serviceToken>
    <protection>
      <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
    </protection>
  </usernameForCertificateSecurity>
  <requireActionHeader />
</policy>

In this case, only the users assigned to the role "SomeRole" will be able to
execute the service. The authorization assertion also supports user names
instead of roles.

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax


Re: WSE 3.0 Username basic question Pablo Cibraro
2/21/2006 4:31:36 PM
Ok, use the UsernameOverTransport assertion + Authorization assertion + your
Custom username token manager.

Does it make sense?

Regards,
Pablo.
