|
|
You're in the
dotnet web services enhancements
group:WSE3: Client X509 Authorization Programmatically
dotnet web services enhancements:
I'm working in a Mutual X509 context, i can define the authorized clients into the wse policy config file using something like: <authorization> <allow user="CN=WSE2QuickStartClient" /> <deny user="*" /> </authorization> But i want add programmatically the users allowed to use the web service. So How can i do it? I tried making a custom assertion, and into the CreateServiceInputFilter adding to the context an AuthorizationAssertion: public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { auth = new AuthorizationAssertion(); auth.Rules.Add(new AccessCheckRule(true, "CN=WSE2QuickStartClient")); auth.Rules.Add(new AccessCheckRule(false, "*")); context.Policy.Assertions.Add(auth); return base.CreateServiceInputFilter(context); } this doesn't work: allways allow use the web service :(
I think you need to apply this change to your code:
public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { auth = new AuthorizationAssertion(); auth.Rules.Add(new AccessCheckRule(true, "CN=WSE2QuickStartClient")); auth.Rules.Add(new AccessCheckRule(false, "*")); return auth.CreateServiceInputFilter(context); } Regards, Pablo Cibraro http://weblogs.asp.net/cibrax [quoted text, click to view] "Adriana" <Adriana@discussions.microsoft.com> wrote in message news:A53CD125-65D7-4FBE-A65B-3A9A2E5A784E@microsoft.com... > > I'm working in a Mutual X509 context, i can define the authorized clients > into the wse policy config file using something like: > > <authorization> > <allow user="CN=WSE2QuickStartClient" /> > <deny user="*" /> > </authorization> > > But i want add programmatically the users allowed to use the web service. > So How can i do it? I tried making a custom assertion, and into the > CreateServiceInputFilter adding to the context an AuthorizationAssertion: > > public override SoapFilter CreateServiceInputFilter(FilterCreationContext > context) > { > auth = new AuthorizationAssertion(); > auth.Rules.Add(new AccessCheckRule(true, "CN=WSE2QuickStartClient")); > auth.Rules.Add(new AccessCheckRule(false, "*")); > > context.Policy.Assertions.Add(auth); > return base.CreateServiceInputFilter(context); > } > > this doesn't work: allways allow use the web service :( > > Thanks a lot for any help!
I tried with your answer but it didn't work...The code at the service is something like: public class CertAssertion : MutualCertificate11Assertion { ... public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { auth = new AuthorizationAssertion(); auth.Rules.Add(new AccessCheckRule(true, "CN=WSE2QuickStartClient")); auth.Rules.Add(new AccessCheckRule(false, "*")); return auth.CreateServiceInputFilter(context); } } The input trace file, looks like: Entering SOAP filter Microsoft.Web.Services3.Design.AuthorizationAssertion+AuthorizationFilter Exception thrown: Identity token not found. Authorization assertion requires identity token to be supplied by security assertion that runs prior to authorization. at Microsoft.Web.Services3.Design.AuthorizationAssertion.GetPrincipal(SoapEnvelope envelope, RoleProvider roleProvider) at Microsoft.Web.Services3.Design.AuthorizationAssertion.AuthorizationFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope) Maybe i need add something into the client? The policy at the client side, is only a MutualCertificate11Assertion, without a custom assertion... Thanks a lot!
I know what the problem is, you do not have to override the
MutualCertificate11Assertion to create your own authorization assertion. You should create a new assertion, something like this, public class CertAssertion : PolicyAssertion { ... public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { auth = new AuthorizationAssertion(); auth.Rules.Add(new AccessCheckRule(true, "CN=WSE2QuickStartClient")); auth.Rules.Add(new AccessCheckRule(false, "*")); return auth.CreateServiceInputFilter(context); } } After that, you must configure both assertions in your policy file, the MutualCertificate11Assertion first, and then the CertAssertion. Let me know if that works Regards, Pablo Cibraro http://weblogs.asp.net/cibrax [quoted text, click to view] "Adriana" <Adriana@discussions.microsoft.com> wrote in message news:1D51A359-F1F1-4820-AADE-F2458666B08B@microsoft.com... > > I tried with your answer but it didn't work...The code at the service is > something like: > > public class CertAssertion : MutualCertificate11Assertion > { ... > > public override SoapFilter > CreateServiceInputFilter(FilterCreationContext context) > { > auth = new AuthorizationAssertion(); > auth.Rules.Add(new AccessCheckRule(true, > "CN=WSE2QuickStartClient")); > auth.Rules.Add(new AccessCheckRule(false, "*")); > return auth.CreateServiceInputFilter(context); > } > } > > The input trace file, looks like: > > Entering SOAP filter > Microsoft.Web.Services3.Design.AuthorizationAssertion+AuthorizationFilter > > Exception thrown: Identity token not found. Authorization assertion > requires > identity token to be supplied by security assertion that runs prior to > authorization. at > Microsoft.Web.Services3.Design.AuthorizationAssertion.GetPrincipal(SoapEnvelope > envelope, RoleProvider roleProvider) at > Microsoft.Web.Services3.Design.AuthorizationAssertion.AuthorizationFilter.ProcessMessage(SoapEnvelope > envelope) at > Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope > envelope) > > Maybe i need add something into the client? The policy at the client side, > is only a MutualCertificate11Assertion, without a custom assertion... > > Thanks a lot! > > > > > >
Good news! It works! :) At the server the code is something like: public class CertAssertion : PolicyAssertion { ... public override SoapFilter CreateServiceInputFilter(FilterCreationContext context) { auth = new AuthorizationAssertion(); auth.Rules.Add(new AccessCheckRule(false, "CN=WSE2QuickStartClient")); auth.Rules.Add(new AccessCheckRule(false, "*")); return auth.CreateServiceInputFilter(context); } } public class CustomCertPolicy : Policy { public CustomCertPolicy() { MutualCertificate11Assertion assertionCert = new MutualCertificate11Assertion(); //Include here MutualCertificate11Assertion configuration: ServiceX509TokenProvider, Protection,... CertAssertion assertionAuth = new CertAssertion(); this.Assertions.Add(assertionAuth); this.Assertions.Add(assertionCert); } } Just one key: youmust add the assertions in strict order, that is, first authorization assertion, if you add first MutualCertificate11Assertion the same exception is throwed: Entering SOAP filter Microsoft.Web.Services3.Design.AuthorizationAssertion+AuthorizationFilter Exception thrown: Identity token not found. Authorization assertion requires identity token to be supplied by security assertion that runs prior to authorization. at Microsoft.Web.Services3.Design.AuthorizationAssertion.GetPrincipal(SoapEnvelope envelope, RoleProvider roleProvider) at Microsoft.Web.Services3.Design.AuthorizationAssertion.AuthorizationFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services3.Pipeline.ProcessInputMessage(SoapEnvelope envelope) Thanks a lot for your help!!!
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |