
dotnet web services enhancements : Requiring username token in WSE 2.0


dev
8/22/2006 5:12:46 PM
Hello,

How do I enforce that a UsernameToken be passed with the SOAP request to a Web
Service? I looked at the following thread:

http://groups.google.com/group/microsoft.public.dotnet.framework.webservices.enhancements/browse_thread/thread/3b659d7a27f280b7/724037e2293a2fb4%23724037e2293a2fb

I tried using the policy file but I keep getting the following exception:

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later
 ---> System.ApplicationException: An error occured processing an outgoing fault response
   --- End of inner exception stack trace ---

Any ideas?

Regards,
dev209
dev
8/23/2006 9:47:51 AM
Hello Pablo,

I did not configure the policy on client side. I added the policy file
on server side only. In my client I am adding UsernameToken.

Do I need to configure policy on client side?

The Web Service that I have implemented verifies the UsernameToken. It works
fine as long as the client sends a UsernameToken. If the client does not send a
UsernameToken it grants access to the method without any checks.

Regards,
dev209



Pablo Cibraro [MVP]
8/23/2006 11:15:11 AM
Hi,

Did you configure the policy on the client side and server side as well?
In addition, you have to create a username token in code in the client
application and add it to the message.

// WSE 2.0 proxies expose RequestSoapContext; the token goes into its
// Security.Tokens collection (SendPlainText sends the password in clear text).
UsernameToken token = new UsernameToken("user", "password",
    PasswordOption.SendPlainText);
proxy.RequestSoapContext.Security.Tokens.Add(token);

Regards,
Pablo Cibraro





dev
8/23/2006 11:48:49 AM
Hello,

I am authenticating the client by UsernameToken. The problem that I am
facing is that if the client does not send a UsernameToken then there is no
authentication and the client gets access to the Web Service method.

Here is the section of the web.config file where I added the policy file
name:

<microsoft.web.services2>
  <policy>
    <cache name="policyCache.config" />
  </policy>
  <diagnostics>
    <policyTrace enabled="false" />
  </diagnostics>
  <security>
    <securityTokenManager type="XXXXXXXX"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        qname="wsse:UsernameToken" />
  </security>
  <tokenIssuer>
    <autoIssueSecurityContextToken enabled="true" />
  </tokenIssuer>
</microsoft.web.services2>


Here are the contents of the policyCache.config file:

<policyDocument xmlns="http://microsoft.com/wse/2003/06/PolicyDocument">
  <mappings>
    <defaultEndpoint>
      <!-- Corresponds to the PassToken operation -->
      <defaultOperation>
        <request policy="#PresentAUserNameToken" />
        <response policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:Policy wsu:Id="PresentAUserNameToken">
      <SecurityToken wsp:Usage="wsp:Required"
          xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</TokenType>
      </SecurityToken>
    </wsp:Policy>
  </policies>
</policyDocument>

Regards,
Dev209
Pablo Cibraro [MVP]
8/23/2006 2:27:53 PM
Hi,

Yes, you also need to configure the policy on the client side. There is
something I did not understand: "If client does not send UsernameToken it
grants access to method without any checks". Is that one of your
requirements or is it a problem that you are having now?

Regards,
Pablo.


dev
8/23/2006 3:54:51 PM
Update on my problem:

I updated my policy file on the server side using the policy file shown in
this article:

http://dotnet.org.za/stuartg/articles/6277.aspx

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://localhost/TermLifeAgency/TLAStatusService.asmx">
      <defaultOperation>
        <request policy="#SignedUsername" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <!-- This policy ensures that the message is signed with a
         UsernameToken -->
    <wsp:Policy wsu:Id="SignedUsername">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <!-- This policy ensures that the message is signed with a X509
         certificate -->
  </policies>
</policyDocument>

When I invoke the Web Service without passing a UsernameToken I get the
following exception:

Microsoft.Web.Services2.Policy.PolicyVerificationException: WSE402: The message does not conform to the policy it was mapped to.
   at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.VerifyMessageWithExpression(PolicyExpression expression, SoapEnvelope message, EndpointReference endpoint, String action, Uri requestEndpoint)
   at Microsoft.Web.Services2.Policy.SimplePolicyVerifier.Verify(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyManager.Verify(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyVerificationInputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage message)



When I pass a UsernameToken with the correct username/password, I can see
that it invokes the AuthenticationManager but after that it throws the same
exception.

I verified that the username and password are correct by removing the policy
file.

Any suggestion would be greatly appreciated.

Thanks,
Dev209
dev
8/24/2006 9:49:46 AM
Hello,

Along with adding the UsernameToken I also added a signature using the token:

// Sign the request with the same UsernameToken that was added to the tokens collection
ws.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));

I got it to work.

Question: I am new to WSE and all the policy elements. Any idea as to
what part of the policy file is requiring that the client request should have
a UsernameToken and the message be signed by the UsernameToken?

Thanks for your help.

Best Regards,
Dev209
Pablo Cibraro [MVP]
8/24/2006 9:58:15 AM
Hi,

For some reason, the message sent by the client application does not meet
some requirements in your service policy. Is the endpoint Uri correct? You
can see more details about why the policy cannot be enforced in the WSE
trace files.

Regards,
Pablo Cibraro.

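As an added example (not from the thread), here is the WSE 2.0 diagnostics section Pablo is referring to, switched on so that WSE records the envelopes it received and which assertion of the mapped policy failed to verify. The trace file names are placeholders; the ASP.NET worker process needs write access to them, and tracing should be turned off again afterwards, because the input trace contains the full SOAP envelopes, including any UsernameToken passwords sent with PasswordOption.SendPlainText.

```xml
<microsoft.web.services2>
  <policy>
    <cache name="policyCache.config" />
  </policy>
  <diagnostics>
    <!-- Full request and response envelopes as received and sent. -->
    <trace enabled="true"
           input="InputTrace.webinfo"
           output="OutputTrace.webinfo" />
    <!-- Which policy each message was mapped to and why verification
         failed (e.g. Integrity assertion not satisfied). -->
    <policyTrace enabled="true"
                 input="PolicyInputTrace.webinfo"
                 output="PolicyOutputTrace.webinfo" />
  </diagnostics>
</microsoft.web.services2>
```

Compare the InputTrace entry for a failing call with the policy's MessageParts: if the message has a UsernameToken in the Security header but no Signature element referencing the Body, it is the Integrity assertion that WSE402 is complaining about.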

Pablo Cibraro [MVP]
8/24/2006 1:42:49 PM
Hi,

It is this part,

<wssp:Integrity wsp:Usage="wsp:Required">
  <wssp:TokenInfo>
    <wssp:SecurityToken>
      <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
    </wssp:SecurityToken>
  </wssp:TokenInfo>
  <wssp:MessageParts
      Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
</wssp:Integrity>

In a nutshell, this section says: "I am expecting a message signed
(Integrity element) with a UsernameToken (SecurityToken element). Only the
body should be signed (MessageParts)".
You can also define a Confidentiality element if your service expects an
encrypted message, which is not the case here.

Regards,
Pablo Cibraro.

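The following is an added example, not code from the thread: the client side that satisfies the SignedUsername policy quoted above (UsernameToken plus a MessageSignature over the Body, as dev ended up doing), a negative check that an unsigned call is refused, and the server-side token manager that WSE calls to validate the password. The proxy class TLAStatusServiceWse, the GetStatus method and the DemoUsernameTokenManager name are assumptions standing in for the reader's own generated proxy, service method and the type registered in the securityTokenManager element of web.config. Note the practitioner's point behind the policy: a token that is merely present in the header is not bound to the Body, so the Integrity assertion, not token presence, is what ties the authenticated user to the request content.

```csharp
// Added example for WSE 2.0 (not the thread author's code). Assumed names:
// TLAStatusServiceWse (WSE-generated proxy), GetStatus (service method),
// DemoUsernameTokenManager (the type registered in web.config).
using System;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

// ---- Client side ---------------------------------------------------------
public static class SignedUsernameClient
{
    // Sends a request that the SignedUsername policy accepts.
    public static string CallWithSignedToken(string user, string password)
    {
        // With WSE enabled the generated proxy derives from
        // WebServicesClientProtocol and exposes RequestSoapContext.
        TLAStatusServiceWse proxy = new TLAStatusServiceWse();

        // SendHashed puts a digest (password + nonce + created time) on the
        // wire instead of the clear-text password. WSE still derives the
        // signing key from the password, so the token can sign the message.
        UsernameToken token = new UsernameToken(user, password,
                                                PasswordOption.SendHashed);
        proxy.RequestSoapContext.Security.Tokens.Add(token);

        // The <wssp:Integrity> assertion is satisfied only if the Body is
        // signed with that token. Adding the token alone is not enough; the
        // service answers with WSE402 (policy not satisfied).
        MessageSignature signature = new MessageSignature(token);
        signature.SignatureOptions = SignatureOptions.IncludeSoapBody;
        proxy.RequestSoapContext.Security.Elements.Add(signature);

        return proxy.GetStatus();
    }

    // Negative check: without token and signature the call must fail with a
    // SOAP fault. If this returns false, the policy is not being applied
    // (wrong file name in <policy><cache>, wrong endpoint uri in <mappings>,
    // or the WSE extension is not registered for the service).
    public static bool UnsignedCallIsRejected()
    {
        TLAStatusServiceWse proxy = new TLAStatusServiceWse();
        try
        {
            proxy.GetStatus();   // no UsernameToken, no signature
            return false;        // request was served: policy not enforced
        }
        catch (SoapException)
        {
            // Server-side policy verification failures (WSE402 in the
            // thread) are returned to the client as SOAP faults.
            return true;
        }
    }
}

// ---- Server side ---------------------------------------------------------
// Registered in web.config as the securityTokenManager for
// qname="wsse:UsernameToken". WSE calls AuthenticateToken to obtain the
// password for the user, compares it (or its digest) with what the client
// sent, and then verifies the message signature with the same password.
public class DemoUsernameTokenManager : UsernameTokenManager
{
    protected override string AuthenticateToken(UsernameToken token)
    {
        // Placeholder credential store; a real implementation looks the
        // user up in a directory or database. The clear-text password must
        // be returned so that WSE can recompute the SendHashed digest.
        if (token.Username == "user")
        {
            return "password";
        }
        return null;   // unknown user: WSE rejects the token
    }
}
```

Run UnsignedCallIsRejected against the service first; only when it returns true does a successful CallWithSignedToken prove anything, because a service whose policy is not loaded accepts both calls.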

dev
8/28/2006 2:01:02 PM
Hello,

Thanks for your help. If the requirement was to only have a UsernameToken
with the request, then should I be using the following only:

<wssp:SecurityToken>
<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
</wssp:SecurityToken>

Best Regards,
Dev209
Oberoi
9/22/2006 10:31:21 AM
Hi,

I tried using the following policy setting to enforce the requirement
of a UsernameToken in the SOAP header but it does not work. I am still
able to explore the web service and invoke the methods.

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!-- The following policy describes the policy requirements for all
         services who do not have a mapping in this file. -->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-Username" />
        <response policy="#Encrypt-Username" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="Sign-Username">
      <!-- MessagePredicate is used to require headers. This assertion should
           be used along with the Integrity assertion when the presence of the
           signed element is required. NOTE: this assertion does not do anything
           for enforcement (send-side) policy. -->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!-- The Integrity assertion is used to ensure that the message is
           signed with Username. Many Web services will also use the token for
           authorization, such as by using the <wse:Role> claim or specific
           Username claims. -->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!-- The SecurityToken element within the TokenInfo element describes
               which token type must be used for Signing. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo)
          wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To)
          wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
    <wsp:Policy wsu:Id="Encrypt-Username">
      <!-- The Confidentiality assertion is used to ensure that the SOAP Body
           is encrypted. -->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!-- The SecurityToken element within the KeyInfo element describes
               which token type must be used for Encryption. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken>
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

Can somebody help with this?

Thanks & Regards,
Oberoi



