WS-Policy not always working

 
 
Patrick
      11-22-2004
With the security.policy file appended at the end:
1) I could successfully use it in a Web service client proxy class that does:

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/PlaceOrder",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData order)
{
    this.Invoke("PlaceOrder", new object[] {order});
}

2) But not with

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/QueryProduct",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)] ProductQuery query)
{
    // Invoke returns the response values; the first is the declared return value.
    object[] results = this.Invoke("QueryProduct", new object[] {query});
    return (ProductDetails)results[0];
}

With the method call to 2
2.1) I get an exception SecurityException with details "The security token
could not be authenticated or authorized"
2.2) The input trace as well as the output trace contain text in it,
indicating that the server did reply. The message content is encrypted!

-----------------start of Security.config used-----------------
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!--The following policy describes the policy requirements for all
    services who do not have a mapping in this file.-->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-X.509-Encrypt-X.509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="Sign-X.509-Encrypt-X.509">
      <!--MessagePredicate is used to require headers. This assertion should
      be used along with the Integrity assertion when the presence of the signed
      element is required. NOTE: this assertion does not do anything for
      enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
      <!--The Integrity assertion is used to ensure that the message is
      signed with X.509. Many Web services will also use the token for
      authorization, such as by using the <wse:Role> claim or specific X.509
      claims.-->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element
          describes which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/...00401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy system can
              look for a certificate with this subject name in the certificate store
              indicated in the application's configuration, such as LocalMachine or
              CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
              correct values for this field.-->
              <wssp:X509Extension OID="2.5.29.14"
                  MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!--The Confidentiality assertion is used to ensure that the SOAP Body
      is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes
          which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/...00401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy system can
              look for a certificate with this subject name in the certificate store
              indicated in the application's configuration, such as LocalMachine or
              CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
              correct values for this field.-->
              <wssp:X509Extension OID="2.5.29.14"
                  MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>
-----------------End of Security.config used-----------------
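
Added example, not part of the original post: a Python check that reads a WSE policy document shaped like the one above, reports which policy is mapped to the request, response and fault messages, and decodes each `X509Extension` claim with OID 2.5.29.14 (the X.509 Subject Key Identifier extension) from base64 to hex so it can be compared with the Subject Key Identifier of the certificates in the store. The function names and the trimmed sample document are assumptions made for the illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"wse": "http://schemas.microsoft.com/wse/2003/06/Policy",
      "wsp": "http://schemas.xmlsoap.org/ws/2002/12/policy",
      "wssp": "http://schemas.xmlsoap.org/ws/2002/12/secext"}
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the posted policy cut down to its mappings and key claims
# (policy element written as wsp:Policy; the space in the second value is deliberate).
SAMPLE = f"""<policyDocument xmlns="{NS['wse']}" xmlns:wsp="{NS['wsp']}"
    xmlns:wssp="{NS['wssp']}" xmlns:wsu="{WSU}">
 <mappings><defaultEndpoint><defaultOperation>
  <request policy="#Sign-X.509-Encrypt-X.509" /><response policy="" /><fault policy="" />
 </defaultOperation></defaultEndpoint></mappings>
 <policies><wsp:Policy wsu:Id="Sign-X.509-Encrypt-X.509">
  <wssp:Integrity><wssp:Claims>
   <wssp:X509Extension OID="2.5.29.14">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
  </wssp:Claims></wssp:Integrity>
  <wssp:Confidentiality><wssp:Claims>
   <wssp:X509Extension OID="2.5.29.14">9AENaG5CwcBcR1AggdBzS7o1QcM =</wssp:X509Extension>
  </wssp:Claims></wssp:Confidentiality>
 </wsp:Policy></policies>
</policyDocument>"""

def mappings(root):
    """Policy id mapped to each message direction; None means no policy is mapped."""
    op = root.find("wse:mappings/wse:defaultEndpoint/wse:defaultOperation", NS)
    refs = {}
    for direction in ("request", "response", "fault"):
        el = op.find("wse:" + direction, NS)
        ref = el.get("policy", "") if el is not None else ""
        refs[direction] = ref.lstrip("#") or None
    return refs

def key_identifiers(root, policy_id):
    """(assertion, OID, hex value) for each X509Extension claim in the named policy."""
    out = []
    for pol in root.iterfind("wse:policies/wsp:Policy", NS):
        if pol.get("{%s}Id" % WSU) != policy_id:
            continue
        for name in ("Integrity", "Confidentiality"):
            for ext in pol.iterfind("wssp:%s//wssp:X509Extension" % name, NS):
                # Drop whitespace added by line wrapping before strict decoding.
                raw = base64.b64decode("".join(ext.text.split()), validate=True)
                out.append((name, ext.get("OID"), raw.hex()))
    return out

def report(xml_text):
    """Per direction: the key identifiers its mapped policy requires ([] if none)."""
    root = ET.fromstring(xml_text)
    return {d: key_identifiers(root, ref) if ref else []
            for d, ref in mappings(root).items()}

if __name__ == "__main__":
    print(report(SAMPLE))
```

For this file the report lists a signing key and an encryption key for the request and nothing for the response or fault, since both are mapped to an empty policy.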


Patrick
      11-22-2004
I suspect this might be something to do with the Certificate usage.

On the client, the current certificate usage is "Client Authentication".
Would I need a certificate that supports "Server Authentication" as well as
"Client Authentication"? I am struggling to find what the OID is for such a
certificate (to put into the Windows 2003 CA requester).

Patrick
      11-22-2004
In addition, when do I need a "response policy" - is it only needed for a web-service
provider??
