WS-Policy not always working

Discussion in 'ASP .Net Web Services' started by Patrick, Nov 22, 2004.

  1. Patrick

    Patrick Guest

    With the security.policy file appended at the end:
    1) I could successfully use it in a Web service client proxy class that
    does:

    [System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/PlaceOrder",
        RequestNamespace="http://publisher/webservices/",
        ResponseNamespace="http://publisherwebservices/",
        Use=System.Web.Services.Description.SoapBindingUse.Literal,
        ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
    public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData order)
    {
        this.Invoke("PlaceOrder", new object[] {order});
    }

    2) But not with

    [System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/QueryProduct",
        RequestNamespace="http://publisher/webservices/",
        ResponseNamespace="http://publisherwebservices/",
        Use=System.Web.Services.Description.SoapBindingUse.Literal,
        ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
    public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)] ProductQuery query)
    {
        // Invoke returns the deserialized return/out values; the first one is the result.
        object[] results = this.Invoke("QueryProduct", new object[] {query});
        return ((ProductDetails)(results[0]));
    }

    With the method call to 2:
    2.1) I get a SecurityException with details "The security token
    could not be authenticated or authorized".
    2.2) The input trace as well as the output trace contain text,
    indicating that the server did reply. The message content is encrypted!

    -----------------start of Security.config used-----------------
    <?xml version="1.0" encoding="utf-8"?>
    <policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
      <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
        <!--The following policy describes the policy requirements for all
            services who do not have a mapping in this file.-->
        <defaultEndpoint>
          <defaultOperation>
            <request policy="#Sign-X.509-Encrypt-X.509" />
            <response policy="" />
            <fault policy="" />
          </defaultOperation>
        </defaultEndpoint>
      </mappings>
      <policies
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
          xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
          xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
        <wsp:policy wsu:Id="Sign-X.509-Encrypt-X.509">
          <!--MessagePredicate is used to require headers. This assertion should
              be used along with the Integrity assertion when the presence of the signed
              element is required. NOTE: this assertion does not do anything for
              enforcement (send-side) policy.-->
          <wsp:MessagePredicate wsp:Usage="wsp:Required"
              Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
              wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
              wse:Timestamp()</wsp:MessagePredicate>
          <!--The Integrity assertion is used to ensure that the message is
              signed with X.509. Many Web services will also use the token for
              authorization, such as by using the <wse:Role> claim or specific X.509
              claims.-->
          <wssp:Integrity wsp:Usage="wsp:Required">
            <wssp:TokenInfo>
              <!--The SecurityToken element within the TokenInfo element
                  describes which token type must be used for Signing.-->
              <wssp:SecurityToken>
                <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
                <wssp:Claims>
                  <!--By specifying the SubjectName claim, the policy system can
                      look for a certificate with this subject name in the certificate store
                      indicated in the application's configuration, such as LocalMachine or
                      CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
                      correct values for this field.-->
                  <wssp:X509Extension OID="2.5.29.14"
                      MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
                </wssp:Claims>
              </wssp:SecurityToken>
            </wssp:TokenInfo>
            <wssp:MessageParts
                Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
                wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
                wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
                wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
          </wssp:Integrity>
          <!--The Confidentiality assertion is used to ensure that the SOAP Body
              is encrypted.-->
          <wssp:Confidentiality wsp:Usage="wsp:Required">
            <wssp:KeyInfo>
              <!--The SecurityToken element within the KeyInfo element describes
                  which token type must be used for Encryption.-->
              <wssp:SecurityToken>
                <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
                <wssp:Claims>
                  <!--By specifying the SubjectName claim, the policy system can
                      look for a certificate with this subject name in the certificate store
                      indicated in the application's configuration, such as LocalMachine or
                      CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
                      correct values for this field.-->
                  <wssp:X509Extension OID="2.5.29.14"
                      MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
                </wssp:Claims>
              </wssp:SecurityToken>
            </wssp:KeyInfo>
            <wssp:MessageParts
                Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
          </wssp:Confidentiality>
        </wsp:policy>
      </policies>
    </policyDocument>
    -----------------End of Security.config used-----------------
    Patrick, Nov 22, 2004
    #1

  2. Patrick

    Patrick Guest

    I suspect this might be something to do with the certificate usage.

    On the client, the current certificate usage is "Client Authentication".
    Would I need a certificate that supports "Server Authentication" as well as
    "Client Authentication"? I am struggling to find what the OID is for such a
    certificate (to put into the Windows 2003 CA requester).

    "Patrick" <> wrote in message
    news:...
    > [post #1 quoted in full; snipped]
    Patrick, Nov 22, 2004
    #2
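    The policy in post #1 matches the client's certificate by its Subject Key Identifier (the X509Extension claim on OID 2.5.29.14), and post #2 asks which OID names "Server Authentication" usage. The script below is an added example, not code from this thread and not WSE's own implementation: a small DER walker that pulls the SubjectKeyIdentifier and ExtendedKeyUsage extensions out of a certificate, renders the SKI in the base64 form the policy claim carries, and lists which key purposes (id-kp-serverAuth 1.3.6.1.5.5.7.3.1, id-kp-clientAuth 1.3.6.1.5.5.7.3.2) the certificate asserts. It assumes the claim compares the base64 of the bare 20-byte key identifier, which is what the 28-character values in the posted policy decode to; the extension block and key id it parses are constructed inline, not taken from a real certificate.

```python
import base64

OID_SUBJECT_KEY_ID = "2.5.29.14"       # SubjectKeyIdentifier: the OID the posted policy keys on
OID_EXT_KEY_USAGE = "2.5.29.37"        # ExtendedKeyUsage
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth ("Server Authentication")
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth ("Client Authentication")

def der(tag, body):
    """One DER TLV, short or long length form."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """Dotted OID text -> DER OBJECT IDENTIFIER (first two arcs packed, base-128 after)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def decode_oid(body):
    # Inverse of encode_oid; first arc 0..2 assumed, as in every X.509 OID.
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos=0):
    # Returns (tag, contents, position just after this TLV).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body

def parse_extension(body):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    items = list(iter_tlvs(body))
    if len(items) not in (2, 3) or items[0][0] != 0x06 or items[-1][0] != 0x04:
        return None
    return decode_oid(items[0][1]), items[-1][1]

def find_extensions(cert_der):
    """Walk every constructed node and return {extnID: extnValue}. The {OID, OCTET STRING}
    shape separates an Extension from AlgorithmIdentifier / AttributeTypeAndValue
    SEQUENCEs, so this works on a whole DER certificate as well as the sample below."""
    found = {}
    def walk(buf):
        for tag, body in iter_tlvs(buf):
            ext = parse_extension(body) if tag == 0x30 else None
            if ext is not None:
                found[ext[0]] = ext[1]
            elif tag & 0x20:              # constructed: SEQUENCE, SET, [n] EXPLICIT
                walk(body)
    walk(cert_der)
    return found

def ski_policy_value(exts):
    """Base64 text for a <wssp:X509Extension OID="2.5.29.14"> claim. extnValue wraps
    KeyIdentifier ::= OCTET STRING; the 28-char values in the posted policy decode to
    20 bytes, so the bare key identifier is encoded (assumption: not the DER wrapper)."""
    tag, key_id, _ = read_tlv(exts[OID_SUBJECT_KEY_ID])
    if tag != 0x04:
        raise ValueError("SubjectKeyIdentifier is not an OCTET STRING")
    return base64.b64encode(key_id).decode("ascii")

def eku_oids(exts):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; [] when the extension is absent."""
    if OID_EXT_KEY_USAGE not in exts:
        return []
    _, seq, _ = read_tlv(exts[OID_EXT_KEY_USAGE])
    return [decode_oid(b) for t, b in iter_tlvs(seq) if t == 0x06]

def check_certificate(cert_der, expected_ski_b64, required_ekus):
    """Reasons the certificate would fail the policy claim or lack a usage; [] if it passes."""
    exts = find_extensions(cert_der)
    problems = []
    if OID_SUBJECT_KEY_ID not in exts:
        problems.append("no SubjectKeyIdentifier extension")
    elif ski_policy_value(exts) != expected_ski_b64:
        problems.append("SKI %s != policy %s" % (ski_policy_value(exts), expected_ski_b64))
    present = eku_oids(exts)
    problems.extend("missing EKU " + oid for oid in required_ekus if oid not in present)
    return problems

# Constructed sample, not a real certificate: the [3] EXPLICIT Extensions of a
# TBSCertificate carrying an SKI (placeholder key id) and an EKU list.
SAMPLE_KEY_ID = bytes(range(20))

def build_sample_extensions(ekus):
    ski = der(0x30, encode_oid(OID_SUBJECT_KEY_ID) + der(0x04, der(0x04, SAMPLE_KEY_ID)))
    eku = der(0x30, encode_oid(OID_EXT_KEY_USAGE)
              + der(0x04, der(0x30, b"".join(encode_oid(o) for o in ekus))))
    return der(0xA3, der(0x30, ski + eku))
```

    To run it against the certificate the client actually selects, export that certificate from the store as DER (.cer) and pass the bytes to find_extensions or check_certificate; an empty list from check_certificate means the SKI claim would match and every required purpose is present. With the sample above built for [OID_CLIENT_AUTH] only, asking for OID_SERVER_AUTH reports "missing EKU 1.3.6.1.5.5.7.3.1", which is the situation post #2 describes. The check says nothing about whether the receiving side trusts the issuing CA or can reach the private key; those are outside what the extensions show.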

  3. Patrick

    Patrick Guest

    In addition,
    when do I need a "response policy"? Is it only needed for a web-service
    provider?

    "Patrick" <> wrote in message
    news:...
    > [post #1 quoted in full; snipped]
    Patrick, Nov 22, 2004
    #3
