WS-Policy not always working

Patrick

With the security.policy file appended at the end:
1) I could successfully use it in a Web service client proxy class that does:

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/PlaceOrder", RequestNamespace="http://publisher/webservices/", ResponseNamespace="http://publisherwebservices/", Use=System.Web.Services.Description.SoapBindingUse.Literal, ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData order)
{
    // Sends the PlaceOrder request and waits for the reply; nothing is returned to the caller.
    this.Invoke("PlaceOrder", new object[] {order});
}

2) But not with

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/QueryProduct", RequestNamespace="http://publisher/webservices/", ResponseNamespace="http://publisherwebservices/", Use=System.Web.Services.Description.SoapBindingUse.Literal, ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)] ProductQuery query)
{
    // Invoke returns the deserialized response parts. The posted snippet omitted the
    // return statement, which does not compile for a non-void method, so it is
    // restored here in the form wsdl.exe generates.
    object[] results = this.Invoke("QueryProduct", new object[] {query});
    return ((ProductDetails)(results[0]));
}

With the method call to 2):
2.1) I get a SecurityException with the details "The security token could not be authenticated or authorized".
2.2) The input trace as well as the output trace contain text, indicating that the server did reply. The message content is encrypted!

-----------------start of Security.config used-----------------
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!--The following policy describes the policy requirements for all
        services that do not have a mapping in this file.-->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-X.509-Encrypt-X.509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
            xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
            xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:policy wsu:Id="Sign-X.509-Encrypt-X.509">
      <!--MessagePredicate is used to require headers. This assertion should
          be used along with the Integrity assertion when the presence of the signed
          element is required. NOTE: this assertion does not do anything for
          enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required" Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()</wsp:MessagePredicate>
      <!--The Integrity assertion is used to ensure that the message is
          signed with X.509. Many Web services will also use the token for
          authorization, such as by using the <wse:Role> claim or specific X.509
          claims.-->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element
              describes which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <!--This claim matches on the X.509 extension with OID 2.5.29.14, the
                  Subject Key Identifier: the policy system looks for a certificate
                  whose key identifier equals this value exactly in the certificate
                  store indicated in the application's configuration, such as
                  LocalMachine or CurrentUser. The WSE X.509 Certificate Tool shows
                  the key identifier value to put here.-->
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From) wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo) wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!--The Confidentiality assertion is used to ensure that the SOAP Body
          is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes
              which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <!--As above, this claim selects the encryption certificate by its
                  Subject Key Identifier (extension OID 2.5.29.14) in the configured
                  certificate store; the WSE X.509 Certificate Tool shows the value.-->
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:policy>
  </policies>
</policyDocument>
-----------------End of Security.config used-----------------
 
Patrick

I suspect this might be something to do with the certificate usage.

On the client, the current certificate usage is "Client Authentication".
Would I need a certificate that supports "Server Authentication" as well as
"Client Authentication"? I am struggling to find what the OID is for such a
certificate (to put into the Windows 2003 CA requester).

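An added diagnostic, written for this thread rather than taken from Patrick's posts or from WSE itself: it lists every certificate in a store together with the properties the policy file above depends on, namely the Subject Key Identifier (extension OID 2.5.29.14, which both X509Extension claims match on), the Extended Key Usage OIDs (Server Authentication is 1.3.6.1.5.5.7.3.1 and Client Authentication is 1.3.6.1.5.5.7.3.2, per RFC 5280) and whether a private key is available. It assumes .NET Framework 2.0 or later, assumes the claim values in the policy are the base64 encoding of the key identifier bytes (the form the WSE X.509 Certificate Tool displays), and the store location is a placeholder to adjust to the application's configuration.

```csharp
// Added example (not Patrick's code and not part of WSE): dump the certificate
// properties a WSE X.509 policy claim is matched against.
// Assumes .NET Framework 2.0 or later.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class CertPolicyCheck
{
    // Well-known Extended Key Usage OIDs (RFC 5280, section 4.2.1.12).
    const string ServerAuthOid = "1.3.6.1.5.5.7.3.1";
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";

    static void Main(string[] args)
    {
        // Assumed store; change it to the store the application's WSE
        // configuration points at (LocalMachine or CurrentUser).
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                Describe(cert);
            }
        }
        finally
        {
            store.Close();
        }
    }

    static void Describe(X509Certificate2 cert)
    {
        Console.WriteLine("Subject:         " + cert.Subject);
        Console.WriteLine("Has private key: " + cert.HasPrivateKey);

        string ski = null;
        bool hasEku = false, serverAuth = false, clientAuth = false;
        foreach (X509Extension ext in cert.Extensions)
        {
            X509SubjectKeyIdentifierExtension skiExt = ext as X509SubjectKeyIdentifierExtension;
            if (skiExt != null)
            {
                // Extension OID 2.5.29.14. SubjectKeyIdentifier is a hex string; the
                // policy claim value is assumed to be the base64 form of the same bytes.
                ski = Convert.ToBase64String(HexToBytes(skiExt.SubjectKeyIdentifier));
            }

            X509EnhancedKeyUsageExtension eku = ext as X509EnhancedKeyUsageExtension;
            if (eku != null)
            {
                hasEku = true;
                foreach (Oid oid in eku.EnhancedKeyUsages)
                {
                    if (oid.Value == ServerAuthOid) serverAuth = true;
                    if (oid.Value == ClientAuthOid) clientAuth = true;
                }
            }
        }

        Console.WriteLine("SKI (base64):    " + (ski ?? "<no Subject Key Identifier extension>"));
        // A certificate without an EKU extension is not restricted to any purpose.
        Console.WriteLine("Server Auth EKU: " + (hasEku ? serverAuth.ToString() : "unrestricted (no EKU)"));
        Console.WriteLine("Client Auth EKU: " + (hasEku ? clientAuth.ToString() : "unrestricted (no EKU)"));
        Console.WriteLine();
    }

    // Converts the hex string .NET exposes for the key identifier back to raw bytes.
    static byte[] HexToBytes(string hex)
    {
        byte[] bytes = new byte[hex.Length / 2];
        for (int i = 0; i < bytes.Length; i++)
        {
            bytes[i] = Convert.ToByte(hex.Substring(2 * i, 2), 16);
        }
        return bytes;
    }
}
```

Comparing the printed base64 key identifiers with the two claim values in the policy file shows whether the signing certificate (which needs a private key on the side that signs and decrypts) and the encryption certificate are actually present in the store WSE is configured to search, and the EKU columns answer the usage question for each certificate without guessing at OIDs.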
 
Patrick

In addition, when do I need a "response policy"? Is it only needed for a web service provider?

 
