WSE3 Credentials

Euphilos

Hello,

I'm trying to use WSE 3 in a web service for authentication and
authorization.

I've created a custom UsernameTokenManager overriding VerifyToken to
validate the token against the database and setting the token principal to a
generic principal with all the needed information.

This goes ok, but when I'm trying to find out which user is currently
authenticated, in the web method, using
RequestSoapContext.Current.Credentials.UltimateReceiver.GetClientToken(Of
UsernameToken)().Principal, GetClientToken returns nothing (causing a null
reference exception).

The code above is used in the hands-on lab for WSE3 security, and seems to
work there. I guess I could set the thread principal in VerifyToken, but the
code above seemed the recommended way to go.

Thank you for your help,

Euphilos
 
Steven Cheng[MSFT]

Hi Euphilos,

Welcome to the MSDN newsgroup.

From your description, I understand you're building a custom
UsernameTokenManager for your ASP.NET webservice which uses WSE 3.0 to
secure the messages. Also, you create some custom GenericPrincipal
instances in the custom UsernameTokenManager's VerifyToken method and
assign them to the current SoapRequestContext. However, in webmethod code,
you find that
RequestSoapContext.Current.Credentials.UltimateReceiver.GetClientToken
cannot return the custom principal you assigned and reports a null reference
exception, correct?

I've also performed some tests in my local environment and did find a
similar problem. Actually, the null reference exception occurs when I
configure the webservice application to use the username over certificate (sign
and encrypt message) assertion. If I do not sign and encrypt the message (use
transport layer security), UltimateReceiver.GetClientToken can return
the correct value.

Would you please also test the two conditions and let me know whether you
get the same result? Meanwhile, I'll do some further research on this and
will update you if I get any new information.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Steven Cheng[MSFT]

Hi Euphilos,

After some further research and discussion with some other WSE guys, the
behavior you encounter is the expected one if you've turned on
"establishSecurityContext", e.g.:

<usernameForCertificateSecurity establishSecurityContext="true"


If this is the case, since the WSE runtime will cache the security context
token, it won't attach the token at the
RequestSoapContext.Current.Credentials.UltimateReceiver in each request.
Instead, we can use the following code to retrieve the security token:

SecurityContextToken sct =
RequestSoapContext.Current.Credentials.GetSecurityContextToken();

string username = sct.Principal.Identity.Name;


Hope this helps.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
