Patrick
With the WSE policy file (Security.config, appended at the end of this message):
1) I could successfully use it in a Web service client proxy class that
does:
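/// <summary>
/// Proxy method for the service's PlaceOrder operation: sends <paramref name="order"/>
/// as a document/literal, wrapped SOAP request. The operation has no return value.
/// Message security (the X.509 signing/encryption policy in Security.config) is
/// presumably applied by the proxy's WSE pipeline around Invoke, not in this method.
/// </summary>
/// <param name="order">The order payload serialized into the SOAP Body.</param>
// NOTE(review): ResponseNamespace ("http://publisherwebservices/") lacks the "/" that
// RequestNamespace ("http://publisher/webservices/") has; confirm against the WSDL,
// since a wrong response namespace breaks deserialization of the reply.
// NOTE(review): [MarshalAs] governs COM-interop marshaling and is not expected to
// affect XML serialization of a SOAP parameter; confirm it is intentional.
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/PlaceOrder",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData order)
{
    // Action URI was line-wrapped in the original listing; it must be one literal.
    this.Invoke("PlaceOrder", new object[] {order});
}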
2) But not with
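/// <summary>
/// Proxy method for the service's QueryProduct operation: sends <paramref name="query"/>
/// as a document/literal, wrapped SOAP request and returns the deserialized reply.
/// Message security (the X.509 signing/encryption policy in Security.config) is
/// presumably applied by the proxy's WSE pipeline around Invoke, not in this method.
/// </summary>
/// <param name="query">The product query serialized into the SOAP Body.</param>
/// <returns>The ProductDetails element returned by the service.</returns>
// NOTE(review): ResponseNamespace ("http://publisherwebservices/") lacks the "/" that
// RequestNamespace ("http://publisher/webservices/") has; confirm against the WSDL,
// since a wrong response namespace breaks deserialization of the reply.
// NOTE(review): [MarshalAs] governs COM-interop marshaling and is not expected to
// affect XML serialization of a SOAP parameter; confirm it is intentional.
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/QueryProduct",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)] ProductQuery query)
{
    // Invoke returns the operation's return value and out parameters as an array;
    // the first element is the return value. The original body discarded it and
    // had no return statement at all, so the method could not compile as written.
    object[] results = this.Invoke("QueryProduct", new object[] {query});
    return ((ProductDetails)(results[0]));
}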
When calling method 2 (QueryProduct):
2.1) I get a SecurityException whose detail reads "The security token
could not be authenticated or authorized".
2.2) Both the input and output traces contain a message, so the server did
reply; the Body of the reply in the trace is encrypted. Note that
Security.config maps an empty policy to <response> and <fault>, so the client
does not require the reply to be signed, time-stamped or encrypted. An
encrypted reply Body can only be read with the private key of the
certificate the service encrypted to, so the client must be able to open
that key in its certificate store. Method 1 returns void, so method 2 may be
the first call that actually receives an encrypted result.
-----------------start of Security.config used-----------------
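<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!-- Policy applied to every endpoint and operation that has no explicit
         mapping in this file (there are none, so it governs all calls).
         Only the request is bound to a policy. The empty response and fault
         policies mean nothing in this file is enforced on what comes back:
         a reply is not required to be signed, to carry a Timestamp, or to be
         encrypted, so a reply with no signature at all is accepted. Consider
         mapping response (and fault) to a policy that at least requires the
         service's X.509 signature over the Body and Timestamp. -->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-X.509-Encrypt-X.509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wspolicy wsu:Id="Sign-X.509-Encrypt-X.509">
      <!-- MessagePredicate lists the parts that must be present in a received
           message. It is checked on the receive side only: it does nothing
           for the request this client sends, and because the response policy
           above is empty it is never applied to replies either. -->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!-- Integrity: the request must be signed with an X.509v3 certificate.
           Services commonly also use this token for authorization (for
           example via the wse:Role claim or specific X.509 claims). -->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!-- The signing token is selected by its Subject Key Identifier
               extension (OID 2.5.29.14), matched exactly against the base64
               value below, so the policy is pinned to one specific
               certificate rather than to a subject name. Signing needs the
               private key of that certificate, so it must be accessible in
               the store the application is configured to use (LocalMachine
               or CurrentUser). The WSE X.509 Certificate Tool shows the
               value to use. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:X509Extension OID="2.5.29.14"
                MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <!-- Signed parts: the Body, every WS-Addressing header and the
             Timestamp. Signing the Timestamp is what lets the receiver
             reject stale or replayed requests. -->
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
          wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!-- Confidentiality: the request Body must be encrypted. -->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!-- The encryption token is the recipient's X.509v3 certificate,
               again selected by its Subject Key Identifier extension
               (OID 2.5.29.14) matched exactly against the base64 value
               below. This is a different certificate from the signing one;
               only its public key is needed on this side. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:X509Extension OID="2.5.29.14"
                MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <!-- Only the Body is encrypted; the addressing headers and the
             Timestamp travel in cleartext (they are still covered by the
             signature above). -->
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wspolicy>
  </policies>
</policyDocument>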
-----------------End of Security.config used-----------------
1) I could successfully use it in a Web service client proxy class that
does:
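/// <summary>
/// Proxy method for the service's PlaceOrder operation: sends <paramref name="order"/>
/// as a document/literal, wrapped SOAP request. The operation has no return value.
/// Message security (the X.509 signing/encryption policy in Security.config) is
/// presumably applied by the proxy's WSE pipeline around Invoke, not in this method.
/// </summary>
/// <param name="order">The order payload serialized into the SOAP Body.</param>
// NOTE(review): ResponseNamespace ("http://publisherwebservices/") lacks the "/" that
// RequestNamespace ("http://publisher/webservices/") has; confirm against the WSDL,
// since a wrong response namespace breaks deserialization of the reply.
// NOTE(review): [MarshalAs] governs COM-interop marshaling and is not expected to
// affect XML serialization of a SOAP parameter; confirm it is intentional.
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/PlaceOrder",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData order)
{
    // Action URI was line-wrapped in the original listing; it must be one literal.
    this.Invoke("PlaceOrder", new object[] {order});
}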
2) But not with
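/// <summary>
/// Proxy method for the service's QueryProduct operation: sends <paramref name="query"/>
/// as a document/literal, wrapped SOAP request and returns the deserialized reply.
/// Message security (the X.509 signing/encryption policy in Security.config) is
/// presumably applied by the proxy's WSE pipeline around Invoke, not in this method.
/// </summary>
/// <param name="query">The product query serialized into the SOAP Body.</param>
/// <returns>The ProductDetails element returned by the service.</returns>
// NOTE(review): ResponseNamespace ("http://publisherwebservices/") lacks the "/" that
// RequestNamespace ("http://publisher/webservices/") has; confirm against the WSDL,
// since a wrong response namespace breaks deserialization of the reply.
// NOTE(review): [MarshalAs] governs COM-interop marshaling and is not expected to
// affect XML serialization of a SOAP parameter; confirm it is intentional.
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher/webservices/QueryProduct",
    RequestNamespace="http://publisher/webservices/",
    ResponseNamespace="http://publisherwebservices/",
    Use=System.Web.Services.Description.SoapBindingUse.Literal,
    ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)] ProductQuery query)
{
    // Invoke returns the operation's return value and out parameters as an array;
    // the first element is the return value. The original body discarded it and
    // had no return statement at all, so the method could not compile as written.
    object[] results = this.Invoke("QueryProduct", new object[] {query});
    return ((ProductDetails)(results[0]));
}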
When calling method 2 (QueryProduct):
2.1) I get a SecurityException whose detail reads "The security token
could not be authenticated or authorized".
2.2) Both the input and output traces contain a message, so the server did
reply; the Body of the reply in the trace is encrypted. Note that
Security.config maps an empty policy to <response> and <fault>, so the client
does not require the reply to be signed, time-stamped or encrypted. An
encrypted reply Body can only be read with the private key of the
certificate the service encrypted to, so the client must be able to open
that key in its certificate store. Method 1 returns void, so method 2 may be
the first call that actually receives an encrypted result.
-----------------start of Security.config used-----------------
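<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!-- Policy applied to every endpoint and operation that has no explicit
         mapping in this file (there are none, so it governs all calls).
         Only the request is bound to a policy. The empty response and fault
         policies mean nothing in this file is enforced on what comes back:
         a reply is not required to be signed, to carry a Timestamp, or to be
         encrypted, so a reply with no signature at all is accepted. Consider
         mapping response (and fault) to a policy that at least requires the
         service's X.509 signature over the Body and Timestamp. -->
    <defaultEndpoint>
      <defaultOperation>
        <request policy="#Sign-X.509-Encrypt-X.509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>
    </defaultEndpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wspolicy wsu:Id="Sign-X.509-Encrypt-X.509">
      <!-- MessagePredicate lists the parts that must be present in a received
           message. It is checked on the receive side only: it does nothing
           for the request this client sends, and because the response policy
           above is empty it is never applied to replies either. -->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!-- Integrity: the request must be signed with an X.509v3 certificate.
           Services commonly also use this token for authorization (for
           example via the wse:Role claim or specific X.509 claims). -->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!-- The signing token is selected by its Subject Key Identifier
               extension (OID 2.5.29.14), matched exactly against the base64
               value below, so the policy is pinned to one specific
               certificate rather than to a subject name. Signing needs the
               private key of that certificate, so it must be accessible in
               the store the application is configured to use (LocalMachine
               or CurrentUser). The WSE X.509 Certificate Tool shows the
               value to use. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:X509Extension OID="2.5.29.14"
                MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <!-- Signed parts: the Body, every WS-Addressing header and the
             Timestamp. Signing the Timestamp is what lets the receiver
             reject stale or replayed requests. -->
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
          wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!-- Confidentiality: the request Body must be encrypted. -->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!-- The encryption token is the recipient's X.509v3 certificate,
               again selected by its Subject Key Identifier extension
               (OID 2.5.29.14) matched exactly against the base64 value
               below. This is a different certificate from the signing one;
               only its public key is needed on this side. -->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:Claims>
              <wssp:X509Extension OID="2.5.29.14"
                MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <!-- Only the Body is encrypted; the addressing headers and the
             Timestamp travel in cleartext (they are still covered by the
             signature above). -->
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wspolicy>
  </policies>
</policyDocument>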
-----------------End of Security.config used-----------------