WS-Policy not always working

P

Patrick

With the security.policy file appended at the end:
1) I could successfully use it in a Web service client proxy class that
does:
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/PlaceOrder", RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData
order)
{
this.Invoke("PlaceOrder", new object[] {order});
}

2) But not with

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/QueryProduct",
RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)]
ProductQuery query)
{
this.Invoke("QueryProduct", new object[] {query});
}

With the method call to 2
2.1) I get an exception SecurityException with details "The security token
could not be authenticated or authorized"
2.2) The input trace as well as the output trace contain text in it,
indicating that the server did reply. The message content is encrypted!

-----------------start of Security.config used-----------------
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
<mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
<!--The following policy describes the policy requirements for all
services who do not have a mapping in this file.-->
<defaultEndpoint>
<defaultOperation>
<request policy="#Sign-X.509-Encrypt-X.509" />
<response policy="" />
<fault policy="" />
</defaultOperation>
</defaultEndpoint>
</mappings>
<policies
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
ty-secext-1.0.xsd"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<wsp:policy wsu:Id="Sign-X.509-Encrypt-X.509">
<!--MessagePredicate is used to require headers. This assertion should
be used along with the Integrity assertion when the presence of the signed
element is required. NOTE: this assertion does not do anything for
enforcement (send-side) policy.-->
<wsp:MessagePredicate wsp:Usage="wsp:Required"
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
wse:Timestamp()</wsp:MessagePredicate>
<!--The Integrity assertion is used to ensure that the message is
signed with X.509. Many Web services will also use the token for
authorization, such as by using the <wse:Role> claim or specific X.509
claims.-->
<wssp:Integrity wsp:Usage="wsp:Required">
<wssp:TokenInfo>
<!--The SecurityToken element within the TokenInfo element
describes which token type must be used for Signing.-->
<wssp:SecurityToken>

<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509v3</wssp:TokenType>
<wssp:Claims>
<!--By specifying the SubjectName claim, the policy system can
look for a certificate with this subject name in the certificate store
indicated in the application's configuration, such as LocalMachine or
CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
correct values for this field.-->
<wssp:X509Extension OID="2.5.29.14"
MatchType="wssp:Exact">xs215+SAbT398tPDffFSf/z0CcI=</wssp:X509Extension>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:TokenInfo>
<wssp:MessageParts
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
</wssp:Integrity>
<!--The Confidentiality assertion is used to ensure that the SOAP Body
is encrypted.-->
<wssp:Confidentiality wsp:Usage="wsp:Required">
<wssp:KeyInfo>
<!--The SecurityToken element within the KeyInfo element describes
which token type must be used for Encryption.-->
<wssp:SecurityToken>

<wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509
-token-profile-1.0#X509v3</wssp:TokenType>

<wssp:Claims>
<!--By specifying the SubjectName claim, the policy system can
look for a certificate with this subject name in the certificate store
indicated in the application's configuration, such as LocalMachine or
CurrentUser. The WSE X.509 Certificate Tool is useful for finding the
correct values for this field.-->
<wssp:X509Extension OID="2.5.29.14"
MatchType="wssp:Exact">9AENaG5CwcBcR1AggdBzS7o1QcM=</wssp:X509Extension>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:KeyInfo>
<wssp:MessageParts
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:Mess
ageParts>
</wssp:Confidentiality>
</wsp:policy>
</policies>
</policyDocument>
-----------------End of Security.config used-----------------
 
P

Patrick

I suspect this might be somethign to do with the Certificate usage.

On the client, the current certificate usage is "Client Authentication".
Would I need a certificate that support "Server Authentication" as well as
"Client Authenticaiton"? I am struggling to find what the OID is for such a
ceritficate (to put into the Windows 2003 CA requester).

Patrick said:
With the security.policy file appended at the end:
1) I could successfully use it in a Web service client proxy class that
does:
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/PlaceOrder",
RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData
order)
{
this.Invoke("PlaceOrder", new object[] {order});
}

2) But not with

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/QueryProduct",
RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)]
ProductQuery query)
{
this.Invoke("QueryProduct", new object[] {query});
}

With the method call to 2
2.1) I get an exception SecurityException with details "The security token
could not be authenticated or authorized"
2.2) The input trace as well as the output trace contain text in it,
indicating that the server did reply. The message content is encrypted!

-----------------start of Security.config used-----------------
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
<mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
<!--The following policy describes the policy requirements for all
services who do not have a mapping in this file.-->
<defaultEndpoint>
<defaultOperation>
<request policy="#Sign-X.509-Encrypt-X.509" />
<response policy="" />
<fault policy="" />
</defaultOperation>
</defaultEndpoint>
</mappings>
<policies
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
ty-secext-1.0.xsd"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<wsp:policy wsu:Id="Sign-X.509-Encrypt-X.509">
<!--MessagePredicate is used to require headers. This assertion should
be used along with the Integrity assertion when the presence of the signed
element is required. NOTE: this assertion does not do anything for
enforcement (send-side) policy.-->
<wsp:MessagePredicate wsp:Usage="wsp:Required"
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
wse:Timestamp()</wsp:MessagePredicate>
<!--The Integrity assertion is used to ensure that the message is
signed with X.509. Many Web services will also use the token for
authorization, such as by using the <wse:Role> claim or specific X.509
claims.-->
<wssp:Integrity wsp:Usage="wsp:Required">
<wssp:TokenInfo>
<!--The SecurityToken element within the TokenInfo element
describes which token type must be used for Signing.-->
<wssp:SecurityToken>
 
P

Patrick

In addition,
when do I need a "response policy"- is it only needed for a web-service
provider??

Patrick said:
With the security.policy file appended at the end:
1) I could successfully use it in a Web service client proxy class that
does:
[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/PlaceOrder",
RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public void PlaceOrder([MarshalAs(UnmanagedType.IUnknown)] SimpleOrderData
order)
{
this.Invoke("PlaceOrder", new object[] {order});
}

2) But not with

[System.Web.Services.Protocols.SoapDocumentMethodAttribute("http://publisher
/webservices/QueryProduct",
RequestNamespace="http://publisher/webservices/",
ResponseNamespace="http://publisherwebservices/",
Use=System.Web.Services.Description.SoapBindingUse.Literal,
ParameterStyle=System.Web.Services.Protocols.SoapParameterStyle.Wrapped)]
public ProductDetails QueryProduct([MarshalAs(UnmanagedType.IUnknown)]
ProductQuery query)
{
this.Invoke("QueryProduct", new object[] {query});
}

With the method call to 2
2.1) I get an exception SecurityException with details "The security token
could not be authenticated or authorized"
2.2) The input trace as well as the output trace contain text in it,
indicating that the server did reply. The message content is encrypted!

-----------------start of Security.config used-----------------
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
<mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
<!--The following policy describes the policy requirements for all
services who do not have a mapping in this file.-->
<defaultEndpoint>
<defaultOperation>
<request policy="#Sign-X.509-Encrypt-X.509" />
<response policy="" />
<fault policy="" />
</defaultOperation>
</defaultEndpoint>
</mappings>
<policies
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurit
y-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecuri
ty-secext-1.0.xsd"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
<wsp:policy wsu:Id="Sign-X.509-Encrypt-X.509">
<!--MessagePredicate is used to require headers. This assertion should
be used along with the Integrity assertion when the presence of the signed
element is required. NOTE: this assertion does not do anything for
enforcement (send-side) policy.-->
<wsp:MessagePredicate wsp:Usage="wsp:Required"
Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
wse:Timestamp()</wsp:MessagePredicate>
<!--The Integrity assertion is used to ensure that the message is
signed with X.509. Many Web services will also use the token for
authorization, such as by using the <wse:Role> claim or specific X.509
claims.-->
<wssp:Integrity wsp:Usage="wsp:Required">
<wssp:TokenInfo>
<!--The SecurityToken element within the TokenInfo element
describes which token type must be used for Signing.-->
<wssp:SecurityToken>
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,994
Messages
2,570,223
Members
46,810
Latest member
Kassie0918

Latest Threads

Top