RE: Problems signing request when using Windows Authentication
From: Julian Jelfs (JulianJelfs_at_discussions.microsoft.com)
Date: 09/24/04
- Next message: Trebor: "content based router"
- Previous message: Fraser: "wsa:Action and WSDL"
- In reply to: Andrew Feldman: "RE: Problems signing request when using Windows Authentication"
- Next in thread: Hervey Wilson [MSFT]: "Re: Problems signing request when using Windows Authentication"
- Reply: Hervey Wilson [MSFT]: "Re: Problems signing request when using Windows Authentication"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 24 Sep 2004 01:33:03 -0700
I wanted to do exactly the same thing as you and had exactly the same
problem. It amazes me that this problem which must be very very common is
totally glossed over in all the documentation.
The solution I have used is to sign the message with a KerberosToken instead
of a UserNameToken. This way you do not need access to the password in the
client and you still get access to the authenticated user in the web service.
There is an article on how to do this here:
http://www.15seconds.com/issue/040602.htm
and here's another article to help you work it out when it doesn't work!
http://support.microsoft.com/default.aspx?scid=kb;en-us;326985
It took a little bit of pain, but I got this working in the end.
Hope it helps.
"Andrew Feldman" wrote:
> Thanks for your response, but in your sample you illustrate my problem. When
> Windows Authentication is enabled on the web form, I do not have access to
> the user's password with which to create the UserNameToken. How can I
> get/create this token such that I can pass it to a web service and have the
> service perform authorization based on the same user's principal?
>
> "D.Mitchell" wrote:
>
> > I do exactly what you are talking about Andrew. When the request is processed
> > by WSE it checks the user account specified exists with the specified
> > password. You can then allow or disallow the access to the guts of the web
> > method based on the user account being in a group.
> >
> > Hope this helps - Dominic Mitchell
> >
> > In the client I add a username token to the request.
> >
> > Dim proxy As New myWebServiceWse
> >
> > 'the password travels in plain text inside the SOAP security header
> > Dim token As New UsernameToken("myUser", "test123", PasswordOption.SendPlainText)
> >
> > proxy.RequestSoapContext.Security.Tokens.Add(token)
> >
> > Call proxy.myWebMethod()
> >
> > *** In your web method code ***
> >
> > Dim token As UsernameToken
> > token = GetUsernameTokenOfRequestAtWebService(RequestSoapContext.Current)
> >
> > 'deny access unless the authenticated account is in the required group
> > If Not token.Principal.IsInRole(Dns.GetHostName() & _
> >     "\requiredGroupForWebMethod") Then
> >     Throw New SoapException("Access denied", SoapException.ServerFaultCode)
> > Else
> >     'do it
> > End If
> >
> > Public Function GetUsernameTokenOfRequestAtWebService(ByVal _
> >     requestContext As SoapContext) As UsernameToken
> >
> >     If IsNothing(requestContext) Then
> >         Throw New SoapException("Only SOAP requests are permitted.", _
> >             SoapException.ClientFaultCode)
> >     End If
> >
> >     'when there are no tokens in the request
> >     If requestContext.Security.Tokens.Count = 0 Then
> >         Throw New SoapException("No security tokens found in the request.", _
> >             SoapException.ClientFaultCode)
> >     End If
> >
> >     'loop over the security tokens in the request and return the first
> >     'username token (iterate as SecurityToken so that other token types
> >     'in the collection do not cause an invalid cast)
> >     Dim candidate As SecurityToken
> >     For Each candidate In requestContext.Security.Tokens
> >         If TypeOf candidate Is UsernameToken Then
> >             Return DirectCast(candidate, UsernameToken)
> >         End If
> >     Next
> >
> >     'when we get here, the required username token was not in the request
> >     Throw New SoapException("UsernameToken not found in security tokens in the request.", _
> >         SoapException.ClientFaultCode)
> > End Function
> >
> > "Andrew Feldman" wrote:
> >
> > > Is it possible to create a UserNameToken on a web form using Windows
> > > Authentication and have that token be authenticated on the web service
> > > against a Windows account?
> > >
> > > I am using Windows Authentication on my Web UI layer. I would like to
> > > secure my web service layer with Windows Authentication as well. I've
> > > created a policy which requires the message be signed by a UserNameToken. My
> > > problem is how to create such a token in the UI, when the UserNameToken
> > > constructor requires a user name and password, which from my perspective has
> > > all been handled by Windows and IIS. It is unacceptable to require the users
> > > to reenter their info into my app in addition to any Windows/IIS popups they
> > > may have received. Can I utilize the WindowsPrincipal which ASP.NET has
> > > created for me in some manner?
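The KerberosToken approach Julian describes, as an added example that is not code from the thread or the linked articles. WSE 2.0 type names (KerberosToken, MessageSignature, SignatureOptions, SoapContext) are given as I recall them; the proxy class MyServiceWse, its MyWebMethod, the "host/<service host>" SPN form and the group name are assumptions. The service side checks that the Kerberos token actually signed the SOAP body rather than merely being present in the Tokens collection.

```csharp
using System;
using System.Security.Principal;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security;
using Microsoft.Web.Services2.Security.Tokens;

public class KerberosSignedCall
{
    // Client side: runs under the already-authenticated Windows identity (e.g. an
    // impersonating ASP.NET page), so no password is ever handled by the web form.
    public static void CallService(string serviceHost)
    {
        MyServiceWse proxy = new MyServiceWse();                 // assumed WSE proxy class
        KerberosToken token = new KerberosToken("host/" + serviceHost);  // assumed SPN form
        proxy.RequestSoapContext.Security.Tokens.Add(token);
        proxy.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));
        proxy.MyWebMethod();
    }

    // Service side: return the principal of the KerberosToken that signed the body.
    // A token that is present but did not sign the message proves nothing about
    // who sent this particular request, so unsigned tokens are ignored.
    public static IPrincipal GetSigningPrincipal(SoapContext ctx)
    {
        if (ctx == null)
            throw new SoapException("Only SOAP requests are permitted.", SoapException.ClientFaultCode);

        foreach (ISecurityElement element in ctx.Security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig == null) continue;
            KerberosToken token = sig.SigningToken as KerberosToken;
            if (token == null) continue;
            if ((sig.SignatureOptions & SignatureOptions.IncludeSoapBody) == 0) continue;
            return token.Principal;          // WindowsPrincipal of the Kerberos client
        }
        throw new SoapException("SOAP body was not signed with a KerberosToken.", SoapException.ClientFaultCode);
    }

    // Authorization in the web method body, mirroring the group check used in the thread.
    public static void Authorize(SoapContext ctx, string requiredGroup)
    {
        IPrincipal user = GetSigningPrincipal(ctx);
        if (!user.IsInRole(requiredGroup))   // e.g. Environment.MachineName + @"\WebMethodUsers"
            throw new SoapException("Access denied", SoapException.ServerFaultCode);
    }
}
```

The service policy should still require the signature on the body, so that a request without one is rejected before the web method runs.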