Second post about WSE2.0 SP2
From: Martin Kulov (kulov_at_bezbokluk.abv.bg)
Date: 12/01/04
- Next message: Martin Kulov: "SecurityFault Class"
- Previous message: Martin Kulov: "Re: WSE 2.0 SP2 Pre-release Announcement"
Date: Wed, 01 Dec 2004 04:49:50 -0800
I ran to download the new release of WSE. At the first step my old demos ran well, but it took me some days before I had an opportunity to spend more time on it.
I have a desktop client application that connects to a web service. Both of them use policy to describe that they both require encryption and signing in the request and the response.
I must say that I am pleased. When I used SecureConversation the UsernameToken that I used for authentication was encrypted using the server public key. What a relief :).
I have been advocating the use of UsernameToken long enough so I feel a little bit more confident.
However, when I use UsernameToken to authenticate without SecureConversation, things look like they have not changed.
Why is the UsernameToken not encrypted using the server's public key? I read the awesome HOL-Security and it says that if I add wse:UsernameToken() to the first policy's Confidentiality\MessageParts [1] the token will be encrypted. Well, it really does get encrypted! Why is this not the default behavior? No one wants to send passwords in clear text. There is one caveat, however. The response that the receiver sends back leaves the UsernameToken unencrypted. This was an issue in SP1 also. If I add wse:UsernameToken() to Confidentiality\MessageParts in the request policy of the receiver, the response does not change (naturally). When I add wse:UsernameToken() to Confidentiality\MessageParts of the response policy (#Sign-X.509-Encrypt-Username) of the receiver, I get this [2].
This used to happen in WSE2.0 SP1 also. My expectation is that adding wse:UsernameToken() to the response policy of the receiver will encode the username token in the response also. How can I do this?
One more question:
The response of the receiver contains a BinarySecurityToken, which I have no idea where it came from. It is used to sign the message parts in the response. Here is the response SOAP [3]. How is this X509 token generated? Is it used to check if the digital signature is correct? If so, everyone can replace it along with the digests and change the actual message. Is that right?
Thanks for reading.
I will be waiting for your comments.
Martin Kulov
www.codeattest.com
[1]
<wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:UsernameToken()</wssp:MessageParts>
</wssp:Confidentiality>
[2]
<faultstring>System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE507: The order of security elements and security tokens will cause a processing failure on the receiving end, and they must be reordered to create a valid message.
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.GetOrderedList()
at Microsoft.Web.Services2.Security.Security.ComputeSerializationPlan()
at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.WebServicesExtension.AfterSerializeServer(SoapServerMessage message)
--- End of inner exception stack trace ---</faultstring>
[3]
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-225143d0-b45a-4180-946f-9d17be77da20">MIIBxDCC...</wsse:BinarySecurityToken>
..
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-225143d0-b45a-4180-946f-9d17be77da20" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
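The last question above (can anyone swap the BinarySecurityToken together with the digests and signature, and re-sign a modified message?) is best answered by a small demonstration of what a receiver has to check. The following Go program is an added example for this archive page; it is not code from the post or from WSE, and it deliberately simplifies WS-Security to a body, a signature over the body, and the signer's DER-encoded X.509 certificate carried inline in place of the BinarySecurityToken element (no XML canonicalization or per-part digests). The certificate names "server" and "attacker", and the body strings, are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedMessage is a constructed stand-in for a signed WS-Security response:
// the signed body, the signature, and the signer's certificate carried
// inline (the role the BinarySecurityToken plays in the real message).
type SignedMessage struct {
	Body     []byte
	Sig      []byte
	TokenDER []byte // DER-encoded X.509 certificate of the signer
}

// newSelfSignedCert creates a fresh RSA key pair and a self-signed
// certificate for it. Any party can do this; that is the whole point.
func newSelfSignedCert(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return key, cert, nil
}

// Sign signs body with key and embeds cert as the inline token.
func Sign(body []byte, key *rsa.PrivateKey, cert *x509.Certificate) (*SignedMessage, error) {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Body: body, Sig: sig, TokenDER: cert.Raw}, nil
}

// VerifyEmbeddedOnly checks the signature against whatever certificate the
// message itself carries. It only proves that body, signature and token are
// consistent with each other, which any key holder can arrange.
func VerifyEmbeddedOnly(m *SignedMessage) error {
	cert, err := x509.ParseCertificate(m.TokenDER)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type in token")
	}
	h := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], m.Sig)
}

// VerifyTrusted additionally requires the embedded certificate to be the one
// the receiver already trusts (pinning by exact DER match; a chain check
// against a CA pool is the other common form of the same rule).
func VerifyTrusted(m *SignedMessage, trusted *x509.Certificate) error {
	if err := VerifyEmbeddedOnly(m); err != nil {
		return err
	}
	if !bytes.Equal(m.TokenDER, trusted.Raw) {
		return errors.New("signing certificate is not the trusted server certificate")
	}
	return nil
}

// Demo plays out the scenario from the post: the genuine server signs a
// response, then a forged message with a changed body is signed with a
// different key and carries that key's certificate as the token. It reports
// whether each verifier accepts the forgery.
func Demo() (embeddedAccepts, trustedAccepts bool, err error) {
	serverKey, serverCert, err := newSelfSignedCert("server")
	if err != nil {
		return false, false, err
	}
	otherKey, otherCert, err := newSelfSignedCert("attacker")
	if err != nil {
		return false, false, err
	}
	genuine, err := Sign([]byte("<Body>balance=100</Body>"), serverKey, serverCert)
	if err != nil {
		return false, false, err
	}
	if err := VerifyTrusted(genuine, serverCert); err != nil {
		return false, false, fmt.Errorf("genuine message rejected: %w", err)
	}
	forged, err := Sign([]byte("<Body>balance=100000</Body>"), otherKey, otherCert)
	if err != nil {
		return false, false, err
	}
	embeddedAccepts = VerifyEmbeddedOnly(forged) == nil
	trustedAccepts = VerifyTrusted(forged, serverCert) == nil
	return embeddedAccepts, trustedAccepts, nil
}

func main() {
	e, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("forgery accepted when trusting the embedded token: %v\n", e)
	fmt.Printf("forgery accepted when the token is checked for trust: %v\n", t)
}
```

Running it prints `true` for the first line and `false` for the second: the signature plus embedded token only binds the message to whoever produced the token, so integrity of the response comes from the receiver checking that the certificate in the token is one it trusts (a pinned server certificate or a chain to a trusted root), not from the signature check alone. Whatever framework sits on the receiving side, that trust check is the control that turns "someone signed this" into "the server signed this".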