UsernameToken unencrypted in response


From: Martin Kulov (kulov_at_bezbokluk.abv.bg)
Date: 12/08/04


Date: Tue, 07 Dec 2004 18:11:22 -0800

Hi guys,

I am reposting this since it is very important for me to understand all blind spots I have.

I use UsernameToken to authenticate to web service without SecureConversation.

The UsernameToken is not encrypted using the server’s public key as it is when using SecureConversation. I read the awesome HOL-Security and it says that if I add wse:UsernameToken() to the first policy’s Confidentiality\MessageParts [1] the token will be encrypted.
Well it really does get encrypted! Why is this not the default behavior? No one wants to send passwords in clear text.
There is one caveat however. The response that the receiver sends back leaves UsernameToken unencrypted. This was an issue in SP1 also. If I add wse:UsernameToken() to Confidentiality\MessageParts in the request policy of the receiver the response does not change (naturally). When I add wse:UsernameToken() to Confidentiality\MessageParts of the response policy (#Sign-X.509-Encrypt-Username) of the receiver I get this [2].
This used to happen in WSE2.0 SP1 also. My expectation is that adding wse:UsernameToken() to the response policy of the receiver will encode the username token in the response also. How can I do this?

[1]
<wssp:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:UsernameToken()</wssp:MessageParts>
</wssp:Confidentiality>

[2]
<faultstring>System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE507: The order of security elements and security tokens will cause a processing failure on the receiving end, and they must be reordered to create a valid message.
</faultstring>
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.AddNode(DependancyTableItem item, ArrayList doneSet)
at Microsoft.Web.Services2.Security.DependancyTable.GetOrderedList()
at Microsoft.Web.Services2.Security.Security.ComputeSerializationPlan()
at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.WebServicesExtension.AfterSerializeServer(SoapServerMessage message)
--- End of inner exception stack trace ---</faultstring>

Martin Kulov
http://www.codeattest.com

MCAD Charter Member
MCSD.NET Early Achiever
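An added check, not part of the original post or of WSE itself, that inspects a captured SOAP envelope and reports whether the wsse:Security header still carries a readable UsernameToken (the condition the post describes in the response) or only xenc:EncryptedData blocks; it assumes the OASIS 2004/01 WS-Security namespaces that WSE 2.0 emits, and both envelopes are constructed samples.

```python
import xml.etree.ElementTree as ET

# Namespaces used by WSE 2.0 / WS-Security 1.0 messages (OASIS 2004/01).
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def audit_username_tokens(envelope_xml):
    """Count UsernameTokens readable without decryption in the Security header.
    Returns {"cleartext_tokens", "password_text", "encrypted_blocks"}.
    """
    report = {"cleartext_tokens": 0, "password_text": 0, "encrypted_blocks": 0}
    header = ET.fromstring(envelope_xml).find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    if security is None:
        return report
    for token in security.iter(f"{{{WSSE}}}UsernameToken"):
        report["cleartext_tokens"] += 1
        pwd = token.find(f"{{{WSSE}}}Password")
        # Per the UsernameToken profile a missing Type attribute means PasswordText,
        # i.e. the raw password (not a digest) is on the wire.
        if pwd is not None and pwd.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
            report["password_text"] += 1
    report["encrypted_blocks"] = sum(1 for _ in security.iter(f"{{{XENC}}}EncryptedData"))
    return report

# Constructed sample: the shape of the response the post complains about,
# with the UsernameToken left in clear inside the Security header.
CLEARTEXT_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
  <wsse:Security xmlns:wsse="{WSSE}">
    <wsse:UsernameToken>
      <wsse:Username>alice</wsse:Username>
      <wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>
    </wsse:UsernameToken>
  </wsse:Security>
</soap:Header><soap:Body/></soap:Envelope>"""

# Constructed sample: what the policy change aims for, the token carried only
# as an xenc:EncryptedData block (the CipherValue is a placeholder).
ENCRYPTED_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>
  <wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
    <xenc:EncryptedData Id="EncToken"><xenc:CipherData>
      <xenc:CipherValue>PLACEHOLDER-CIPHERTEXT==</xenc:CipherValue>
    </xenc:CipherData></xenc:EncryptedData>
  </wsse:Security>
</soap:Header><soap:Body/></soap:Envelope>"""
```

Running the check over a proxy capture of the receiver's response gives a quick regression test that the policy change actually removed the cleartext token.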