Re: Overriding X509SecurityTokenManager.AuthenticateToken

From: Dilip Krishnan (dkrishnan_at_NOSPAM.geniant.com)
Date: 01/28/05 

Date: Fri, 28 Jan 2005 07:14:12 -0800

Hello Oldman,
   Are you sure you cant use policy to implement that 'special' logic. The
Authenticate method should just be validating that the certificate it receives
is valid (not expired/ trusted etc), unless you want to do something special
with the tokens on its way in like, may be add an identity to the token etc..
I'd suggest take a look at how you can restrict uses based on policy first.
If that doesnt fit the bill write a soap input filter to check all the tokens
and throw the security fault in the filter. If you do the same in the token
manager you're short circuiting the whole authentication process. By that
I mean that you may receive more than on x509 token in the request. In that
case you may end up throwing a soap fault even tho' the request had other
valid x509 certificates.

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

> I have some special logic I would like to perform to make sure we
> accept a
> certain certificate in my webservice.
> The X509SecurityTokenManager.AuthenticateToken method has no return
> value so
> I was wondering what is the proper thing to do when the certificate is
> not
> accepted by the WebService? I figured I would throw a security fault
> with
> the code set to FailedAuthenticationCode.
> Is this the correct thing to do?
> Thanks,
>
> Oldman
>

Relevant Pages

  • RE: Encryption and signing using Security context tokens using WS
    ... In a webfarm scenario wen i try to run the sample using policy the error is ... Tokens in a Web Farm.The built-in SecurityContextService keeps track of the ... //This is the point where to get the SCT service. ... system can look for a certificate with this subject name in the certificate ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Problem in securing webmethod Wse 2.0 sp3
    ... I am trying to implement webservice security, with x509 tokens, ... By signing the message with x509 tokens and encrypting them, ... I am attaching the policy files for u'r ref. ... certificate store indicated in the application's configuration, ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • WSE 3.0 Clarification
    ... maintaining all the authenticated tokens within the last X minutes etc... ... between Authentication, Authorization and Security. ... uses Security when talking about Authentication, ... Say we are dealing with X509 MutualSecurity, the client has a Certificate ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Overriding X509SecurityTokenManager.AuthenticateToken
    ... Lookup in the policy configuration reference IssuerToken. ... > our web service if they have a certificate issued by us. ... >> with the tokens on its way in like, may be add an identity to the ... >> manager you're short circuiting the whole authentication process. ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Getting around mutual Certificate authentication using safenet 2032 tokens enforced in a webapp
    ... Getting around mutual Certificate authentication using ... The client certificates are contained on safenet 2032 tokens ...
    (Pen-Test)