RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed



Thanks for your further follow-up, Asanford,

First, I agree with you that, from the article you provided:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp

the WSE 2.0 policy assertion should allow a pure token assertion without encrypting or signing. However, the current document and policy schema of WSE 2.0 (SP3) seem to be inconsistent with that article. I'll contact some other XML web services guys to see whether 2.0 has not implemented this error, and I'll update you as soon as I get any new update.

Thanks for your understanding.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no rights.)

--------------------
From: "=?Utf-8?B?YXNhbmZvcmQ=?=" <asanford2000@xxxxxxxxxxx>
Subject: RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
Date: Thu, 22 Sep 2005 10:31:01 -0700
Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements

Hi, Steven,

Thanks for your response. MSDN does seem to indicate the WSE 2.0 does in
fact support writing declarative policy files that support the SecurityToken
assertion (independent of the integrity and confidentiality assertions), in
the following article:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwse/html/wse2wspolicy.asp
-search the article for the following phrase: "Sending a UsernameToken".
So, I'm assuming that this article is correct, and I don't actually need to
check for the existence of the token in code (of course, I still would need
to write a custom token manager if I wanted to do custom authentication.) I
was just curious if there was some way to author such a policy using the
editor, rather than hand coding it. Any ideas?

BTW, I did try to create a hand edited policy to enforce the securityToken
assertion, but I can't get it to work. Perhaps this means that WSE 2.0
doesn't support such policies, despite the article to the contrary?

Thanks!

"Steven Cheng[MSFT]" wrote:

> Hi Asanford,
>
> Welcome to MSDN newsgroup.
> Regarding the question of the policy assertion on SecurityToken only,
> based on my research on the current version of the WSE (2.0 SP3), the
> declarative based policy assertion only contains data encryption and data
> signing, and the SecurityToken assertion is also used together with those
> two (defined under the <integrity> or <confidentiality> element). There is
> no standalone element for the Token Info assertion.
>
> For your scenario, if you do need to validate the security token (in
> the request's context) only (without encrypting or signing the message), I
> think we need to use code to programmatically retrieve the token from the
> Request context and validate it. Or alternatively, we can implement a
> custom SecurityTokenManager (derived from UsernameTokenManager or
> X509CertificateTokenManager....) and override the verify method.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
> --------------------
> From: "=?Utf-8?B?YXNhbmZvcmQ=?=" <asanford2000@xxxxxxxxxxx>
> Subject: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Editor
> Date: Wed, 21 Sep 2005 10:28:04 -0700
> Newsgroups: microsoft.public.dotnet.framework.webservices.enhancements
>
> Hello,
>
> Using the WSE 2.0 (SP3) Configuration Editor, I can't seem to find a way to
> create a policy file with a SecurityToken assertion (I don't want
> encryption or signing.) Must I create this policy file by hand, or am I
> missing something?
>
> Thanks!
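
Added example (not part of the original thread and not Microsoft's sample code): the programmatic check suggested in the first reply, a web method that refuses any request whose WS-Security header carries no UsernameToken, without requiring the message to be signed or encrypted. `OrderService`, `GetStatus`, `RequireUsernameToken` and the fault texts are hypothetical names; the sketch assumes WSE 2.0 is installed and enabled for the service.

```csharp
using System.Web.Services;
using System.Web.Services.Protocols;
using Microsoft.Web.Services2;
using Microsoft.Web.Services2.Security.Tokens;

public class OrderService : WebService            // hypothetical service name
{
    [WebMethod]
    public string GetStatus()                     // hypothetical method
    {
        UsernameToken user = RequireUsernameToken();
        return "OK for " + user.Username;
    }

    // Returns the first UsernameToken found in the request's security
    // header, or faults the call if none is present.
    // Because the message is neither signed nor encrypted here, the token
    // is only as protected as the transport: run the endpoint over SSL.
    private static UsernameToken RequireUsernameToken()
    {
        // RequestSoapContext.Current is null when the request did not
        // pass through the WSE pipeline (for example a plain HTTP GET).
        SoapContext ctx = RequestSoapContext.Current;
        if (ctx == null)
        {
            throw new SoapException(
                "Only SOAP requests processed by WSE are accepted.",
                SoapException.ClientFaultCode);
        }

        // Security.Tokens holds every token WSE extracted from the
        // incoming header; pick out the UsernameToken, ignore the rest.
        foreach (SecurityToken token in ctx.Security.Tokens)
        {
            UsernameToken user = token as UsernameToken;
            if (user != null)
            {
                return user;
            }
        }

        throw new SoapException(
            "A UsernameToken is required.",
            SoapException.ClientFaultCode);
    }
}
```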