Problem in securing webmethod Wse 2.0 sp3



Hi,

I am trying to implement web service security with X509 tokens.

Signing the message with X509 tokens and encrypting it makes the
performance of the web service poor.

I want to implement it for specific methods.

There is a requestAction attribute in the operations element, with the
help of which we can specify the name of the web method.

I am signing the request with an X509 token on the client.

I am attaching the policy files for your reference.
My service-side policy is as follows:
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://localhost/PartialTrustSvc/Service1.asmx">
      <operation requestAction="http://localhost/PartialTrustSvc/HelloWorld">
        <request policy="" />
        <response policy="#signed-body-x509" />
        <fault policy="" />
      </operation>
      <!--<defaultOperation>
        <request policy="" />
        <response policy="#signed-body-x509" />
        <fault policy="" />
      </defaultOperation>-->
    </endpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
      xmlns:rp="http://schemas.xmlsoap.org/rp">
    <!--This policy requires that the body be digitally signed by an
    X509 security token.-->
    <wsp:Policy wsu:Id="signed-body-x509">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy
              system can look for a certificate with this subject name in the
              certificate store indicated in the application's configuration, such as
              LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
              for finding the correct values for this field.-->
              <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts xmlns:rp="http://schemas.xmlsoap.org/rp"
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>

Server-side code:

    [WebMethod]
    public string HelloWorld()
    {
        return "Hello World";
    }



My client-side policy is as follows:
<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="http://localhost/PartialTrustSvc/Service1.asmx">
      <operation requestAction="http://localhost/PartialTrustSvc/HelloWorld">
        <request policy="#signed-body-x509" />
        <response policy="" />
        <fault policy="" />
      </operation>

      <!--<defaultOperation>
        <request policy="#signed-body-x509" />
        <response policy="" />
        <fault policy="" />
      </defaultOperation>-->
    </endpoint>
  </mappings>
  <policies
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
      xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
      xmlns:wssc="http://schemas.xmlsoap.org/ws/2004/04/sc"
      xmlns:rp="http://schemas.xmlsoap.org/rp">
    <!--This policy requires that the body be digitally signed by an
    X509 security token.-->
    <wsp:Policy wsu:Id="signed-body-x509">
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy
              system can look for a certificate with this subject name in the
              certificate store indicated in the application's configuration, such as
              LocalMachine or CurrentUser. The WSE X.509 Certificate Tool is useful
              for finding the correct values for this field.-->
              <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartClient</wssp:SubjectName>
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">gBfo0147lM6cKnTbbMSuMVvmFY4=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts xmlns:rp="http://schemas.xmlsoap.org/rp"
            Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body() wse:Timestamp() wse:Addressing()</wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>

Client-side code:

    WSESvc.Service1Wse obj = new WSESvc.Service1Wse();
    Console.WriteLine(obj.HelloWorld());



I am getting the following error:
{"WSE464: No policy could be found for this message." }
Microsoft.Web.Services2.Policy.PolicyEnforcementException: WSE464: No policy could be found for this message.
   at Microsoft.Web.Services2.Policy.SimplePolicyEnforcer.Enforce(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyManager.Enforce(SoapEnvelope message)
   at Microsoft.Web.Services2.Policy.PolicyEnforcementOutputFilter.ProcessMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope)
   at Microsoft.Web.Services2.OutputStream.Close()
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at PartialTrustClient.WSESvc.Service1Wse.HelloWorld() in D:\WSEPOCs\PartialTrustClient\Web References\WSESvc\Reference.cs:line 37
   at PartialTrustClient.Class1.Main(String[] args) in d:\wsepocs\partialtrustclient\class1.cs:line 27

Where am I going wrong?

Thanks,
Swapna
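
An added example, not part of the original post: a Python check that lists which policy each side maps to request, response and fault for an action, and flags references to policy ids that the document does not define. The function names are hypothetical, and the sample documents are trimmed from the two policy files above (the Integrity assertion is left out).

```python
import xml.etree.ElementTree as ET

WSE = "{http://schemas.microsoft.com/wse/2003/06/Policy}"
WSP = "{http://schemas.xmlsoap.org/ws/2002/12/policy}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DIRECTIONS = ("request", "response", "fault")

def load_policy(xml_text):
    """Return ({(endpoint_uri, action): {direction: policy_ref}}, defined wsu:Ids)."""
    root = ET.fromstring(xml_text)  # commented-out elements are dropped by the parser
    defined = {p.get(WSU + "Id") for p in root.iter(WSP + "Policy")}
    mappings = {}
    for ep in root.iter(WSE + "endpoint"):
        for op in ep:
            if op.tag not in (WSE + "operation", WSE + "defaultOperation"):
                continue
            action = op.get("requestAction", "<defaultOperation>")
            mappings[(ep.get("uri"), action)] = {
                d: op.find(WSE + d).get("policy", "")
                for d in DIRECTIONS if op.find(WSE + d) is not None}
    return mappings, defined

def dangling_refs(mappings, defined):
    """Non-empty policy references ('#id') with no matching wsu:Id in the document."""
    refs = {r for dirs in mappings.values() for r in dirs.values() if r}
    return sorted(r for r in refs if r.lstrip("#") not in defined)

def compare_sides(client, service):
    """(endpoint, action, direction, client_ref, service_ref) wherever the sides differ."""
    diffs = []
    for key in sorted(set(client) | set(service)):
        c, s = client.get(key, {}), service.get(key, {})
        diffs += [(*key, d, c.get(d), s.get(d)) for d in DIRECTIONS if c.get(d) != s.get(d)]
    return diffs

def sample_doc(request, response):
    """Constructed sample: the posted mappings, with the Integrity assertion left out."""
    return f'''<policyDocument xmlns="{WSE[1:-1]}"><mappings>
 <endpoint uri="http://localhost/PartialTrustSvc/Service1.asmx">
  <operation requestAction="http://localhost/PartialTrustSvc/HelloWorld">
   <request policy="{request}" /><response policy="{response}" /><fault policy="" />
  </operation></endpoint></mappings>
 <policies xmlns:wsu="{WSU[1:-1]}" xmlns:wsp="{WSP[1:-1]}">
  <wsp:Policy wsu:Id="signed-body-x509" /></policies></policyDocument>'''

CLIENT, _ = load_policy(sample_doc("#signed-body-x509", ""))
SERVICE, _ = load_policy(sample_doc("", "#signed-body-x509"))

if __name__ == "__main__":
    for diff in compare_sides(CLIENT, SERVICE):
        print(diff)
```

On the posted mappings it reports two differences for the HelloWorld action: the client maps `#signed-body-x509` to the request where the service maps an empty policy, and the service maps `#signed-body-x509` to the response where the client maps an empty policy.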
