Re: Securing webmethods webservice selectively using policy files.

Hi swapna,

You will have to separate the web methods into two different web services.
The requestAction attribute doesn't work in this case because the policy
applies to both webmethods.
Still, you can specify different protection requirements under the same
policy with that attribute.

For example, this policy doesn't work because you can't specify IncludeNone
for the signature:

<usernameForCertificateSecurity establishSecurityContext="false"
    renewExpiredSecurityContext="true" requireSignatureConfirmation="false"
    messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true">
  <serviceToken>
    <x509 storeLocation="LocalMachine" storeName="My"
        findValue="CN=WSE2QuickStartServer"
        findType="FindBySubjectDistinguishedName" />
  </serviceToken>
  <protection requestAction="HelloWorldWithSecurity">
    <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="true" />
    <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="true" />
    <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
        encryptBody="false" />
  </protection>
  <protection requestAction="HelloWorldWithOutSecurity">
    <request signatureOptions="IncludeNone" encryptBody="false" />
    <response signatureOptions="IncludeNone" encryptBody="false" />
    <fault signatureOptions="IncludeNone" encryptBody="false" />
  </protection>
</usernameForCertificateSecurity>

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com



"Swapna" <yswapna44@xxxxxxxxxxx> wrote in message
news:1134560728.590910.123250@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi,
> I am using WSE 3.0 to secure a webservice.
> I have two web methods in this webservice
> viz. HelloWorldWithSecurity.
> HelloWorldWithOutSecurity.
>
> 1) Can I secure only HelloWorldWithSecurity and leave
> HelloWorldWithOutSecurity not secured ?
>
> Is it always necessary to specify the Policy attribute for the class in
> the webservice if we are using the policy method to secure webservices
> ?
> eg.
>
> [WebService(Namespace = "http://www.contoso.com/")]
> [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
> [Policy("ServicePolicy")] // is this necessary ???
> public class Service : System.Web.Services.WebService
> {
>     public Service () {
>
>     }
>
>     [WebMethod]
>     public string HelloWorldWithSecurity() {
>         return "Hello World with security";
>     }
>     [WebMethod]
>     public string HelloWorldWithOutSecurity() {
>         return "Hello World without security";
>     }
>
> }
>
> 2) Can requestAction attribute of the protection element be used for
> this ?
>
>
> The problem I am facing is - If I don't specify the Policy attribute for
> the class none of the methods are secured.
>
> If I use the policy attribute all of them are secured irrespective of
> the method name in the request action attribute.
>
> Can anyone help me out with this ???
> Thanks.
>
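
The split recommended in the reply above, as an added example that is not part of the original thread. The class names SecuredService and OpenService and the .asmx file names are assumptions; the policy name, namespace and method bodies are taken from the question.

```csharp
using System.Web.Services;
using Microsoft.Web.Services3;   // WSE 3.0, provides the [Policy] attribute

// Code-behind for Secured.asmx (file name is an assumption).
// The policy is attached to the class, so it covers every web method
// declared here. Only methods that need message security belong in it.
[WebService(Namespace = "http://www.contoso.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy("ServicePolicy")]
public class SecuredService : WebService
{
    [WebMethod]
    public string HelloWorldWithSecurity()
    {
        return "Hello World with security";
    }
}

// Code-behind for Open.asmx (file name is an assumption).
// No [Policy] attribute on this class: as observed in the question,
// a class without the attribute has none of its methods secured.
[WebService(Namespace = "http://www.contoso.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class OpenService : WebService
{
    [WebMethod]
    public string HelloWorldWithOutSecurity()
    {
        return "Hello World without security";
    }
}
```

With this layout the "ServicePolicy" definition only needs the protection settings for the secured method, so the second protection element with IncludeNone can be dropped. Requests to OpenService are neither signed nor encrypted, so it should expose only operations whose input and output need no protection.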