Re: SecureConversation

Hi Eric,

WSE uses a set of pre-defined scenarios to specify the security
requeriments.
These scenarios are called turn-key scenarios, and they are implemented by
security assertions.

You can find a description of each security assertion provided by WSE in
this article,
http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx?pull=/library/en-us/dnwse/html/newwse3.asp

By default, all the assertions that use message security sign the messages
and optionally encrypt it (It is a configuration setting). The same happens
with security conversation, it is a configuration setting in these
assertions.

However, you can develop your own custom assertion and specify the security
requirements for that assertion (Signing, Encryption, Security
Conversation).

The client and the service, both must use the same security assertion, and
you can specify that assertion by means of code (Attribute) or configuration
(Policy file).
You can not call a secured web service from an unsecured client or web
service. Therefore, you should have two different implementations of the
same web service, a plain version and a secure one. (The same for security
conversation, the client and the service must agree on the use of this
feature).

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax


"Eric Quist" <EricQuist@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E475B9C1-D2C2-4BBF-B68F-CC64CF49894F@xxxxxxxxxxxxxxxx
The subject got a little bit wrong there because I changed the question,
but
forgot to change the subject.

I might also want the client to control if SecureConversation should be
used
or not for the same reason as below.

/Eric

"Eric Quist" wrote:

Hi
Is it possible for the client to decide whether to do encryption and
signing
of messages? If so, how do I do it?
Background: I got a webservice that is called from winform clients for
whom
I want encrypt and sign the messages. The webservice is also called by
another webservice and in that situation I don't want to encrypt and sign
the
message, because that is not necessary.
Thanks, Eric


.

Relevant Pages

  • Re: Can web site data be protected from access by the webmasters?
    ... > little about web site design or internet security. ... > Canceling a contract can be an expensive hassle. ... > The client contacted me after the fact of contract signing. ... SSL does nothing but encrypt the stream ...
    (microsoft.public.sqlserver.security)
  • RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
    ... \par Microsoft Online Support ... After some further consulting our Webservice/wse guys, we are confirmed that the description about the security policy in WSE 2.0 in the following msdn article ... \par And we can only put security token assertion in service's policy document like: ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
    ... \par Microsoft Online Support ... SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed ... if you do need to do validating on security Token (in ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
    ... fact support writing declarative policy files that support the SecurityToken ... assertion, but I can't get it to work. ... Perhaps this means that WSE 2.0 ... if you do need to do validating on security Token (in ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • RE: SecurityToken assertion policy in WSE 2.0 SP3 Configuration Ed
    ... After some further consulting our Webservice/wse guys, we are confirmed that the description about the security policy in WSE 2.0 in the following msdn article ... \par And we can only put security token assertion in service's policy document like: ... \par Microsoft Online Support ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
Loading