The one problem you still have is signing the message with the user token.
This is *not* secure in the least. That password would be cracked in a few
seconds off the wire, *even* if you use SendNone. A hacker just does a
dictionary attack on the signature. UsernameTokens should only be sent if
they are encrypted first, either inside an SSL session or using a
SecurityContextToken. If you use an SCT, then you don't need to send the UT
anyway. So I would use only SCTs and require on the server that each message
is at *least* signed with an *authenticated* SCT (or a token derived from an
authenticated SCT).
See:
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!303.entry
http://spaces.msn.com/members/staceyw/Blog/cns!1pnsZpX0fPvDxLKC6rAAhLsQ!268.entry
http://msdn.microsoft.com/webservice...rnametoken.asp
--
William Stacey, MVP
http://mvp.support.microsoft.com
"Michael Rodriguez" <mike__at__compeat_dot_com> wrote in message
news:67FC8DFC-14C8-443B-A717-D758C5393B59@microsoft.com...
> Nicholas,
>
> Thanks for the quick response. I figured out what it was. I enabled
> tracing in the web.config so I could see the SOAP responses. When I
> looked at those, I saw the problem was a timeout error. I had set the
> TimeToLive to 2 minutes, and the computer I was sending the request from
> was 10 minutes behind the Web server! All I had to do was sync the time
> and then it worked fine.
>
> Thanks,
>
> Mike Rodriguez
>
> "Nicholas Paldino [.NET/C# MVP]" wrote:
>
> > Michael,
> >
> > Are you sure that you are signing the message? The code here just
> > adds some authentication, but I see nothing that loads a digital
> > certificate (is that what the MessageCertificate does?).
> >
> > Also, if you have a certificate loaded in a store on the machine
> > that is doing the signing (your dev machine), then you have to make
> > sure that certificate is installed on the other machine that you
> > installed the proxy on.
> >
> > Hope this helps.
> >
> >
> > --
> > - Nicholas Paldino [.NET/C# MVP]
> > - mvp@spam.guard.caspershouse.com
> >
> > "Michael Rodriguez" <mike__at__compeat_dot_com> wrote in message
> > news:C57EC39E-645A-4A0B-B205-C7EC27E6C1C6@microsoft.com...
> > > I have a web service that I am calling by digitally signing the
> > > message with WSE 2.0 SP2. It runs fine on my PC. I uploaded the WS to
> > > our server, and if I call that from my PC that also works fine.
> > >
> > > The problem comes in when I try to call the WS from another machine
> > > besides mine or the host server. When I do that, I get "An error was
> > > discovered processing the <Security> header"...
> > >
> > > Is there something else I need to install on other machines to get
> > > my WSE security working? I installed the WSE 2.0 runtime files, that
> > > didn't help. Any ideas?
> > >
> > > Here is the client code that calls the web service:
> > >
> > > // WSE 2.0 namespaces this code depends on (SoapContext, the security
> > > // elements, and the token types):
> > > using Microsoft.Web.Services2;
> > > using Microsoft.Web.Services2.Security;
> > > using Microsoft.Web.Services2.Security.Tokens;
> > >
> > > public CateringWS.DataServWse GetProxy()
> > > {
> > >     CateringWS.DataServWse proxy = new CateringWS.DataServWse();
> > >     proxy.Url = "http://my_ip_address_here/CateringWS/DataServ.asmx";
> > >
> > >     // Get the SoapContext for the SOAP request that is being made to
> > >     // the Web service
> > >     SoapContext reqCtx = proxy.RequestSoapContext;
> > >
> > >     // Add the UsernameToken to the WS-Security SOAP header
> > >     /* Help File Excerpt: The password is never sent in any form in
> > >      * the SOAP message, but WSE does use the password to sign the SOAP
> > >      * message. A recipient would then need to provide a password to WSE
> > >      * during the signature validation stage. */
> > >     UsernameToken tok = new UsernameToken("mike", "amanda1",
> > >         PasswordOption.SendNone);
> > >
> > >     // set the TimeToLive to 2 minutes, to prevent anyone else from
> > >     // replaying it (client and server clocks must agree to within this
> > >     // window, or the server rejects the message as expired)
> > >     reqCtx.Security.Timestamp.TtlInSeconds = 120;
> > >
> > >     // Digitally sign the SOAP request by using a user name and
> > >     // password.
> > >     reqCtx.Security.Tokens.Add(tok);
> > >     reqCtx.Security.Elements.Add(new MessageSignature(tok));
> > >     // reqCtx.Security.Elements.Add(new EncryptedData(tok));
> > >
> > >     return proxy;
> > > }
> > >
> > > public ChartOfAccountsInfo[] GetChartOfAccounts()
> > > {
> > >     CateringWS.DataServWse proxy = GetProxy();
> > >     try
> > >     {
> > >         return proxy.GetChartOfAccounts();
> > >     }
> > >     catch (Exception ex)
> > >     {
> > >         // Keep the original exception as InnerException so the WSE
> > >         // fault detail (e.g. the <Security> header error) is not lost
> > >         throw new ApplicationException(ex.Message, ex);
> > >     }
> > > }
> > >
> > > TIA,
> > >
> > > Mike Rodriguez
> > >
> > > --
> > > To understand recursion, we must first understand recursion.
> >
> >
> >
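William's point above, that PasswordOption.SendNone keeps the password off the wire but the signature itself is a password verifier anyone can attack offline, as an added example that is not part of this thread or of WSE. It models a UsernameToken signature as HMAC-SHA1 with a key derived from the password plus the public nonce and created values (the P_SHA1 function, the "WS-Security" label and the SignedInfo layout are assumptions; WSE 2.0's exact derivation is not reproduced), runs a dictionary attack over a constructed wordlist against a captured message, and then runs the same attack against a message signed with a random session secret of the kind an SCT carries. The password "amanda1" and the wordlist are constructed for the example.

```python
"""Offline dictionary attack on a password-derived WS-Security signature.

Constructed model: the signing key is derived from the password and the
public header fields (nonce, created), then used as an HMAC-SHA1 key over
SignedInfo. WSE 2.0's real key derivation is NOT reproduced here
(assumption: any deterministic derivation from the password is attackable
the same way).
"""
import hashlib
import hmac
import os
from typing import Optional


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 pseudo-random function (RFC 2246, section 5)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


LABEL = b"WS-Security"  # assumed label; not claimed to be WSE's value


def derive_key(secret: bytes, nonce: bytes, created: str) -> bytes:
    """Signing key = P_SHA1(secret, LABEL || nonce || created), 20 bytes."""
    return p_sha1(secret, LABEL + nonce + created.encode("ascii"), 20)


def signed_info(body: bytes, nonce: bytes, created: str) -> bytes:
    """Constructed stand-in for ds:SignedInfo: body digest, nonce and
    timestamp, all of which travel in the clear."""
    digest = hashlib.sha1(body).hexdigest()
    return f"<SignedInfo body={digest} nonce={nonce.hex()} created={created}/>".encode("ascii")


def capture(body: bytes, secret: bytes) -> dict:
    """Everything an eavesdropper sees: no password, only nonce, created,
    SignedInfo and the HMAC-SHA1 SignatureValue."""
    nonce = os.urandom(16)
    created = "2005-03-07T10:15:00Z"  # constructed timestamp
    si = signed_info(body, nonce, created)
    sig = hmac.new(derive_key(secret, nonce, created), si, hashlib.sha1).digest()
    return {"nonce": nonce, "created": created, "signed_info": si, "signature": sig}


def crack(msg: dict, wordlist) -> Optional[str]:
    """Guess offline: re-derive the key for each candidate password and
    compare the recomputed HMAC with the captured SignatureValue."""
    for candidate in wordlist:
        key = derive_key(candidate.encode("utf-8"), msg["nonce"], msg["created"])
        guess = hmac.new(key, msg["signed_info"], hashlib.sha1).digest()
        if hmac.compare_digest(guess, msg["signature"]):
            return candidate
    return None


BODY = b"<GetChartOfAccounts/>"  # constructed SOAP body
WORDLIST = ["password", "letmein", "123456", "amanda", "amanda1", "catering"]  # constructed


def username_token_demo() -> Optional[str]:
    # UsernameToken with SendNone: the secret behind the signature is the
    # user's password, so a wordlist recovers it from one captured message.
    return crack(capture(BODY, b"amanda1"), WORDLIST)


def sct_demo() -> Optional[str]:
    # SecurityContextToken: the secret is a random session key negotiated
    # by the protocol, not a human-chosen password, so no wordlist (nor an
    # exhaustive search of 256-bit keys) recovers it.
    return crack(capture(BODY, os.urandom(32)), WORDLIST)


if __name__ == "__main__":
    print("UsernameToken password recovered:", username_token_demo())
    print("SCT session secret recovered:", sct_demo())
```

Nothing in the attack depends on the TimeToLive or on the nonce being fresh: those stop replay, not guessing, because both values are in the header the attacker already holds. Running the UsernameToken over SSL or switching to an SCT, as William recommends, removes the password from the signature's trust base instead of hiding it.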