473,746 Members | 2,471 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Microsoft Webservice Security Problem

Hello,
I am trying to secure a webservice using WSE 3.0 and the turnkey
usernameForCert ificateSecurity profile. I am passing a valid username
token, and on the server I have overridden the Authenticate token
call
and it is being called. My ASP.NET service has a Login() method and
it is being called during client application startup. Both the client
and service have matching policy config files. Once authentication
occurs I want to obtain a SCT to use as a session token.

But the first call returns with an exception although it successfully
returns from the Login() call.
I get a "ResponseProces singException" on the client when calling my
Login() method.
It has the following inner exception:
InnerException {"WSE2005: Protection requirements in
UsernameForCert ificateAssertio n are not satisfied."}
The strange thing is that there is no further information on the
above
exceptions. What requirements are not being met?

If I drill down into the exception stack I do see a
GenericParamete rAttribute and
GenericParamete rPosition exception, they both throw a
System.InvalidE xception on the parameters to
ClientInputFilt er.ValidateMess ageSecurity(). But this is deep within
WSE and out of my control.

I originally thought this may be a library mismatch with the parameter
types but I have
successfully ran the WSE 3.0 sample applications that should be using
the same libraries. What could possibly alter the parameters to this
call? The only real difference is in the "real" webservice I am
trying
to call versus the "sample" webservice that works.

Also note that the "real" webservice project was created prior to
adding WSE support to it. Perhaps there is a step missing in this
scenario?
I have tracing turned on and here are the results of a single call to
my Login() method:

OutputTrace.web info:
xml version="1.0" encoding="utf-8"?>
<log>
<outputMessag e utc="10/29/2008 1:38:38 AM"
messageId="urn: uuid:d07b96ee-9882-4303-8d17-3996e928e364">
<processingSt ep description="Un processed message">
<soap:Envelop e xmlns:soap="htt p://schemas.xmlsoap .org/soap/
envelope/" xmlns:xsi="http ://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http ://www.w3.org/2001/XMLSchema">
<soap:Body>
<LoginRespons e xmlns="http://localhost/
NetTiersPayroll WebServices">
<LoginResult>Pa ss</LoginResult>
</LoginResponse>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingSt ep description="En tering SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Ex ited SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="En tering SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Ex ited SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Pr ocessed message">
<soap:Envelop e xmlns:soap="htt p://schemas.xmlsoap .org/soap/
envelope/" xmlns:xsi="http ://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http ://www.w3.org/2001/XMLSchema" xmlns:wsa="http ://
schemas.xmlsoap .org/ws/2004/08/addressing" xmlns:wsse="htt p://
docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
secext-1.0.xsd" xmlns:wsu="http ://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action>http://localhost/NetTiersPayrollWebServices/
LoginResponse</wsa:Action>
<wsa:MessageID> urn:uuid:d07b96 ee-9882-4303-8d17-3996e928e364</
wsa:MessageID>
<wsa:RelatesTo> urn:uuid:55cc02 b2-
b8e4-4ecc-973f-64fa047abdcc</wsa:RelatesTo>
<wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/
role/anonymous</wsa:To>
<wsse:Securit y>
<wsu:Timestam p wsu:Id="Timesta mp-
b96e5653-4fc6-4f6d-944a-0984d06c49d6">
<wsu:Created>20 08-10-29T01:38:38Z</wsu:Created>
<wsu:Expires>20 08-10-29T01:53:38Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
<LoginRespons e xmlns="http://localhost/
NetTiersPayroll WebServices">
<LoginResult>Pa ss</LoginResult>
</LoginResponse>
</soap:Body>
</soap:Envelope>
</processingStep>
</outputMessage>
</log>
*************** *************** *************** *************** *************** *
*************** *************** **********
InputTrace.webi nfo
<?xml version="1.0" encoding="utf-8"?>
<log>
<inputMessage utc="10/29/2008 1:38:09 AM" messageId="urn: uuid:
55cc02b2-b8e4-4ecc-973f-64fa047abdcc">
<processingSt ep description="Un processed message">
<soap:Envelop e xmlns:soap="htt p://schemas.xmlsoap .org/soap/
envelope/" xmlns:xsi="http ://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http ://www.w3.org/2001/XMLSchema" xmlns:wsa="http ://
schemas.xmlsoap .org/ws/2004/08/addressing" xmlns:wsse="htt p://
docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
secext-1.0.xsd" xmlns:wsu="http ://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-68723008-2e19-429f-90cc-
b60854083f76">h ttp://localhost/NetTiersPayroll WebServices/Login</
wsa:Action>
<wsa:MessageI D wsu:Id="Id-8a252441-
bfb4-404a-89fe-436f5e7baa83">u rn:uuid:55cc02b 2-
b8e4-4ecc-973f-64fa047abdcc</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-f8dac67d-9ed9-4a7a-
ba68-15843d3ac661">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/
addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-4b502a5c-8b18-4bc9-
bca8-1c6f8713810d">http://localhost/NetTiersPayrollWebServices/
EasePayrollServ ices.asmx</wsa:To>
<wsse:Securit y soap:mustUnders tand="1">
<wsu:Timestam p wsu:Id="Timesta mp-6e434b43-
cbc2-4d8b-8d09-1597b9e46f63">
<wsu:Created>20 08-10-29T01:37:40Z</wsu:Created>
<wsu:Expires>20 08-10-29T01:42:40Z</wsu:Expires>
</wsu:Timestamp>
<xenc:Encrypted Key Id="SecurityTok en-6783d606-38ad-4895-
a83f-40054c4e47e8" xmlns:xenc="htt p://www.w3.org/2001/04/xmlenc#">
<xenc:Encryptio nMethod Algorithm="http ://www.w3.org/
2001/04/xmlenc#rsa-oaep-mgf1p">
<ds:DigestMetho d xmlns:ds="http://www.w3.org/2000/09/
xmldsig#" Algorithm="http ://www.w3.org/2000/09/xmldsig#sha1" />
</xenc:Encryption Method>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityT okenReference>
<wsse:KeyIdenti fier ValueType="http ://docs.oasis-
open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintS HA1"
EncodingType="h ttp://docs.oasis-open.org/wss/2004/01/oasis-200401-
wss-
soap-message-
security-1.0#Base64Binar y">bOSPmOcGQlCm 8L0A110A1piq5ss =</
wsse:KeyIdentif ier>
</wsse:SecurityTo kenReference>
</KeyInfo>
<xenc:CipherDat a>
<xenc:CipherVal ue>p42Ckf
+vVhlF5S0rnFd9F nxeCJ2d9kOu9xuc KaTFrTYVdTjQoIz 3ycZhMgiukywOPv Zqcgp17B1IBRCId *
neFRdvhPOn7glet Ds8j63BujYtoeEo ydmB89CdBIDrn5m BLC4xf2+sub8+nO fMo4X700HDnwfE6 *
zTxSUsGar1NebtE =</
xenc:CipherValu e>
</xenc:CipherData >
</xenc:EncryptedK ey>
<wssc:DerivedKe yToken
wsu:Id="Securit yToken-78c6f480-4f00-4a55-ab2b-7578d1393ff7"
Algorithm="http ://schemas.xmlsoap .org/ws/2005/02/sc/dk/p_sha1"
xmlns:wssc="htt p://schemas.xmlsoap .org/ws/2005/02/sc">
<wsse:SecurityT okenReference>
<wsse:Referen ce
URI="#SecurityT oken-6783d606-38ad-4895-
a83f-40054c4e47e8" ValueType="http ://docs.oasis-open.org/wss/oasis-
wss-
soap-message-security-1.1#EncryptedKe y" />
</wsse:SecurityTo kenReference>
<wssc:Generatio n>0</wssc:Generation >
<wssc:Length>32 </wssc:Length>
<wssc:Label>W S-SecureConversat ionWS-
SecureConversat ion</
wssc:Label>
<wssc:Nonce>LRZ oEDWOiuFaPEoEcN Zkew==</wssc:Nonce>
</wssc:DerivedKey Token>
<xenc:Reference List xmlns:xenc="htt p://www.w3.org/
2001/04/
xmlenc#">
<xenc:DataRefer ence
URI="#Enc-43bf8398-6a11-44a5-9f4b-4ec86072f1a7" />
<xenc:DataRefer ence
URI="#Enc-54b1428c-06dc-4026-9261-5f8e51887606" />
</xenc:ReferenceL ist>
<xenc:Encrypted Data
Id="Enc-43bf8398-6a11-44a5-9f4b-4ec86072f1a7" Type="http://
www.w3.org/
2001/04/xmlenc#Element" xmlns:xenc="htt p://www.w3.org/2001/04/
xmlenc#">
<xenc:Encryptio nMethod Algorithm="http ://www.w3.org/
2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityT okenReference>
<wsse:Referen ce
URI="#SecurityT oken-78c6f480-4f00-4a55-ab2b-7578d1393ff7"
ValueType="http ://schemas.xmlsoap .org/ws/2005/02/sc/dk" />
</wsse:SecurityTo kenReference>
</KeyInfo>
<xenc:CipherDat a>
<xenc:CipherVal ue>yf2TTGTWpTzW f7uqJm7QT9OF/
mxe15V7xmjVqm9g kKMdIIyvPfSYJ+2 ei/+DWMgdEGKiHpWc3 dw7//
Zg6BXy2G8samYKo Tx3EO0NaSkq17bQ MhJm0/Z+bIEh6lJJX5rCN meGRb+8CUN1wIhX e/
IH18cdlMd7UKnSX KIFaTonHBhwn92U DhFeDl8HF0lqmpz HqiRttpHtMXwys3 r5N
+ivoGq16eENuedE Tev6xaJx6tfaybg lPafIwSgqTpJZYP aMrigNrRwhG8wCd D4V1s35ptFcTzEx *
peiOZn8KmL/
GMuJrJJshmzi1Kx tI2HSHEOczMc7aR 9vQZDHbyBm1HAgu 9q970l9TeDJ139r STFUeIO7q97WpZp *
bFGtym5zP8tntkh 19XlXOIJHDwVmzA nOnDVPQO0FnJr1P svM5+kEKIGNmOeF waaWekcGd548UyA *
Azi0gjG8EPPk5jz 4ENyPGua/
xMg+AXuTy8GVIky aKCFt5UV
+g1h65+FovY5Qk4 YM772ojNvQPUN2c f3NRKA3yIn4xgj3 r0oI3QpZRwiKovG Pe5aOKyWKTqvwDo *
nWQ6I1RdlZn6n1d ARU4D3jqKDrJh35 ST0pYT5H80jn22T uQzvz2xsnfWB9ej Zcb03rqInnmumWT *
VkjDqgwCalHn9NR fLdq/
BIUDVCY+rIKPMRQ rydidR/ZNnb8tOkFCtBb3a wMiJ7G7fHh8twli DErGH8IPFbRMn5g W/
uHBzMmmi0t2x9j/nukUfF4PpCB
+0L09kSWtbYrpE0 hIvc4oJzlQUNwF7 7UMaWwK1kwVqP0S N8yftVH83VJVwO9 JAee4fsgS0xPmQp *
</
xenc:CipherValu e>
</xenc:CipherData >
</xenc:EncryptedD ata>
<wssc:DerivedKe yToken wsu:Id="Securit yToken-c6292af7-
c89b-4c89-a45f-4a3e5dc36f8a" Algorithm="http ://schemas.xmlsoap .org/
ws/
2005/02/sc/dk/p_sha1" xmlns:wssc="htt p://schemas.xmlsoap .org/ws/
2005/02/sc">
<wsse:SecurityT okenReference>
<wsse:Referen ce
URI="#SecurityT oken-6783d606-38ad-4895-
a83f-40054c4e47e8" ValueType="http ://docs.oasis-open.org/wss/oasis-
wss-
soap-message-security-1.1#EncryptedKe y" />
</wsse:SecurityTo kenReference>
<wssc:Generatio n>0</wssc:Generation >
<wssc:Length>24 </wssc:Length>
<wssc:Label>W S-SecureConversat ionWS-
SecureConversat ion</
wssc:Label>
<wssc:Nonce>sMB bG/szCbOaObxHATB5b A==</wssc:Nonce>
</wssc:DerivedKey Token>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:Canonicaliz ationMethod Algorithm="http ://
www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/
2000/09/
xmldsig#" />
<SignatureMetho d Algorithm="http ://www.w3.org/
2000/09/
xmldsig#hmac-sha1" />
<Reference URI="#SecurityT oken-
ddbe03d7-4aef-46fe-97d5-7932b13e058f">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>um NbubjBpIc2DVgi2 WZvhqwneko=</
DigestValue>
</Reference>
<Reference URI="#Id-68723008-2e19-429f-90cc-
b60854083f76">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>Y7 8aZjdWsViQl3v+a kyPU9LBhzo=</
DigestValue>
</Reference>
<Reference URI="#Id-8a252441-
bfb4-404a-89fe-436f5e7baa83">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>wh jNXB7TFArfY359/a4MuX80C9Y=</
DigestValue>
</Reference>
<Reference URI="#Id-f8dac67d-9ed9-4a7a-
ba68-15843d3ac661">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>ws HjgZEa4JyNvwgy3 4gP9AeBKu4=</
DigestValue>
</Reference>
<Reference URI="#Id-4b502a5c-8b18-4bc9-
bca8-1c6f8713810d">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>AS zsIfuwwRXTt/VWglZUOYpJQaA=</
DigestValue>
</Reference>
<Reference URI="#Timestamp-6e434b43-
cbc2-4d8b-8d09-1597b9e46f63">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>iu CJFGlTwKwNkURTu ulrDqM7Mzs=</
DigestValue>
</Reference>
<Reference
URI="#Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
<Transforms>
<Transform Algorithm="http ://www.w3.org/2001/10/
xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http ://www.w3.org/2000/09/
xmldsig#sha1" />
<DigestValue>os c5rYeQV3x611/OIGK2GxkaEgM=</
DigestValue>
</Reference>
</SignedInfo>
<SignatureValue >Ax8CX4YIdpxKeM a0bF4/KhxCWXw=</
SignatureValue>
<KeyInfo>
<wsse:SecurityT okenReference>
<wsse:Referen ce URI="#SecurityT oken-c6292af7-
c89b-4c89-a45f-4a3e5dc36f8a" ValueType="http ://schemas.xmlsoap .org/
ws/
2005/02/sc/dk" />
</wsse:SecurityTo kenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
<xenc:Encrypted Data
Id="Enc-54b1428c-06dc-4026-9261-5f8e51887606" Type="http://
www.w3.org/
2001/04/xmlenc#Content" xmlns:xenc="htt p://www.w3.org/2001/04/
xmlenc#">
<xenc:Encryptio nMethod Algorithm="http ://www.w3.org/
2001/04/xmlenc#aes256-cbc" />
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityT okenReference>
<wsse:Referen ce
URI="#SecurityT oken-78c6f480-4f00-4a55-
ab2b-7578d1393ff7" ValueType="http ://schemas.xmlsoap .org/ws/2005/02/
sc/
dk" />
</wsse:SecurityTo kenReference>
</KeyInfo>
<xenc:CipherDat a>
<xenc:CipherVal ue>qSXdqTbXDVBe KxItQJRCwHVBWHf lXz7YwZwF
+bOlgK9rSSiWsMG y1pXKu1VmnLKRot EsaDdI0EZBt++YE RpvK7TWWsV78G6a
+0rvxVGqbXM=</xenc:CipherValu e>
</xenc:CipherData >
</xenc:EncryptedD ata>
</soap:Body>
</soap:Envelope>
</processingStep>
<processingSt ep description="En tering SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Ex ited SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="En tering SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Ex ited SOAP filter
Microsoft.Web.S ervices3.Securi ty.Wse2Pipeline Policy
+LegacyFilterWr apper" />
<processingSt ep description="Pr ocessed message">
<soap:Envelop e xmlns:soap="htt p://schemas.xmlsoap .org/soap/
envelope/" xmlns:xsi="http ://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http ://www.w3.org/2001/XMLSchema" xmlns:wsa="http ://
schemas.xmlsoap .org/ws/2004/08/addressing" xmlns:wsse="htt p://
docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-
secext-1.0.xsd" xmlns:wsu="http ://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header />
<soap:Body wsu:Id="Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
<Login xmlns="http://localhost/
NetTiersPayroll WebServices" /


</soap:Body>
</soap:Envelope>
</processingStep>
</inputMessage>
</log>

Does anything look out of place? I know it's hard to tell off hand,
but in the output trace file there is no SOAP fault or anything that
points a finger at the cause of this problem.
Any help will be greatly appreciated.
Thanks,
V. Grippi
Oct 29 '08 #1
5 2750
"VictorG" <gr************ **@yahoo.comwro te in message
news:49******** *************** ***********@x1g 2000prh.googleg roups.com...
Hello,
I am trying to secure a webservice using WSE 3.0
....

Not an answer to your question, but I wanted to make sure: are you aware
that WSE is obsolete? It's not even supported in Visual Studio 2008, and
certainly not beyond. You might try using WCF to solve your problem, as it
is the replacement for WSE.
--
John Saunders | MVP - Connected System Developer

Oct 29 '08 #2
On Oct 29, 1:40*pm, "John Saunders" <n...@dont.do.t hat.comwrote:
"VictorG" <grippiconsult. ..@yahoo.comwro te in message

news:49******** *************** ***********@x1g 2000prh.googleg roups.com...
Hello,
I am trying to secure a webservice using WSE 3.0

...

Not an answer to your question, but I wanted to make sure: are you aware
that WSE is obsolete? It's not even supported in Visual Studio 2008, and
certainly not beyond. You might try using WCF to solve your problem, as it
is the replacement for WSE.
--
John Saunders | MVP - Connected System Developer

Thanks for the reply John.

How much refactoring is involved porting an existing ASP.NET Web
Service and client to WCF?

We are using NetTiers templates to auto generate the Web service
methods that are based on a SQL schema. I'm not sure if NetTiers
supports WCF.

-Victor
Oct 29 '08 #3
"VictorG" <gr************ **@yahoo.comwro te in message
news:13******** *************** ***********@a29 g2000pra.google groups.com...
On Oct 29, 1:40 pm, "John Saunders" <n...@dont.do.t hat.comwrote:
>"VictorG" <grippiconsult. ..@yahoo.comwro te in message

news:49******* *************** ************@x1 g2000prh.google groups.com...
Hello,
I am trying to secure a webservice using WSE 3.0

...

Not an answer to your question, but I wanted to make sure: are you aware
that WSE is obsolete? It's not even supported in Visual Studio 2008, and
certainly not beyond. You might try using WCF to solve your problem, as
it
is the replacement for WSE.
--
John Saunders | MVP - Connected System Developer


Thanks for the reply John.

How much refactoring is involved porting an existing ASP.NET Web
Service and client to WCF?

We are using NetTiers templates to auto generate the Web service
methods that are based on a SQL schema. I'm not sure if NetTiers
supports WCF.
Your first step, even if you don't move to WCF today, would be to make sure
that NetTiers supports WCF. It's been out for two years - they would have no
excuse for not supporting it by now.

If they don't support WCF, then the ease of porting would depend on how they
generate their code. If it's all monolithic classes, then you would have an
issue. If they generate separate classes for the resultsets, then you may be
able to reuse those, at least if you stick with the XML Serializer. Again,
depending on how they generate the code that accesses the database, you may
be able to reuse that as well.

But if you didn't know that WSE is long dead, you really need to ask
yourself why you didn't know that - and what else you might have missed in
the same way.

In a case like this, I often ask people if they think their competitors are
making the same mistakes.
--
John Saunders | MVP - Connected System Developer

Oct 29 '08 #4
On Oct 29, 2:43*pm, "John Saunders" <n...@dont.do.t hat.comwrote:
"VictorG" <grippiconsult. ..@yahoo.comwro te in message

news:13******** *************** ***********@a29 g2000pra.google groups.com...


On Oct 29, 1:40 pm, "John Saunders" <n...@dont.do.t hat.comwrote:
"VictorG" <grippiconsult. ..@yahoo.comwro te in message
>news:49******* *************** ************@x1 g2000prh.google groups.com....
Hello,
I am trying to secure a webservice using WSE 3.0
...
Not an answer to your question, but I wanted to make sure: are you aware
that WSE is obsolete? It's not even supported in Visual Studio 2008, and
certainly not beyond. You might try using WCF to solve your problem, as
it
is the replacement for WSE.
--
John Saunders | MVP - Connected System Developer
Thanks for the reply John.
How much refactoring is involved porting an existing ASP.NET Web
Service and client to WCF?
We are using NetTiers templates to auto generate the Web service
methods that are based on a SQL schema. I'm not sure if NetTiers
supports WCF.

Your first step, even if you don't move to WCF today, would be to make sure
that NetTiers supports WCF. It's been out for two years - they would haveno
excuse for not supporting it by now.

If they don't support WCF, then the ease of porting would depend on how they
generate their code. If it's all monolithic classes, then you would have an
issue. If they generate separate classes for the resultsets, then you maybe
able to reuse those, at least if you stick with the XML Serializer. Again,
depending on how they generate the code that accesses the database, you may
be able to reuse that as well.

But if you didn't know that WSE is long dead, you really need to ask
yourself why you didn't know that - and what else you might have missed in
the same way.

In a case like this, I often ask people if they think their competitors are
making the same mistakes.
--
John Saunders | MVP - Connected System Developer- Hide quoted text -

- Show quoted text -

John,

Thanks again for your reply.

WCF is not an option for my project at this time. We have existing
NetTiers templates (CodeSmith generated) that we do not have time to
refactor. NetTiers does have a patch that will allow access to the
data layer through WCF, however it is not an option for us at this
time, and has not been fully released into their build. I was brought
in late in the game to add security, to this project, and although
this is not an optimal situation, either is security in general with
web services, (all of it was added after the fact)

Many like myself are starting to use WSE because it is still available
for download, is still on the MSDN, and in many articles on-line or
otherwise. Just do a search for securing web services or SOA security.
The other alternative is for me to "roll my own" and add a handler to
inject my own token in the SOAP header. (I may have to do this)

With that said, there must be a solution to add security to an
existing web services project using VS2008. I have been able to get
everything to work except for the exception in the first post. The WSE
3.0 quick start samples all work in VS2008, after conversion, so it
should be a viable solution.

This leaves me at the original question of what could cause a
GenericParamete rAttribute and GenericParamete rPosition exception, they
both throw a System.InvalidE xception on the parameters in the call to
ClientInputFilt er.ValidateMess ageSecurity().

Thanks,
Victor
Oct 30 '08 #5
"VictorG" <gr************ **@yahoo.comwro te in message
news:ae******** *************** ***********@d36 g2000prf.google groups.com...
On Oct 29, 2:43 pm, "John Saunders" <n...@dont.do.t hat.comwrote:
>"VictorG" <grippiconsult. ..@yahoo.comwro te in message
....
Many like myself are starting to use WSE because it is still available
for download, is still on the MSDN, and in many articles on-line or
otherwise. Just do a search for securing web services or SOA security.
I hope this teaches you and many others a lesson about depending on Google
or the equivalent to make your decisions for you. There's all sorts of crap
that you will find in an Internet search. Just because you can find it
doesn't mean it's any good. It _could_ just mean that nobody has bothered to
remove the article. Search MSDN and you'll find some very old information -
I easily found stuff from 1998.

I have spoken to Microsoft about better adjusting the search on the MSDN
site to be more relevant. I gave them the specific example of searching for
"web service security". I intend to keep following up on that. This won't
help people who use a different search engine.
The other alternative is for me to "roll my own" and add a handler to
inject my own token in the SOAP header. (I may have to do this)

With that said, there must be a solution to add security to an
existing web services project using VS2008.
There is - use WCF or roll your own, or depend on SSL.

I characterize WSE as obsolete for this reason alone. If it has not been
updated to "WSE 3.1" to support Visual Studio 2008, then that should tell
you something very important about continuing to use WSE. BTW, have you seen
any hot fixes for WSE lately? I don't know anything official, but I'd be
surprised to learn that anything other than the most critical security bugs
would be fixed.
>I have been able to get
everything to work except for the exception in the first post. The WSE
3.0 quick start samples all work in VS2008, after conversion, so it
should be a viable solution.

This leaves me at the original question of what could cause a
GenericParamete rAttribute and GenericParamete rPosition exception, they
both throw a System.InvalidE xception on the parameters in the call to
ClientInputFilt er.ValidateMess ageSecurity().
I hope you find an answer. If you do, then please post it here so that
others who find this conversation in the future will benefit from it.

--
John Saunders | MVP - Connected System Developer

Oct 30 '08 #6

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
2022
by: Programatix | last post by:
Hi, I'm working on a project which includes WebServices and Windows Form application. The Windows Form application will call the WebServices to retrieve data from database. The data will be returned as DataSet. Now, here's the problem. On .NET Framework 1.1, if any rows in the dataset returned contain errors (marked by calling the SetColumnError() method or
4
4662
by: Rajesh.V | last post by:
I looked up the following.... 1. mshtml activex object which letts us do http request thru js. But the browser security has to be adjusted so not possible. 2. Htc behaviours enable calling webservices thru scripts. But this is currently not supported. Is there any other method to call a webservice or do a httprequest from javascript. I would be using only ie 6 and above and .net webservice.
2
1331
by: Sergi Adamchuk | last post by:
I need determine which web service (class WebService or its inheritors) serveces current request (I need Type instance of class that serves request). For example you wrote your own WebService: public class MyService : WebService .... Now I need to know the Guid of WebService class that serves current
3
3563
by: Merav Orion via .NET 247 | last post by:
I have a problem calling webservice from client side javascript. The javascript call the settimeout() method. when the user press submit button it ignore the press and keep refreshing the page. it looks like the data is not transferred to the asp page from the web service. just after going to internet option -> security -> Custom level -> Access data sources across domains -> and check the enable radio -> the problem is fixed. I need a...
2
1789
by: Sonia | last post by:
Hi all, I have couple of questions on MS Webservices : Do they have some published webservices : Like a webservice to convert an excel or .mpp into xml ? If yes where to locate them and how to call them ? If no what can be a possible solution to implement private webservice to do
2
2222
by: Naeem Sarfraz | last post by:
Any advice for the following situation? I've deployed my webservice on a remote server, e.g. http://mywebservice.co.uk/summary.asmx. The windows clients attempts to access this webservice and fails, the error returned is "there was an error processing the <Security> header". If I run the client on the server there is no problem. Help!
4
5996
by: Boni | last post by:
I want consuming a webserivce trough a proxy. I use this code. myService s = new myService (); System.Net.WebProxy proxyObject = new System.Net.WebProxy("http://proxyhost:8080"); s.Proxy = proxyObject; It doesn't works, it returns a error HTTP 407: Proxy Authentication Required ( Access is denied. ). But my proxy don't need a user Authentication.
0
2032
by: Daniel Knöpfel | last post by:
Hi We have developed a webservice that was accessed by a fat windows client. A security requirement was that the client authenticates itself by using by providing a client certificate. The webserver (iis) made then sure that only clients providing a valid certificate could connect. (settings: Requeire secure channel, Require client certificates). This worked fine. Due to a request by our client, we are forced to integrate the...
0
848
by: Bob1 | last post by:
Hi all, I have a situation where I have a client calling into a webservice. I am trying to change the security context of the client before I make the call to the webservice. I've got something really simple like the following on the client: // The Webservice HelloServer.Service1 service = new Service1(); NetworkCredential testCredential = new NetworkCredential("testUser", "Password", "DOMAIN"); service.Credentials = testCredential;
0
8801
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
9516
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
9351
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
0
9219
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
8229
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
0
4587
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
4840
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
2
2768
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
3
2200
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.