Bytes | Software Development & Data Engineering Community

WSE2 UserName token not encrypted

I'm modifying the WSE2 HOL sample to develop my web service. I'm able to get
the client application's username token encrypted on the way out
(outputTrace.webinfo), but not on receipt from the server
(inputTrace.webinfo).

The HOL manual mentions adding the wse:UsernameToken() to the
policyCache.config on the client, but not on the server. I have tried adding
this to the <confidentiality> section on the server but it still shows the
username and password in plain text.

Could someone help me out? I've pasted the service's policy file below:

<?xml version="1.0" encoding="utf-8"?>
<policyDocument xmlns="http://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy">
    <!--The following policy describes the policy requirements for the
        service: http://localhost/FundCenter/APIService/FCAPI.asmx .-->
    <endpoint uri="http://localhost/FundCenter/APIService/FCAPI.asmx">
      <defaultOperation>
        <request policy="#Sign-Username-Encrypt-X.509" />
        <response policy="#Sign-X.509-Encrypt-Username" />
        <fault policy="" />
      </defaultOperation>
    </endpoint>
  </mappings>
  <policies
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wssp="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
    <wsp:Policy wsu:Id="Sign-Username-Encrypt-X.509">
      <!--MessagePredicate is used to require headers. This assertion should
          be used along with the Integrity assertion when the presence of the
          signed element is required. NOTE: this assertion does not do anything
          for enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!--The Integrity assertion is used to ensure that the message is
          signed with Username. Many Web services will also use the token for
          authorization, such as by using the <wse:Role> claim or specific
          Username claims.-->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element
              describes which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken wse:IdentityToken="true">
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                  <wssp:Claims>
                    <!--By specifying the Role, the policy system can verify
                        that the token contains a specific role, such as
                        "Admin". Roles can be groups a user is a member of, or
                        they can be customized for each token.-->
                    <wse:Role value="BUILTIN\Administrators" />
                  </wssp:Claims>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
          wsp:Header(wsa:To) wse:Timestamp()</wssp:MessageParts>
      </wssp:Integrity>
      <!--The Confidentiality assertion is used to ensure that the SOAP Body
          is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes
              which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy system can
                  look for a certificate with this subject name in the
                  certificate store indicated in the application's
                  configuration, such as LocalMachine or CurrentUser. The WSE
                  X.509 Certificate Tool is useful for finding the correct
                  values for this field.-->
              <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
    <wsp:Policy wsu:Id="Sign-X.509-Encrypt-Username">
      <!--MessagePredicate is used to require headers. This assertion should
          be used along with the Integrity assertion when the presence of the
          signed element is required. NOTE: this assertion does not do anything
          for enforcement (send-side) policy.-->
      <wsp:MessagePredicate wsp:Usage="wsp:Required"
        Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
        wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID)
        wse:Timestamp()</wsp:MessagePredicate>
      <!--The Integrity assertion is used to ensure that the message is
          signed with X.509. Many Web services will also use the token for
          authorization, such as by using the <wse:Role> claim or specific
          X.509 claims.-->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <!--The SecurityToken element within the TokenInfo element
              describes which token type must be used for Signing.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3</wssp:TokenType>
            <wssp:TokenIssuer>CN=Root Agency</wssp:TokenIssuer>
            <wssp:Claims>
              <!--By specifying the SubjectName claim, the policy system can
                  look for a certificate with this subject name in the
                  certificate store indicated in the application's
                  configuration, such as LocalMachine or CurrentUser. The WSE
                  X.509 Certificate Tool is useful for finding the correct
                  values for this field.-->
              <wssp:SubjectName MatchType="wssp:Exact">CN=WSE2QuickStartServer</wssp:SubjectName>
              <wssp:X509Extension OID="2.5.29.14" MatchType="wssp:Exact">bBwPfItvKp3b6TNDq+14qs58VJQ=</wssp:X509Extension>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()
          wsp:Header(wsa:Action) wsp:Header(wsa:FaultTo) wsp:Header(wsa:From)
          wsp:Header(wsa:MessageID) wsp:Header(wsa:RelatesTo) wsp:Header(wsa:ReplyTo)
          wsp:Header(wsa:To) wse:Timestamp() wse:UsernameToken()</wssp:MessageParts>
      </wssp:Integrity>
      <!--The Confidentiality assertion is used to ensure that the SOAP Body
          is encrypted.-->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <!--The SecurityToken element within the KeyInfo element describes
              which token type must be used for Encryption.-->
          <wssp:SecurityToken>
            <wssp:TokenType>http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken wse:IdentityToken="true">
                  <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
          Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
  </policies>
</policyDocument>

Jun 30 '06 #1
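The check the question is doing by eye on inputTrace.webinfo (is the username token still readable, or has it been encrypted?), as an added example that is not part of the original post or the WSE2 samples: it parses a SOAP envelope copied from a WSE trace and reports every wsse:UsernameToken that is still in the clear, treating any token not replaced by xenc:EncryptedData as unencrypted. The envelopes below are constructed samples, not trace output from the asker's service.

```python
# Added example (not from the original post or the WSE2 samples): audit a SOAP
# envelope copied from a WSE trace such as inputTrace.webinfo and report every
# wsse:UsernameToken still readable in clear. A token that was encrypted is
# replaced on the wire by xenc:EncryptedData, so any UsernameToken the parser
# can see is unencrypted, and a Password without a Type defaults to PasswordText.
import xml.etree.ElementTree as ET

WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PASSWORD_TEXT = UTP + "#PasswordText"


def audit_envelope(soap_xml: str) -> dict:
    """Count cleartext UsernameTokens, cleartext passwords and EncryptedData blocks."""
    root = ET.fromstring(soap_xml)
    tokens = root.findall(f".//{{{WSSE}}}UsernameToken")
    cleartext_passwords = 0
    for token in tokens:
        password = token.find(f"{{{WSSE}}}Password")
        # A missing Type attribute means PasswordText per the UsernameToken profile.
        if password is not None and password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT:
            cleartext_passwords += 1
    return {
        "cleartext_tokens": len(tokens),
        "cleartext_passwords": cleartext_passwords,
        "usernames": [t.findtext(f"{{{WSSE}}}Username") for t in tokens],
        "encrypted_blocks": len(root.findall(f".//{{{XENC}}}EncryptedData")),
    }


def security_header(contents: str) -> str:
    """Wrap constructed wsse:Security contents in a minimal SOAP envelope with an encrypted Body."""
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">'
            f"<s:Header><wsse:Security>{contents}</wsse:Security></s:Header>"
            '<s:Body><xenc:EncryptedData Id="BodyEnc"/></s:Body></s:Envelope>')


# Constructed sample: the token in clear, the situation the question describes.
PLAINTEXT_TRACE = security_header(
    "<wsse:UsernameToken><wsse:Username>alice</wsse:Username>"
    f'<wsse:Password Type="{PASSWORD_TEXT}">s3cret</wsse:Password>'
    "</wsse:UsernameToken>")

# Constructed sample: the token encrypted, so only xenc:EncryptedData remains in the header.
ENCRYPTED_TRACE = security_header('<xenc:EncryptedData Id="TokenEnc"/>')
```

Run `audit_envelope` over both samples: the first reports one cleartext token with a PasswordText password, the second reports none and two EncryptedData blocks.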
