By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,492 Members | 1,210 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,492 IT Pros & Developers. It's quick & easy.

(WS-Security): Soap Header and Security elements missing in the SoapRequest.

P: 1
Hello,

I am creating a webservice that collects user information and stores it in a database. Since the user information contains sensitive data like SSN I am planning to use WS-Security (WSE 2.0) in my WebService to digitally sign and encrypt the data.

Here are the steps I followed to digitally sign the message:


1) I created a X.509 certificate using Certification Services in Windows Server 2003.

2) I installed the certificate on my development machine in 'Local Computer' Store and 'Current User' Store using MMC

3) Using X.509 Certification tool , I granted full control access to ASPNET machine account on the certificates.

4) I created a test WebService.

5) I created a client that sends in some test data to the Service. On the client side I retrieved the certificate from the 'Local Computer' store and used it to digitally sign the request.(RequestSoapContext) .

6) On the Service side I implemented SoapExtension to trap the incoming XML (SoapRequest).

Client side code:

SoapContext context = proxy.RequestSoapContext;

X509CertificateStore store = X509CertificateStore.LocalMachineStore(X509Certifi cateStore.MyStore);
if(store.OpenRead())
{
X509CertificateCollection certs = store.FindCertificateByKeyIdentifier(Convert.FromB ase64String(keyIdentifier));
if(certs.Count > 0)
{
X509SecurityToken token = new X509SecurityToken(certs[0]);
if(token != null)
{
context.Security.Tokens.Add(token);
context.Security.Elements.Add(new MessageSignature(token));
}
}
}

Response.Text = proxy.HelloWorld("Hello World");


When I run the application, the client side seems to retrieve the certificate and add the appropriate objects to Tokens and Security collections of the RequestSoapContext.

But when I check the XML (SoapRequest) on the Services side using SoapExtension, I do not see the <Soap:Header> and <wsse:Security> elements in SoapRequest.

**** - Before DeSerialize: (SoapRequest) ****

<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<soap:Body wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020">
<HelloWorld xmlns="http://tempuri.org/">
<name>Hello World</name>
</HelloWorld>
</soap:Body>
</soap:Envelope>


I do not know what I am doing wrong. As far as I know when I add a 'MessageSignature' object to the 'Security' collection of RequestSoapContext a <Header> and <Security> element should be created and the digital signature of the message should be placed in that. I can see some wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020 in the message but I don't understand what that means.

Note:

1) I am retrieving the XML (SoapRequest) before DeSerialization on the Service side.
2) There is no problem on the Webservice response. The client receives a valid response and displays it on the form.

Any help would be greatly appreciated.

Thanks,
Sep 17 '07 #1
Share this Question
Share on Google+
1 Reply


P: 1
Hi,

Create a Trace in Web.Config/App.config then you can see the full header in the inputTrace.webinfo.

Use WSE Setting 2.0 to add it automatically.
<microsoft.web.services2>
<diagnostics>
<trace enabled="true" input="InputTrace.webinfo" output="OutputTrace.webinfo" />
</diagnostics>
</microsoft.web.services2>


Siva


Hello,

I am creating a webservice that collects user information and stores it in a database. Since the user information contains sensitive data like SSN I am planning to use WS-Security (WSE 2.0) in my WebService to digitally sign and encrypt the data.

Here are the steps I followed to digitally sign the message:


1) I created a X.509 certificate using Certification Services in Windows Server 2003.

2) I installed the certificate on my development machine in 'Local Computer' Store and 'Current User' Store using MMC

3) Using X.509 Certification tool , I granted full control access to ASPNET machine account on the certificates.

4) I created a test WebService.

5) I created a client that sends in some test data to the Service. On the client side I retrieved the certificate from the 'Local Computer' store and used it to digitally sign the request.(RequestSoapContext) .

6) On the Service side I implemented SoapExtension to trap the incoming XML (SoapRequest).

Client side code:

SoapContext context = proxy.RequestSoapContext;

X509CertificateStore store = X509CertificateStore.LocalMachineStore(X509Certifi cateStore.MyStore);
if(store.OpenRead())
{
X509CertificateCollection certs = store.FindCertificateByKeyIdentifier(Convert.FromB ase64String(keyIdentifier));
if(certs.Count > 0)
{
X509SecurityToken token = new X509SecurityToken(certs[0]);
if(token != null)
{
context.Security.Tokens.Add(token);
context.Security.Elements.Add(new MessageSignature(token));
}
}
}

Response.Text = proxy.HelloWorld("Hello World");


When I run the application, the client side seems to retrieve the certificate and add the appropriate objects to Tokens and Security collections of the RequestSoapContext.

But when I check the XML (SoapRequest) on the Services side using SoapExtension, I do not see the <Soap:Header> and <wsse:Security> elements in SoapRequest.

**** - Before DeSerialize: (SoapRequest) ****

<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<soap:Body wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020">
<HelloWorld xmlns="http://tempuri.org/">
<name>Hello World</name>
</HelloWorld>
</soap:Body>
</soap:Envelope>


I do not know what I am doing wrong. As far as I know when I add a 'MessageSignature' object to the 'Security' collection of RequestSoapContext a <Header> and <Security> element should be created and the digital signature of the message should be placed in that. I can see some wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020 in the message but I don't understand what that means.

Note:

1) I am retrieving the XML (SoapRequest) before DeSerialization on the Service side.
2) There is no problem on the Webservice response. The client receives a valid response and displays it on the form.

Any help would be greatly appreciated.

Thanks,
Oct 3 '07 #2

Post your reply

Sign in to post your reply or Sign up for a free account.