Hello,
I am creating a web service that collects user information and stores it in a database. Since the user information contains sensitive data like SSN, I am planning to use WS-Security (WSE 2.0) in my WebService to digitally sign and encrypt the data.
Here are the steps I followed to digitally sign the message:
1) I created an X.509 certificate using Certification Services in Windows Server 2003.
2) I installed the certificate on my development machine in the 'Local Computer' store and the 'Current User' store using MMC.
3) Using the X.509 Certification tool, I granted full control access to the ASPNET machine account on the certificates.
4) I created a test WebService.
5) I created a client that sends in some test data to the Service. On the client side I retrieved the certificate from the 'Local Computer' store and used it to digitally sign the request (RequestSoapContext).
6) On the Service side I implemented SoapExtension to trap the incoming XML (SoapRequest).
Client side code:
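    // WSE 2.0 namespaces used here: Microsoft.Web.Services2,
    // Microsoft.Web.Services2.Security, Microsoft.Web.Services2.Security.Tokens,
    // Microsoft.Web.Services2.Security.X509
    SoapContext context = proxy.RequestSoapContext;

    // Open the Personal ("My") store of the Local Computer account
    X509CertificateStore store = X509CertificateStore.LocalMachineStore(X509CertificateStore.MyStore);
    if(store.OpenRead())
    {
        // Look the certificate up by its base64-encoded key identifier
        X509CertificateCollection certs = store.FindCertificateByKeyIdentifier(Convert.FromBase64String(keyIdentifier));
        if(certs.Count > 0)
        {
            X509SecurityToken token = new X509SecurityToken(certs[0]);
            if(token != null)
            {
                // Attach the token and request a signature made with it
                context.Security.Tokens.Add(token);
                context.Security.Elements.Add(new MessageSignature(token));
            }
        }
    }
    Response.Text = proxy.HelloWorld("Hello World");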
When I run the application, the client side seems to retrieve the certificate and add the appropriate objects to Tokens and Security collections of the RequestSoapContext.
But when I check the XML (SoapRequest) on the Services side using SoapExtension, I do not see the <Soap:Header> and <wsse:Security> elements in SoapRequest.
**** - Before DeSerialize: (SoapRequest) ****
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Body wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020">
    <HelloWorld xmlns="http://tempuri.org/">
      <name>Hello World</name>
    </HelloWorld>
  </soap:Body>
</soap:Envelope>
I do not know what I am doing wrong. As far as I know, when I add a 'MessageSignature' object to the 'Security' collection of RequestSoapContext, a <Header> and <Security> element should be created and the digital signature of the message should be placed in that. I can see some wsu:Id="Id-bb057f21-19f8-4804-a49f-d952affa4020" in the message but I don't understand what that means.
Note:
1) I am retrieving the XML (SoapRequest) before DeSerialization on the Service side.
2) There is no problem on the Webservice response. The client receives a valid response and displays it on the form.
Any help would be greatly appreciated.
Thanks,
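
An added example, not part of the original post and not WSE code: a structural check that can be run on the XML captured in a SoapExtension to report whether a wsse:Security header with a ds:Signature is present and whether one of its references points at the body's wsu:Id. The class and method names are hypothetical, the sample envelope is constructed, and the check does not validate the signature cryptographically.

```csharp
using System;
using System.Xml;

static class SoapSignatureCheck   // hypothetical helper, not a WSE type
{
    const string SoapNs = "http://schemas.xmlsoap.org/soap/envelope/";
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string WsuNs  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string DsNs   = "http://www.w3.org/2000/09/xmldsig#";

    // Returns null when a ds:Reference in the Security header points at the
    // body's wsu:Id; otherwise returns the reason. Structure only: it does
    // not verify the signature value or the certificate.
    public static string Describe(string envelopeXml)
    {
        XmlDocument doc = new XmlDocument();
        doc.PreserveWhitespace = true;
        doc.LoadXml(envelopeXml);
        XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("soap", SoapNs);
        ns.AddNamespace("wsse", WsseNs);
        ns.AddNamespace("ds", DsNs);

        XmlElement body = (XmlElement)doc.SelectSingleNode("/soap:Envelope/soap:Body", ns);
        if (body == null) return "no soap:Body element";
        string bodyId = body.GetAttribute("Id", WsuNs);   // "" when absent

        XmlNode security = doc.SelectSingleNode("/soap:Envelope/soap:Header/wsse:Security", ns);
        if (security == null)
            return "no wsse:Security header; body wsu:Id '" + bodyId + "' is referenced by nothing";
        XmlNode signature = security.SelectSingleNode("ds:Signature", ns);
        if (signature == null) return "wsse:Security header carries no ds:Signature";
        if (bodyId.Length == 0) return "body has no wsu:Id for a reference to target";

        // A signed part is tied to the signature by URI="#<wsu:Id>"
        foreach (XmlElement reference in signature.SelectNodes("ds:SignedInfo/ds:Reference", ns))
            if (reference.GetAttribute("URI") == "#" + bodyId) return null;
        return "ds:Signature does not reference body wsu:Id '" + bodyId + "'";
    }

    static void Main()
    {
        // Constructed sample shaped like the request shown in the post
        string captured = "<soap:Envelope xmlns:soap='" + SoapNs + "' xmlns:wsu='" + WsuNs + "'>"
            + "<soap:Body wsu:Id='Id-constructed-1'><HelloWorld xmlns='http://tempuri.org/'>"
            + "<name>Hello World</name></HelloWorld></soap:Body></soap:Envelope>";
        Console.WriteLine(Describe(captured) ?? "body is covered by a signature reference");
    }
}
```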