Microsoft Webservice Security Problem

  • VictorG

    Microsoft Webservice Security Problem

    Hello,


    I am trying to secure a webservice using WSE 3.0 and the turnkey
    usernameForCertificateSecurity profile. I am passing a valid username
    token, and on the server I have overridden the Authenticate token
    call and it is being called. My ASP.NET service has a Login() method and
    it is being called during client application startup. Both the client
    and service have matching policy config files. Once authentication
    occurs I want to obtain an SCT to use as a session token.

    But the first call returns with an exception although it successfully
    returns from the Login() call.

    I get a "ResponseProcessingException" on the client when calling my
    Login() method.

    It has the following inner exception:
    InnerException {"WSE2005: Protection requirements in
    UsernameForCertificateAssertion are not satisfied."}

    The strange thing is that there is no further information on the
    above exceptions. What requirements are not being met?

    If I drill down into the exception stack I do see a
    GenericParameterAttribute and GenericParameterPosition exception, they
    both throw a System.InvalidException on the parameters to
    ClientInputFilter.ValidateMessageSecurity(). But this is deep within
    WSE and out of my control.

    I originally thought this may be a library mismatch with the parameter
    types but I have successfully run the WSE 3.0 sample applications that
    should be using the same libraries. What could possibly alter the
    parameters to this call? The only real difference is in the "real"
    webservice I am trying to call versus the "sample" webservice that works.

    Also note that the "real" webservice project was created prior to
    adding WSE support to it. Perhaps there is a step missing in this
    scenario?


    I have tracing turned on and here are the results of a single call to
    my Login() method:

    OutputTrace.webinfo:


    <?xml version="1.0" encoding="utf-8"?>
    <log>
    <outputMessage utc="10/29/2008 1:38:38 AM" messageId="urn:uuid:d07b96ee-9882-4303-8d17-3996e928e364">
    <processingStep description="Unprocessed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <soap:Body>
    <LoginResponse xmlns="http://localhost/NetTiersPayrollWebServices">
    <LoginResult>Pass</LoginResult>
    </LoginResponse>
    </soap:Body>
    </soap:Envelope>
    </processingStep>
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Processed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header>
    <wsa:Action>http://localhost/NetTiersPayrollWebServices/LoginResponse</wsa:Action>
    <wsa:MessageID>urn:uuid:d07b96ee-9882-4303-8d17-3996e928e364</wsa:MessageID>
    <wsa:RelatesTo>urn:uuid:55cc02b2-b8e4-4ecc-973f-64fa047abdcc</wsa:RelatesTo>
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
    <wsse:Security>
    <wsu:Timestamp wsu:Id="Timestamp-b96e5653-4fc6-4f6d-944a-0984d06c49d6">
    <wsu:Created>2008-10-29T01:38:38Z</wsu:Created>
    <wsu:Expires>2008-10-29T01:53:38Z</wsu:Expires>
    </wsu:Timestamp>
    </wsse:Security>
    </soap:Header>
    <soap:Body>
    <LoginResponse xmlns="http://localhost/NetTiersPayrollWebServices">
    <LoginResult>Pass</LoginResult>
    </LoginResponse>
    </soap:Body>
    </soap:Envelope>
    </processingStep>
    </outputMessage>
    </log>


    ****************************************************************
    InputTrace.webinfo


    <?xml version="1.0" encoding="utf-8"?>
    <log>
    <inputMessage utc="10/29/2008 1:38:09 AM" messageId="urn:uuid:55cc02b2-b8e4-4ecc-973f-64fa047abdcc">
    <processingStep description="Unprocessed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header>
    <wsa:Action wsu:Id="Id-68723008-2e19-429f-90cc-b60854083f76">http://localhost/NetTiersPayrollWebServices/Login</wsa:Action>
    <wsa:MessageID wsu:Id="Id-8a252441-bfb4-404a-89fe-436f5e7baa83">urn:uuid:55cc02b2-b8e4-4ecc-973f-64fa047abdcc</wsa:MessageID>
    <wsa:ReplyTo wsu:Id="Id-f8dac67d-9ed9-4a7a-ba68-15843d3ac661">
    <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To wsu:Id="Id-4b502a5c-8b18-4bc9-bca8-1c6f8713810d">http://localhost/NetTiersPayrollWebServices/EasePayrollServices.asmx</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="Timestamp-6e434b43-cbc2-4d8b-8d09-1597b9e46f63">
    <wsu:Created>2008-10-29T01:37:40Z</wsu:Created>
    <wsu:Expires>2008-10-29T01:42:40Z</wsu:Expires>
    </wsu:Timestamp>
    <xenc:EncryptedKey Id="SecurityToken-6783d606-38ad-4895-a83f-40054c4e47e8" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
    <ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    </xenc:EncryptionMethod>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">bOSPmOcGQlCm8L0A110A1piq5ss=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    <xenc:CipherData>
    <xenc:CipherVal ue>p42Ckf
    +vVhlF5S0rnFd9F nxeCJ2d9kOu9xuc KaTFrTYVdTjQoIz 3ycZhMgiukywOPv Zqcgp17B1IBRCId ­
    neFRdvhPOn7glet Ds8j63BujYtoeEo ydmB89CdBIDrn5m BLC4xf2+sub8+nO fMo4X700HDnwfE6 ­
    zTxSUsGar1NebtE =</
    xenc:CipherValu e>
    </xenc:CipherData>
    </xenc:EncryptedKey>
    <wssc:DerivedKeyToken wsu:Id="SecurityToken-78c6f480-4f00-4a55-ab2b-7578d1393ff7" Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-6783d606-38ad-4895-a83f-40054c4e47e8" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
    </wsse:SecurityTokenReference>
    <wssc:Generation>0</wssc:Generation>
    <wssc:Length>32</wssc:Length>
    <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
    <wssc:Nonce>LRZoEDWOiuFaPEoEcNZkew==</wssc:Nonce>
    </wssc:DerivedKeyToken>
    <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:DataReference URI="#Enc-43bf8398-6a11-44a5-9f4b-4ec86072f1a7" />
    <xenc:DataReference URI="#Enc-54b1428c-06dc-4026-9261-5f8e51887606" />
    </xenc:ReferenceList>
    <xenc:EncryptedData Id="Enc-43bf8398-6a11-44a5-9f4b-4ec86072f1a7" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-78c6f480-4f00-4a55-ab2b-7578d1393ff7" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    <xenc:CipherData>
    <xenc:CipherVal ue>yf2TTGTWpTzW f7uqJm7QT9OF/
    mxe15V7xmjVqm9g kKMdIIyvPfSYJ+2 ei/+DWMgdEGKiHpWc3 dw7//
    Zg6BXy2G8samYKo Tx3EO0NaSkq17bQ MhJm0/Z+bIEh6lJJX5rCN meGRb+8CUN1wIhX e/
    IH18cdlMd7UKnSX KIFaTonHBhwn92U DhFeDl8HF0lqmpz HqiRttpHtMXwys3 r5N
    +ivoGq16eENuedE Tev6xaJx6tfaybg lPafIwSgqTpJZYP aMrigNrRwhG8wCd D4V1s35ptFcTzEx ­
    peiOZn8KmL/
    GMuJrJJshmzi1Kx tI2HSHEOczMc7aR 9vQZDHbyBm1HAgu 9q970l9TeDJ139r STFUeIO7q97WpZp ­
    bFGtym5zP8tntkh 19XlXOIJHDwVmzA nOnDVPQO0FnJr1P svM5+kEKIGNmOeF waaWekcGd548UyA ­
    Azi0gjG8EPPk5jz 4ENyPGua/
    xMg+AXuTy8GVIky aKCFt5UV
    +g1h65+FovY5Qk4 YM772ojNvQPUN2c f3NRKA3yIn4xgj3 r0oI3QpZRwiKovG Pe5aOKyWKTqvwDo ­
    nWQ6I1RdlZn6n1d ARU4D3jqKDrJh35 ST0pYT5H80jn22T uQzvz2xsnfWB9ej Zcb03rqInnmumWT ­
    VkjDqgwCalHn9NR fLdq/
    BIUDVCY+rIKPMRQ rydidR/ZNnb8tOkFCtBb3a wMiJ7G7fHh8twli DErGH8IPFbRMn5g W/
    uHBzMmmi0t2x9j/nukUfF4PpCB
    +0L09kSWtbYrpE0 hIvc4oJzlQUNwF7 7UMaWwK1kwVqP0S N8yftVH83VJVwO9 JAee4fsgS0xPmQp ­
    </
    xenc:CipherValu e>
    </xenc:CipherData>
    </xenc:EncryptedData>
    <wssc:DerivedKeyToken wsu:Id="SecurityToken-c6292af7-c89b-4c89-a45f-4a3e5dc36f8a" Algorithm="http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-6783d606-38ad-4895-a83f-40054c4e47e8" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
    </wsse:SecurityTokenReference>
    <wssc:Generation>0</wssc:Generation>
    <wssc:Length>24</wssc:Length>
    <wssc:Label>WS-SecureConversationWS-SecureConversation</wssc:Label>
    <wssc:Nonce>sMBbG/szCbOaObxHATB5bA==</wssc:Nonce>
    </wssc:DerivedKeyToken>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
    <Reference URI="#SecurityToken-ddbe03d7-4aef-46fe-97d5-7932b13e058f">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>umNbubjBpIc2DVgi2WZvhqwneko=</DigestValue>
    </Reference>
    <Reference URI="#Id-68723008-2e19-429f-90cc-b60854083f76">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>Y78aZjdWsViQl3v+akyPU9LBhzo=</DigestValue>
    </Reference>
    <Reference URI="#Id-8a252441-bfb4-404a-89fe-436f5e7baa83">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>whjNXB7TFArfY359/a4MuX80C9Y=</DigestValue>
    </Reference>
    <Reference URI="#Id-f8dac67d-9ed9-4a7a-ba68-15843d3ac661">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>wsHjgZEa4JyNvwgy34gP9AeBKu4=</DigestValue>
    </Reference>
    <Reference URI="#Id-4b502a5c-8b18-4bc9-bca8-1c6f8713810d">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>ASzsIfuwwRXTt/VWglZUOYpJQaA=</DigestValue>
    </Reference>
    <Reference URI="#Timestamp-6e434b43-cbc2-4d8b-8d09-1597b9e46f63">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>iuCJFGlTwKwNkURTuulrDqM7Mzs=</DigestValue>
    </Reference>
    <Reference URI="#Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
    <DigestValue>osc5rYeQV3x611/OIGK2GxkaEgM=</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>Ax8CX4YIdpxKeMa0bF4/KhxCWXw=</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-c6292af7-c89b-4c89-a45f-4a3e5dc36f8a" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>
    </soap:Header>
    <soap:Body wsu:Id="Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
    <xenc:EncryptedData Id="Enc-54b1428c-06dc-4026-9261-5f8e51887606" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-78c6f480-4f00-4a55-ab2b-7578d1393ff7" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" />
    </wsse:SecurityTokenReference>
    </KeyInfo>
    <xenc:CipherData>
    <xenc:CipherVal ue>qSXdqTbXDVBe KxItQJRCwHVBWHf lXz7YwZwF
    +bOlgK9rSSiWsMG y1pXKu1VmnLKRot EsaDdI0EZBt++YE RpvK7TWWsV78G6a
    +0rvxVGqbXM=</xenc:CipherValu e>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </soap:Body>
    </soap:Envelope>
    </processingStep>
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Entering SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Exited SOAP filter Microsoft.Web.Services3.Security.Wse2PipelinePolicy+LegacyFilterWrapper" />
    <processingStep description="Processed message">
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header />
    <soap:Body wsu:Id="Id-6b1345f0-29d1-4b7b-8848-2405ff747eb3">
    <Login xmlns="http://localhost/NetTiersPayrollWebServices" />
    </soap:Body>
    </soap:Envelope>
    </processingStep>
    </inputMessage>
    </log>

    Does anything look out of place? I know it's hard to tell off hand,
    but in the output trace file there is no SOAP fault or anything that
    points a finger at the cause of this problem.


    Any help will be greatly appreciated.


    Thanks,
    V. Grippi
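
Added example, not part of the original post or of WSE: one way to check whether "anything looks out of place" is to summarise, for each traced message, which WS-Security protections the on-the-wire envelope carries. In the traces above the request carries an EncryptedKey, derived key tokens, a Signature and an encrypted body, while the response's wsse:Security header holds only a Timestamp, which is the asymmetry this script flags. The function names are hypothetical and the two embedded traces are constructed, trimmed stand-ins with the same shape as the posted ones.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
APP = "http://localhost/NetTiersPayrollWebServices"  # service namespace from the post

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def wire_envelope(message):
    """Pick the step that still has a wsse:Security header: the envelope as sent."""
    envelopes = message.findall(f"processingStep/{{{SOAP}}}Envelope")
    for env in envelopes:
        if env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security") is not None:
            return env
    return envelopes[0] if envelopes else None

def protection_summary(env):
    """Report which WS-Security protections one SOAP envelope carries."""
    sec = env.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    body = env.find(f"{{{SOAP}}}Body")
    signed_ids = set()
    if sec is not None:
        path = f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference"
        signed_ids = {r.get("URI", "").lstrip("#") for r in sec.iterfind(path)}
    body_id = body.get(f"{{{WSU}}}Id") if body is not None else None
    return {
        "security_children": [local(c.tag) for c in sec] if sec is not None else [],
        "body_signed": body_id is not None and body_id in signed_ids,
        "body_encrypted": body is not None
        and any(c.tag == f"{{{XENC}}}EncryptedData" for c in body),
    }

def audit_trace(log_xml):
    """Summarise every inputMessage/outputMessage in one WSE .webinfo trace."""
    report = []
    for message in ET.fromstring(log_xml):
        env = wire_envelope(message)
        if env is None:
            continue
        row = protection_summary(env)
        row["direction"] = local(message.tag)
        row["unprotected"] = not (row["body_signed"] and row["body_encrypted"])
        report.append(row)
    return report

_NS = (f'xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" '
       f'xmlns:ds="{DS}" xmlns:xenc="{XENC}"')

# Constructed sample data (not the poster's real trace): signed, encrypted request.
INPUT_TRACE = f"""<log><inputMessage>
<processingStep description="Unprocessed message"><soap:Envelope {_NS}>
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="Timestamp-1"/>
  <xenc:EncryptedKey Id="SecurityToken-1"/>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#Id-body"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Id-body"><xenc:EncryptedData Id="Enc-1"/></soap:Body>
</soap:Envelope></processingStep>
<processingStep description="Processed message"><soap:Envelope {_NS}>
 <soap:Header/><soap:Body wsu:Id="Id-body"><Login xmlns="{APP}"/></soap:Body>
</soap:Envelope></processingStep>
</inputMessage></log>"""

# Constructed sample data: response whose Security header holds only a Timestamp.
OUTPUT_TRACE = f"""<log><outputMessage>
<processingStep description="Unprocessed message"><soap:Envelope {_NS}>
 <soap:Body><LoginResponse xmlns="{APP}"/></soap:Body>
</soap:Envelope></processingStep>
<processingStep description="Processed message"><soap:Envelope {_NS}>
 <soap:Header><wsse:Security><wsu:Timestamp wsu:Id="Timestamp-2"/></wsse:Security></soap:Header>
 <soap:Body><LoginResponse xmlns="{APP}"/></soap:Body>
</soap:Envelope></processingStep>
</outputMessage></log>"""

if __name__ == "__main__":
    for row in audit_trace(INPUT_TRACE) + audit_trace(OUTPUT_TRACE):
        print(row)
```

A row with `unprotected` set on the outputMessage side is the one to compare against what the client-side policy expects of the response.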


  • John Saunders

    #2
    Re: Microsoft Webservice Security Problem

    "VictorG" <grippiconsulting@yahoo.com> wrote in message
    news:4934d7d9-1cf7-44c4-8fc0-5f5d571dfde1@x1g2000prh.googlegroups.com...
    > Hello,
    >
    > I am trying to secure a webservice using WSE 3.0
    ....

    Not an answer to your question, but I wanted to make sure: are you aware
    that WSE is obsolete? It's not even supported in Visual Studio 2008, and
    certainly not beyond. You might try using WCF to solve your problem, as it
    is the replacement for WSE.
    --
    John Saunders | MVP - Connected System Developer


    • VictorG

      #3
      Re: Microsoft Webservice Security Problem

      On Oct 29, 1:40 pm, "John Saunders" <n...@dont.do.that.com> wrote:
      > "VictorG" <grippiconsult...@yahoo.com> wrote in message
      > news:4934d7d9-1cf7-44c4-8fc0-5f5d571dfde1@x1g2000prh.googlegroups.com...
      >
      >> Hello,
      >>
      >> I am trying to secure a webservice using WSE 3.0
      >
      > ...
      >
      > Not an answer to your question, but I wanted to make sure: are you aware
      > that WSE is obsolete? It's not even supported in Visual Studio 2008, and
      > certainly not beyond. You might try using WCF to solve your problem, as it
      > is the replacement for WSE.
      > --
      > John Saunders | MVP - Connected System Developer

      Thanks for the reply John.

      How much refactoring is involved porting an existing ASP.NET Web
      Service and client to WCF?

      We are using NetTiers templates to auto generate the Web service
      methods that are based on a SQL schema. I'm not sure if NetTiers
      supports WCF.

      -Victor


      • John Saunders

        #4
        Re: Microsoft Webservice Security Problem

        "VictorG" <grippiconsulting@yahoo.com> wrote in message
        news:13b2fa90-b25d-4c59-b37c-de685cffd96d@a29g2000pra.googlegroups.com...
        > On Oct 29, 1:40 pm, "John Saunders" <n...@dont.do.that.com> wrote:
        >> "VictorG" <grippiconsult...@yahoo.com> wrote in message
        >> news:4934d7d9-1cf7-44c4-8fc0-5f5d571dfde1@x1g2000prh.googlegroups.com...
        >>
        >>> Hello,
        >>>
        >>> I am trying to secure a webservice using WSE 3.0
        >>
        >> ...
        >>
        >> Not an answer to your question, but I wanted to make sure: are you aware
        >> that WSE is obsolete? It's not even supported in Visual Studio 2008, and
        >> certainly not beyond. You might try using WCF to solve your problem, as it
        >> is the replacement for WSE.
        >> --
        >> John Saunders | MVP - Connected System Developer
        >
        > Thanks for the reply John.
        >
        > How much refactoring is involved porting an existing ASP.NET Web
        > Service and client to WCF?
        >
        > We are using NetTiers templates to auto generate the Web service
        > methods that are based on a SQL schema. I'm not sure if NetTiers
        > supports WCF.

        Your first step, even if you don't move to WCF today, would be to make sure
        that NetTiers supports WCF. It's been out for two years - they would have no
        excuse for not supporting it by now.

        If they don't support WCF, then the ease of porting would depend on how they
        generate their code. If it's all monolithic classes, then you would have an
        issue. If they generate separate classes for the resultsets, then you may be
        able to reuse those, at least if you stick with the XML Serializer. Again,
        depending on how they generate the code that accesses the database, you may
        be able to reuse that as well.

        But if you didn't know that WSE is long dead, you really need to ask
        yourself why you didn't know that - and what else you might have missed in
        the same way.

        In a case like this, I often ask people if they think their competitors are
        making the same mistakes.
        --
        John Saunders | MVP - Connected System Developer


        • VictorG

          #5
          Re: Microsoft Webservice Security Problem

          On Oct 29, 2:43 pm, "John Saunders" <n...@dont.do.that.com> wrote:
          > "VictorG" <grippiconsult...@yahoo.com> wrote in message
          > news:13b2fa90-b25d-4c59-b37c-de685cffd96d@a29g2000pra.googlegroups.com...
          >
          >> On Oct 29, 1:40 pm, "John Saunders" <n...@dont.do.that.com> wrote:
          >>> "VictorG" <grippiconsult...@yahoo.com> wrote in message
          >>> news:4934d7d9-1cf7-44c4-8fc0-5f5d571dfde1@x1g2000prh.googlegroups.com....
          >>>
          >>>> Hello,
          >>>>
          >>>> I am trying to secure a webservice using WSE 3.0
          >>>
          >>> ...
          >>>
          >>> Not an answer to your question, but I wanted to make sure: are you aware
          >>> that WSE is obsolete? It's not even supported in Visual Studio 2008, and
          >>> certainly not beyond. You might try using WCF to solve your problem, as it
          >>> is the replacement for WSE.
          >>> --
          >>> John Saunders | MVP - Connected System Developer
          >>
          >> Thanks for the reply John.
          >>
          >> How much refactoring is involved porting an existing ASP.NET Web
          >> Service and client to WCF?
          >>
          >> We are using NetTiers templates to auto generate the Web service
          >> methods that are based on a SQL schema. I'm not sure if NetTiers
          >> supports WCF.
          >
          > Your first step, even if you don't move to WCF today, would be to make sure
          > that NetTiers supports WCF. It's been out for two years - they would have no
          > excuse for not supporting it by now.
          >
          > If they don't support WCF, then the ease of porting would depend on how they
          > generate their code. If it's all monolithic classes, then you would have an
          > issue. If they generate separate classes for the resultsets, then you may be
          > able to reuse those, at least if you stick with the XML Serializer. Again,
          > depending on how they generate the code that accesses the database, you may
          > be able to reuse that as well.
          >
          > But if you didn't know that WSE is long dead, you really need to ask
          > yourself why you didn't know that - and what else you might have missed in
          > the same way.
          >
          > In a case like this, I often ask people if they think their competitors are
          > making the same mistakes.
          > --
          > John Saunders | MVP - Connected System Developer

          John,

          Thanks again for your reply.

          WCF is not an option for my project at this time. We have existing
          NetTiers templates (CodeSmith generated) that we do not have time to
          refactor. NetTiers does have a patch that will allow access to the
          data layer through WCF, however it is not an option for us at this
          time, and has not been fully released into their build. I was brought
          in late in the game to add security to this project, and although
          this is not an optimal situation, neither is security in general with
          web services (all of it was added after the fact).

          Many like myself are starting to use WSE because it is still available
          for download, is still on the MSDN, and in many articles on-line or
          otherwise. Just do a search for securing web services or SOA security.
          The other alternative is for me to "roll my own" and add a handler to
          inject my own token in the SOAP header. (I may have to do this)

          With that said, there must be a solution to add security to an
          existing web services project using VS2008. I have been able to get
          everything to work except for the exception in the first post. The WSE
          3.0 quick start samples all work in VS2008, after conversion, so it
          should be a viable solution.

          This leaves me at the original question of what could cause a
          GenericParameterAttribute and GenericParameterPosition exception, they
          both throw a System.InvalidException on the parameters in the call to
          ClientInputFilter.ValidateMessageSecurity().

          Thanks,
          Victor


          • John Saunders

            #6
            Re: Microsoft Webservice Security Problem

            "VictorG" <grippiconsulting@yahoo.com> wrote in message
            news:ae656d59-9c33-454f-b689-4b3949de1184@d36g2000prf.googlegroups.com...
            > On Oct 29, 2:43 pm, "John Saunders" <n...@dont.do.that.com> wrote:
            >> "VictorG" <grippiconsult...@yahoo.com> wrote in message
            ....
            > Many like myself are starting to use WSE because it is still available
            > for download, is still on the MSDN, and in many articles on-line or
            > otherwise. Just do a search for securing web services or SOA security.

            I hope this teaches you and many others a lesson about depending on Google
            or the equivalent to make your decisions for you. There's all sorts of crap
            that you will find in an Internet search. Just because you can find it
            doesn't mean it's any good. It _could_ just mean that nobody has bothered to
            remove the article. Search MSDN and you'll find some very old information -
            I easily found stuff from 1998.

            I have spoken to Microsoft about better adjusting the search on the MSDN
            site to be more relevant. I gave them the specific example of searching for
            "web service security". I intend to keep following up on that. This won't
            help people who use a different search engine.

            > The other alternative is for me to "roll my own" and add a handler to
            > inject my own token in the SOAP header. (I may have to do this)
            >
            > With that said, there must be a solution to add security to an
            > existing web services project using VS2008.

            There is - use WCF or roll your own, or depend on SSL.

            I characterize WSE as obsolete for this reason alone. If it has not been
            updated to "WSE 3.1" to support Visual Studio 2008, then that should tell
            you something very important about continuing to use WSE. BTW, have you seen
            any hot fixes for WSE lately? I don't know anything official, but I'd be
            surprised to learn that anything other than the most critical security bugs
            would be fixed.

            > I have been able to get
            > everything to work except for the exception in the first post. The WSE
            > 3.0 quick start samples all work in VS2008, after conversion, so it
            > should be a viable solution.
            >
            > This leaves me at the original question of what could cause a
            > GenericParameterAttribute and GenericParameterPosition exception, they
            > both throw a System.InvalidException on the parameters in the call to
            > ClientInputFilter.ValidateMessageSecurity().

            I hope you find an answer. If you do, then please post it here so that
            others who find this conversation in the future will benefit from it.

            --
            John Saunders | MVP - Connected System Developer
