Cygnus X-1

Is there a special way to set client credentials for a web service client that needs to specify client and service actors in its policy? If I have actors on my usernameForCertificateSecurity or usernameOverTransportSecurity assertion specified in my policy file, then even if I call SetClientCredentials on the proxy, I get an error similar to "unable to determine client token to use". You can easily reproduce this in the RoutingClient project in the SecureRouting WSE 3.0 sample. Just change the client's policy to use one of the "username" assertions.

I've gotten a little farther by using proxy->RequestSoapContext->Credentials->SetCredentials to specify a "credential set", but it either doesn't like the actor value I use or for some reason doesn't send the password when connecting to the router.

My ultimate goal is to implement a router service that validates a user with some token service and then passes on the user credentials along with a new token to an inner service. Does anyone know of a good sample to do this?



Re: ASMX Web Services and XML Serialization UsernameToken with actor

Pablo Cibraro

Hi,

Try with this sample, Perimeter Service Router extension 1, http://msdn2.microsoft.com/en-us/library/aa480601.aspx

That sample does something similar, the router is configured with two different policies, one policy to receive requests and another to forward them.

Regards,

Pablo.






Re: ASMX Web Services and XML Serialization UsernameToken with actor

Cygnus X-1

Hi Pablo,

Unfortunately that sample doesn't address setting up client credentials or performing client validation at the router. What I need is something like the "SecureRoutingToUltimateReceiver" sample but with the following conditions:

1) The client needs to specify a UsernameToken either via usernameForCertificateSecurity or usernameOverTransportSecurity.

2) The router needs to intercept the request, use custom authentication, and then forward along the request with the UsernameToken intact or with some other token that is generated in the custom authentication phase. Basically, forward the request to a trusted subsystem.

My major obstacle at the moment is using "clientActor" and "serviceActor" in the client's policy assertion. Unless I code the username and password in the policy file, I will receive the "unable to determine client token to use" error, but only if "clientActor" and "serviceActor" are used. If I use empty values for the actors, then I don't get that error, but then I can't have the router intercept the request and perform custom validation.

I've read the sample you gave and it's maddeningly close to what I need. In particular, it reads "In a trusted subsystem model, if you need to forward security claims from the original caller in the routed message, you must create a custom filter to add the claims to the security header of the request message". But, it doesn't say how to do that.





Re: ASMX Web Services and XML Serialization UsernameToken with actor

Cygnus X-1

Update: I figured out how to programmatically specify the UsernameToken for my assertion. I use code like this:

Code Snippet

// Look up the client-side policy by name and bind a UsernameToken
// provider to its UsernameForCertificate assertion at run time, so the
// username and password do not have to be coded into the policy file.
Policy^ clientPolicy;
UsernameForCertificateAssertion^ clientAssertion;

clientPolicy = Policies::Default[L"MyClientPolicy"];
clientAssertion = (UsernameForCertificateAssertion^) clientPolicy->Assertions[0];
clientAssertion->UsernameTokenProvider = gcnew UsernameTokenProvider(userName, password);

// Apply the modified policy to the proxy before the call is made.
serviceProxy->SetPolicy(clientPolicy);
serviceProxy->CallMyWebMethod();

My issue now is in processing the client's credentials at a router with a custom UsernameTokenManager class and then forwarding on with a new policy (in this case mutualCertificate11Security) between the router and the service while passing along some token to identify the client's original credentials. This can be a simple 32-bit integer if necessary.

Has anyone had any luck implementing SoapFilters in WSE 3.0? I've been reading this example:

How to: Create a Custom Policy Assertion that Secures SOAP Messages

It seems to be a bit of overkill for what I need, though. I certainly don't want to get in the business of actually parsing the XML. I just want to add a token that my service can easily find and use to identify the original caller.
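The two pieces the thread is asking for (condition 2 in the earlier post, and the UsernameTokenManager plus SoapFilter question in this one) fit together as one router-side sketch. The following is an added example written for this thread; it is not code from the original posts, from the Perimeter Service Router sample, or from the WSE documentation. It is in C# rather than the poster's C++/CLI because that is the language the WSE 3.0 samples use. It assumes the WSE 3.0 API shapes UsernameTokenManager.AuthenticateToken, SoapFilter.ProcessMessage, SoapEnvelope.Header/CreateHeader and WebServicesClientProtocol.Pipeline.OutputFilters; the InnerServiceWse proxy, its Process method, the "RouterToServicePolicy" policy name, the urn:example:router namespace and the user store are all hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security.Tokens;

// Router-side token manager. WSE calls AuthenticateToken for each incoming
// UsernameToken; returning the password expected for that user lets WSE do
// the comparison (plain text or digest). It is registered for the
// UsernameToken type in the router's web.config <securityTokenManager>.
public class RouterUsernameTokenManager : UsernameTokenManager
{
    // Constructed sample store: username -> (password, internal caller id).
    // A real router would consult its own directory or token service here.
    private static readonly Dictionary<string, KeyValuePair<string, int>> Users =
        new Dictionary<string, KeyValuePair<string, int>>();

    static RouterUsernameTokenManager()
    {
        Users["alice"] = new KeyValuePair<string, int>("alice-secret", 1001);
        Users["bob"] = new KeyValuePair<string, int>("bob-secret", 1002);
    }

    protected override string AuthenticateToken(UsernameToken token)
    {
        KeyValuePair<string, int> entry;
        // Returning null makes WSE reject the token as unauthenticated.
        return Users.TryGetValue(token.Username, out entry) ? entry.Key : null;
    }

    // Maps an already-authenticated username to the id forwarded downstream.
    public static int CallerIdFor(string username)
    {
        KeyValuePair<string, int> entry;
        if (!Users.TryGetValue(username, out entry))
            throw new ArgumentException("unknown user", "username");
        return entry.Value;
    }
}

// Output filter for the router-to-service hop. It appends one small header
// element carrying the caller id, so the inner service can find the original
// caller without parsing the security header at all.
public class CallerIdFilter : SoapFilter
{
    public const string Ns = "urn:example:router";   // constructed namespace
    private readonly int callerId;

    public CallerIdFilter(int callerId) { this.callerId = callerId; }

    public override SoapFilterResult ProcessMessage(SoapEnvelope envelope)
    {
        XmlElement header = envelope.Header ?? envelope.CreateHeader();
        XmlElement e = envelope.CreateElement("CallerId", Ns);
        e.InnerText = callerId.ToString();
        header.AppendChild(e);
        return SoapFilterResult.Continue;
    }

    // Inner-service side: read the id back, or null if the header is absent.
    public static int? ReadCallerId(SoapEnvelope envelope)
    {
        if (envelope.Header == null) return null;
        XmlNodeList nodes = envelope.Header.GetElementsByTagName("CallerId", Ns);
        int id;
        if (nodes.Count == 1 && int.TryParse(nodes[0].InnerText, out id)) return id;
        return null;
    }
}

// Router wiring: after WSE has authenticated the incoming UsernameToken, the
// router opens the inner hop under its own policy and attaches the filter.
public static class Router
{
    public static void Forward(string authenticatedUser, string payload)
    {
        InnerServiceWse proxy = new InnerServiceWse();             // hypothetical proxy
        proxy.SetPolicy("RouterToServicePolicy");                  // mutualCertificate11Security
        proxy.Pipeline.OutputFilters.Add(
            new CallerIdFilter(RouterUsernameTokenManager.CallerIdFor(authenticatedUser)));
        proxy.Process(payload);                                    // hypothetical web method
    }
}
```

The CallerId element is only as trustworthy as the hop it travels on: the filter adds it unsigned, so the inner service should honor it only on messages that arrive under the router-to-service policy (the mutualCertificate11Security assertion named above), where the router's certificate authenticates the sender, and never on a message that reaches the inner service directly from a client.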