Mutual authentication and allowing only certain hosts.

Is it possible to only allow certain machines to access a web service?

I am using VB.Net (VS 2005) and WSE 3.0.

Right now I am at the point where any machine with a valid certificate can access the web service as long as the certificate is verifiable. I want to make sure that only certificates I issue for certain machines are allowed to access a web service. Is it possible to create a special cert store for this purpose? Would I be better off to analyze all certificates and then decide what the host is allowed access to? Just thinking out loud before I go in the wrong direction with my project. Any opinions?

Thanks,

Rick


  • fugacity

    Anyone?
  • mmmmmmmmmmmmmmBeeeer

    Hi,

    I am using the same mutual authentication mentioned above. I want my client web application to encrypt the message with the web service public key and sign it with its own private key. I want the web service to authenticate the client application. I tried to test if the web service was actually authenticating my web app. I tried the following tests:

    My service config looks like this:

    <policy name="ServerPolicy">
      <authorization>
        <allow user="CN=WSE2QuickStartClient" />
        <deny user="*" />
      </authorization>
      <mutualCertificate11Security establishSecurityContext="true" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <serviceToken>
          <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
        </serviceToken>
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </mutualCertificate11Security>
      <requireActionHeader />
    </policy>

    My client config looks like this:

    <policy name="x509ClientPolicy">
      <mutualCertificate11Security establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="true" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true" ttlInSeconds="300">
        <clientToken>
          <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartClient" findType="FindBySubjectDistinguishedName" />
        </clientToken>
        <serviceToken>
          <x509 storeLocation="LocalMachine" storeName="My" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
        </serviceToken>
        <protection>
          <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
          <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
        </protection>
      </mutualCertificate11Security>
      <requireActionHeader />
    </policy>

    Test 1:
    I tried to access and invoke the service directly by browsing to the service endpoint on IE. I thought the expected result would be that it would fail to invoke the web service since I am not providing the X509 certificate while invoking the web service. But, I was still able to invoke the web service by browsing to it.

    Test 2:
    I tried to invoke the web service from my web application but changed my config file to not attach the X509 client token. But my web service still let my client application invoke the web service. I thought since the web service was authenticating, it would not let the client access the web service.

    Can anyone tell me what could be wrong?

    Thanks,
    Abhishek

  • Brent_One

    A credential consists of a number of claims. An X509 cert is a type of credential and so you can look at the claims of the certificate presented in the message to make authorization decisions.

    You will have to create a set of certificates where you can validate some of the claims. This could be the common name (CN) of a cert which was issued by, say, Verisign. Or you could issue your own certificates each with a different common name and then maintain a list of the authorized names. You will have to ensure that the certs that you issue have a trusted root certificate to ensure that they are genuinely issued by you.

    Better still, the Thumbprint is the only unique characteristic of an X509 cert (CNs can be duplicated, there can be many certs called "MarkFussell" for example) and so you can use this for a unique identifier.

    To do this, you need to create a custom X509SecurityTokenManager, pull out the client X509 certificate from the Authenticate method (there will only be one of type X509Certificate2 in this collection) and then look at some claim in order to make an authorization decision.

    Finally, having talked at length above, you should really read this http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/WSS_Ch3_ImpMLSX509_WSE30.asp from the fantastic PAG WS-Security guidance doc. This describes in detail how to do the above. Notably, you can do authorization with WSE 3.0 like this on the CN out of the box:

    <policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">

      <policy name="x509">
        <authorization>
          <allow user="CN=WSE2QuickStartClient" />
          <deny user="*" />
        </authorization>
      </policy>

      ...
    </policies>

    or with a custom X509SecurityTokenManager on the SHA1 Thumbprint like this:

    ...
    <authorization>
      <allow user="ca7601381b4578502b62b8809825664f1e78dfa2" />
      <deny user="*" />
    </authorization>
    ...

    Thanks.

    Mark Fussell

    WSE Program Manager
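The following is an added example, written for this thread and not code from the original posts, the WSE QuickStart samples, or the PAG guidance: a custom X509SecurityTokenManager in VB.NET (targeting .NET 2.0 as VS 2005 does) that keeps WSE's built-in certificate checks and then allows only client certificates whose SHA-1 thumbprint is on an explicit allow list, which is the thumbprint-based approach Mark describes above. The class name, the `IsAllowed` helper and the second thumbprint are constructed placeholders; the first thumbprint is the one quoted in the thread. The `AuthenticateToken` override signature and `token.Certificate` are recalled from the WSE 3.0 reference and should be checked against it before use.

```vbnet
' Added example: allow-list client certificates by SHA-1 thumbprint inside a
' custom WSE 3.0 token manager. Not from the original thread; see lead-in for
' which names and signatures are assumptions.
Imports System
Imports System.Security
Imports System.Security.Cryptography.X509Certificates
Imports Microsoft.Web.Services3.Security.Tokens

Public Class ThumbprintX509TokenManager
    Inherits X509SecurityTokenManager

    ' Thumbprints of the client certificates this service trusts.
    ' The first is the value quoted in the thread; the second is a
    ' constructed placeholder. Store them without spaces or colons.
    Private Shared ReadOnly AllowedThumbprints As String() = New String() { _
        "ca7601381b4578502b62b8809825664f1e78dfa2", _
        "0000000000000000000000000000000000000000" _
    }

    ' Assumed override signature (check against the WSE 3.0 reference).
    Protected Overrides Sub AuthenticateToken(ByVal token As X509SecurityToken)
        ' Keep the built-in checks (signature, validity period, chain to a
        ' trusted root) so the allow list is an extra filter, not a replacement.
        MyBase.AuthenticateToken(token)

        Dim cert As X509Certificate2 = token.Certificate
        If cert Is Nothing Then
            Throw New SecurityException("No X.509 certificate in the token.")
        End If

        ' Deny by default: a certificate that chains to a trusted root but is
        ' not explicitly listed is still rejected. The CN is not used because,
        ' as noted above, common names can be duplicated.
        If Not IsAllowed(cert.Thumbprint) Then
            Throw New SecurityException( _
                "Certificate " & cert.Subject & " is not authorized for this service.")
        End If
    End Sub

    ' Normalizes a thumbprint and checks it against the allow list.
    ' X509Certificate2.Thumbprint returns upper-case hex with no separators,
    ' while thumbprints copied from the certificate UI are often lower-case
    ' or contain spaces, so the comparison is case-insensitive.
    Public Shared Function IsAllowed(ByVal thumbprint As String) As Boolean
        If String.IsNullOrEmpty(thumbprint) Then Return False
        Dim normalized As String = thumbprint.Replace(" ", "").Replace(":", "")
        For Each allowed As String In AllowedThumbprints
            If String.Equals(allowed, normalized, StringComparison.OrdinalIgnoreCase) Then
                Return True
            End If
        Next
        Return False
    End Function
End Class
```

To make WSE use this class instead of the default manager for X.509 tokens, it has to be registered under the `<microsoft.web.services3><security>` element of the service's web.config with a `<securityTokenManager>` entry whose `type` is the assembly-qualified class name and whose `qname` is `wsse:BinarySecurityToken` (with the `wsse` prefix bound to the WS-Security 1.0 secext namespace); the exact attribute names are as recalled from the WSE 3.0 documentation and should be checked there. The `<authorization>` block in the policy still applies on top of this, so both the policy and the token manager have to agree on which identities are allowed; the point of the manager is that the decision is made on a value that cannot be shared by two certificates, whereas two certificates can carry the same CN.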
