I am writing a web service that uses WSE3.
I want to require that all method calls to the web service have a valid UsernameToken in the SOAP header. Encryption and signing of the messages is not required. (I do not want to use X509 or Kerberos either.)
I have created a custom UsernameTokenManager class and it is configured to validate the credentials in the token.
I have been able to create a usernameToken and attach it to the client proxy successfully, with a valid password, and have the token manager validate it at the other end.
I have also been able to create a usernameToken with a bad password and have the token manager reject it.
However, I can still call the web method without any security token in the SOAP header at all, in other words, anonymously.
I think I must be missing something in the WSE policy on the server end. My policy file looks like this:
<policies xmlns="http://schemas.microsoft.com/wse/2005/06/policy">
  <extensions>
    <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader" type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="AuthenticatedWebservice">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>
How can I ensure that all method calls made to a web service have a validated UsernameToken in the SOAP header?
Mike

Requiring authentication using WSE3 and UsernameToken
Rajesh Choudhary
Well, thankfully I found my mistake.
I did not include the <Policy("myNamedPolicy")> attribute on the web service source file.
This is mentioned in the documentation, but compared to all the other descriptions, this one was easy for me to miss (several times). I kept wondering how a named policy in the .config file would be applied to a particular web service.
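An added example, not code from either poster: a VB.NET service class bound to the named policy from the question's policy file through the Policy attribute, with a fail-closed token check inside the method. The class name, XML namespace and method name are hypothetical.

```vbnet
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports Microsoft.Web.Services3
Imports Microsoft.Web.Services3.Security.Tokens

' The attribute value must match <policy name="AuthenticatedWebservice"> in the
' policy file. Without the attribute, WSE applies no policy to this class and
' requests carrying no security header still reach the web methods.
<WebService(Namespace:="http://example.com/orders")> _
<Policy("AuthenticatedWebservice")> _
Public Class OrderService   ' hypothetical service name
    Inherits WebService

    <WebMethod()> _
    Public Function WhoAmI() As String
        ' Defence in depth: refuse the call if WSE did not attach a
        ' UsernameToken to the request, even if the policy binding is
        ' removed or renamed later.
        Dim ctx As SoapContext = RequestSoapContext.Current
        Dim token As UsernameToken = Nothing
        If ctx IsNot Nothing Then
            token = ctx.Credentials.UltimateReceiver.GetClientToken(Of UsernameToken)()
        End If
        If token Is Nothing Then
            Throw New SoapException("A UsernameToken is required.", _
                                    SoapException.ClientFaultCode)
        End If

        ' The custom UsernameTokenManager has already validated the password
        ' by the time the method body runs.
        Return token.Username
    End Function
End Class
```

A quick regression check is to call the method from a proxy with no token attached and confirm that it now returns a SOAP fault.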