Exam 70-554 - Implement a policy for a Web service application.
Section 1
- Part 3
- Topic 3
- Create a policy file manually.
- Declare the set of policies in a policy file.
- Map policies to SOAP endpoints.
- Configure a policy file in a configuration file.
- Create and enforce a custom policy.
- Create a policy file by using the WseConfigEditor3 tool.
- Set a policy in a client application and in a client computer.
Summary
Policy files define the set of named policies that you can attach to a Web service with the Policy attribute. To create a policy file manually, first register the microsoft.web.services3 section in configSections, as described in the first topic on WSE 3.0. Then, inside the microsoft.web.services3 node, add a policy node whose fileName attribute points to the file in which the policies themselves are defined. Here is an example of that from MSDN:
<configuration>
  <microsoft.web.services3>
    <policy fileName="Policies.config" />
  </microsoft.web.services3>
</configuration>
Once you have a policy file, you need to define its extensions and policies. Each extension registers a security assertion, either one of the out-of-the-box assertions or a custom one, by giving it a name and the assembly-qualified type that implements it; a policy then applies the named assertions to the SOAP messages it governs. The built-in assertions cover several turnkey scenarios, including:
- Anonymous Certificate Security – The client is not authenticated, but an X.509 certificate is used to protect the messages.
- Mutual Certificate 10 Security – X.509 certificates are used to authenticate the client and protect the messages (compatible with WSE 1.0 and 1.1).
- Mutual Certificate 11 Security – X.509 certificates are used to authenticate the client and protect the messages (compatible with WSE 1.1 only).
- Kerberos Security – Uses Kerberos to authenticate the client and protect the messages.
- Require Action Header – Requires the WS-Addressing Action header to be present.
- Require SOAP Header – Requires a specified SOAP header to be present.
- User Name for Certificate Security – Authenticates the user with a UsernameToken but protects the messages with an X.509 certificate.
- User Name over Transport Security – Uses the UsernameToken for authentication only; the messages themselves are not protected (the transport should be secured with SSL when this option is used).
Here is a sample policy file from MSDN:
<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity"
      type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509"
      type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ServicePolicy">
    <usernameForCertificateSecurity
      establishSecurityContext="false"
      renewExpiredSecurityContext="true"
      signatureConfirmation="false"
      protectionOrder="SignBeforeEncrypting"
      deriveKeys="true">
      <serviceToken>
        <x509
          storeLocation="LocalMachine"
          storeName="My"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>
Once you have defined your policies, you attach one to a Web service by applying the Policy attribute to the service class and naming the policy. Here is an example from MSDN of the Policy attribute applied to a Web service class (the WebMethod and closing brace are added here to make the class complete):
using System.Web.Services;
using Microsoft.Web.Services3;

[WebService(Namespace = "http://www.contoso.com/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[Policy("ServicePolicy")]  // every request to this service must satisfy ServicePolicy
public class Service : System.Web.Services.WebService
{
    [WebMethod]
    public string HelloWorld() { return "Hello World"; }
}
To use the WSE Settings 3.0 tool, right-click your project in Solution Explorer and select the WSE configuration tool option from the context menu. This opens a wizard that lets you configure any of the turnkey scenarios that WSE 3.0 supports; its Policy tab creates a policy file for you.
To secure the client with a policy, you must register the microsoft.web.services3 config section in the application's config file, define the microsoft.web.services3 node, and point it at a policy file. Here is an example of doing this from MSDN:
<configuration>
  <configSections>
    <section name="microsoft.web.services3"
      type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <microsoft.web.services3>
    <policy fileName="..\..\wse3policyCache.config" />
  </microsoft.web.services3>
</configuration>
Then create the policy file itself, containing the policy the client should use. To enforce it, call the SetPolicy method of the Web service proxy class you generated to access the service, passing the policy name. The following is an example of calling SetPolicy from MSDN:
proxy.SetPolicy("ClientPolicy");
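The following console client shows SetPolicy in context: it binds the WSE-generated proxy to the client policy, supplies the UsernameToken that the usernameForCertificateSecurity assertion expects, and handles the SOAP fault the service returns when a request does not satisfy its policy. This is an added example, not code from MSDN or from the page; it assumes a proxy class named ServiceWse (the <Name>Wse class that Add Web Reference generates when WSE 3.0 is enabled), an operation named HelloWorld, and a policy named ClientPolicy in the policy file referenced from the client's app.config.

```csharp
using System;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Hypothetical client for the service above. "ServiceWse" and "HelloWorld"
// are assumed names; "ClientPolicy" must exist in the policy file named by
// <policy fileName="..." /> in the client's configuration.
class Program
{
    static void Main()
    {
        ServiceWse proxy = new ServiceWse();

        // Bind the proxy to the named policy. From here on the WSE filters
        // sign and encrypt each request and verify each response exactly as
        // ClientPolicy dictates; a response that fails verification is rejected
        // before it reaches the application.
        proxy.SetPolicy("ClientPolicy");

        // usernameForCertificateSecurity authenticates the caller with a
        // UsernameToken. The password travels encrypted under the service's
        // X.509 certificate, so SendPlainText is acceptable here; read it at
        // run time rather than embedding it in the binary or the config file.
        Console.Write("Password for alice: ");
        string password = Console.ReadLine();
        UsernameToken token = new UsernameToken("alice", password, PasswordOption.SendPlainText);
        proxy.SetClientCredential(token);

        try
        {
            Console.WriteLine(proxy.HelloWorld());
        }
        catch (SoapException ex)
        {
            // A policy violation detected on the service side (missing Action
            // header, bad signature, unknown user) surfaces as a SOAP fault.
            Console.WriteLine("Service rejected the request: " + ex.Message);
        }
    }
}
```

Because the policy is selected by name at run time, the same proxy can be pointed at a different policy (for example a Kerberos one) by changing only the policy file and the string passed to SetPolicy, with no change to the service call itself.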
Other Resources & Links:
How to: Secure a Web Service Using a Policy File
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/61997a78-c671-4b6d-94cc-1172bad549d5.asp
Policy Element
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/61997a78-c671-4b6d-94cc-1172bad549d5.asp
How to: Secure an Application Using a Custom Policy Assertion
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/01fafe6b-1c1d-46cc-944b-c005a9dd8296.asp