Section 1
- Part 3
- Topic 7
Add and verify security credentials.
- Add security credentials to a SOAP message.
- Verify security credentials.
Summary
This was sort of discussed in the section on signing messages.
To add security credentials to a SOAP message, you must create a custom policy assertion that secures SOAP messages. To do this, create classes that inherit from the ReceiveSecurityFilter class and classes that inherit from the SendSecurityFilter class. You need one set of classes for the client and one set for the server. In the SendSecurityFilter classes, override the SecureMessage method and add the token to the security.Tokens collection. The following example from MSDN adds a Kerberos token to the SOAP header:
    public override void SecureMessage(SoapEnvelope envelope, Security security)
    {
        KerberosToken kerbToken = new KerberosToken("host/" + hostname + "@" + domainName);
        // Add the security token.
        security.Tokens.Add(kerbToken);
    }
To verify the credential on the other side, loop through the elements of the Security collection that belongs to the current request's SoapContext (RequestSoapContext.Current). This should typically be handled in its own method and called from every web service method for which you want to verify credentials. An example of this from MSDN is below:
    [WebMethod]
    public string SayHello()
    {
        // Ensure that the request is a SOAP request.
        SoapContext requestContext = RequestSoapContext.Current;
        if (requestContext == null)
            throw new ApplicationException("Only SOAP requests are permitted.");

        // Get the KerberosToken security token that was used to sign the SOAP
        // request.
        KerberosToken token = GetBodySigningToken(requestContext);
        if (token == null || !token.Principal.IsInRole("Tellers"))
            throw new UnauthorizedAccessException();

        return "Hello World";
    }

    public KerberosToken GetBodySigningToken(SoapContext requestContext)
    {
        KerberosToken token = null;
        foreach (ISecurityElement securityElement in requestContext.Security.Elements)
        {
            if (securityElement is MessageSignature)
            {
                MessageSignature sig = (MessageSignature)securityElement;
                if ((sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                {
                    SecurityToken sigToken = sig.SigningToken;
                    if (sigToken is KerberosToken)
                        token = (KerberosToken)sigToken;
                }
            }
        }
        return token;
    }
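The following is an added example, not code from MSDN or from the original notes. It shows how the send and receive filters described above fit into one custom policy assertion, with the client signing the message with the Kerberos token so that the body-signature check on the service side has something to find. The class names, the TargetPrincipal value, and the choice to leave responses unsecured are assumptions, and the policy is assumed to be attached in code rather than loaded from a policy file.

```csharp
using System;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Hypothetical assertion: WSE calls the Create*Filter methods to build the pipeline.
public class KerberosCredentialAssertion : SecurityPolicyAssertion
{
    // Constructed sample principal; replace with the real service principal.
    public string TargetPrincipal = "host/server1@EXAMPLE.COM";
    public override SoapFilter CreateClientOutputFilter(FilterCreationContext context)
    { return new ClientOutputFilter(this); }
    public override SoapFilter CreateServiceInputFilter(FilterCreationContext context)
    { return new ServiceInputFilter(this); }
    // Assumption: responses carry no credentials, so no filters on the return path.
    public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }
}

class ClientOutputFilter : SendSecurityFilter
{
    private readonly string principal;
    public ClientOutputFilter(KerberosCredentialAssertion parent) : base(parent.ServiceActor, true)
    { principal = parent.TargetPrincipal; }
    public override void SecureMessage(SoapEnvelope envelope, Security security)
    {
        KerberosToken token = new KerberosToken(principal);
        security.Tokens.Add(token);
        // Sign with the token: an attached but unused token proves nothing to the receiver.
        security.Elements.Add(new MessageSignature(token));
    }
}

class ServiceInputFilter : ReceiveSecurityFilter
{
    public ServiceInputFilter(KerberosCredentialAssertion parent) : base(parent.ServiceActor, false) { }
    public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
    {
        foreach (ISecurityElement element in security.Elements)
        {
            MessageSignature sig = element as MessageSignature;
            if (sig != null && sig.SigningToken is KerberosToken
                && (sig.SignatureOptions & SignatureOptions.IncludeSoapBody) != 0)
                return; // body is covered by a Kerberos-token signature
        }
        throw new UnauthorizedAccessException("No Kerberos signature over the SOAP body.");
    }
}
```

Role checks such as IsInRole("Tellers") still belong in the web method, as in SayHello above; the input filter only rejects messages whose body was not signed with a Kerberos token.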
Other Resources & Links:
How to: Add Security Credentials to a SOAP Message
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/7f7d76fb-569a-4e31-809d-a993f821e4a7.asp
How to: Authorize the Message Sender Based on a Kerberos Ticket
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/f29c8bcf-e8f9-44ad-add5-03f41223ad4a.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wse3.0/html/5dd294ed-4510-481a-a8f6-857ec72ba6eb.asp