WSSF and WSE 3.0

Topics: General Discussion Forum
May 24, 2007 at 11:15 PM
Edited May 24, 2007 at 11:48 PM
I am using WSSF and although I understand how to implement the project into my existing website, I am unsure how to include WSE 3.0 into the WSSF application. My problem is this: I would like to create a login service that accepts a UsernameToken as a request, but there is no datatype that will allow me to add it in. Are there any tutorials available that show how I can implement WSE 3.0 into the WSSF project? Can WSE 3.0 be integrated into WSSF without much difficulty? Thanks in advance.

Edit: I had read the previous post regarding WSE and X.509 certificates, but I am still unsure as to which method would be most beneficial in my application. In previous projects, I used basic authentication against an SQL db and I have used tokens to authenticate the users, but nothing according to X.509 certificates. Any input would be appreciated.
Developer
May 25, 2007 at 1:13 AM
Edited May 25, 2007 at 1:14 AM
If you implement this security pattern, "Implementing Direct Authentication with UsernameToken in WSE 3.0", it should fit your needs. At the same time you may not need to add any changes to your service interface, since WSE decouples the security concerns from your service implementation, so you may add your authentication and authorization logic from built-in providers or custom providers that you plug into your config file.

Charly
May 25, 2007 at 3:04 PM
Edited May 25, 2007 at 3:04 PM
Charly,

I have read those articles that you have posted, but my concern is how to implement a WSE turnkey security pattern within the software factory. If I were to choose direct authentication with usernametokens, there is no provision to create it within the software factory. I may be overthinking the scenario, but I am unsure how to fit the pattern within the logic of the WSSF.

e.g. A user logs in through the login.aspx page. Upon selecting 'login', a usernametoken is created to perform authorization. That token is sent to the web service to check the user's credentials. How can I send the token to the WSSF if I cannot include the token within a message type nor create a new data type that has the usernametoken as a request/response?

Am I making this more complicated than it really is? Sorry for any confusion; your help is appreciated.
Developer
May 25, 2007 at 5:20 PM
The WSSF includes the Security Guidance package that allows you to secure your service with WCF.
If you have an ASMX web service, the only way is using the guideline provided in the link that I sent you using WSE.
If your client is a web application you can apply the same strategy for securing a "Winform client-web service" scenario.
In this case you will need to configure the web.config of the web application along with your service web.config file and add both policy files to each application as well.
You will also need to add the code in your web app client authentication page that sets the user credentials using the WSE proxy API, so you will fill the username token and send it out to your service.
Let me know if you need any further help or sample.

Charly
May 25, 2007 at 5:54 PM
If I am not mistaken, the WCF Security guidance package uses ASP.NET 3.0. My projects are being developed in 2.0 and I would rather not migrate to 3.0 at this time. If I am incorrect, please provide me with the link where I can download the package and other software requirements. I appreciate your help.

Kal
Developer
May 25, 2007 at 6:35 PM
In your case you should use the ASMX guidance package included in WSSF that targets 2.0. The way to secure your services is to follow the guidance for securing services using WSE (no guidance package here), so hopefully you may solve this using the links and tips that I gave you.

Charly
May 28, 2007 at 6:39 PM
Thanks again for your help, Charly. The more I read into it, the more I realize that I must implement a custom provider. Because I am using my own SQL database that contains the user information and roles, it seems like the best possible solution. Hopefully this post will help others in the same situation.

Kal
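The "custom provider" Kal settles on above, together with the client-side credential code Charly describes (fill the UsernameToken through the WSE proxy API, plug the provider in via web.config), looks roughly like the following. This is an added example, not code from this thread, from WSSF or from the WSE 3.0 samples; the Users table layout, the connection string, the LoginServiceWse proxy, its Login operation and the policy name "usernameClientPolicy" are all assumptions.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web.Services.Protocols;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Security.Tokens;

// Service side. Registered in the service web.config under
// <microsoft.web.services3><security><securityTokenManager>
//   <add type="MyApp.SqlUsernameTokenManager, MyApp" localName="UsernameToken"
//        namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
// Hypothetical table: Users(UserName, PasswordSalt, PasswordHash, Roles).
public class SqlUsernameTokenManager : UsernameTokenManager
{
    const string ConnStr = "Server=.;Database=MyAppDb;Integrated Security=SSPI"; // assumption

    // WSE calls this with the incoming token and compares the string we return with the
    // password the client sent. Because only salted PBKDF2 hashes are stored, the client must
    // send the password in plain text over TLS; we return token.Password only on a hash match.
    protected override string AuthenticateToken(UsernameToken token)
    {
        if (token.PasswordOption != PasswordOption.SendPlainText)
            throw new SoapException("Plain-text UsernameToken over TLS required", SoapException.ClientFaultCode);

        byte[] salt, expected; string roles;
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT PasswordSalt, PasswordHash, Roles FROM Users WHERE UserName = @u", cn))
        {
            cmd.Parameters.AddWithValue("@u", token.Username);   // parameterised: no SQL injection
            cn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) throw new SoapException("Unknown user or bad password", SoapException.ClientFaultCode);
                salt = (byte[])r[0]; expected = (byte[])r[1]; roles = r.GetString(2);
            }
        }
        byte[] actual = new Rfc2898DeriveBytes(token.Password, salt, 10000).GetBytes(expected.Length);
        int diff = 0;                                             // fixed-time comparison
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        if (diff != 0) throw new SoapException("Unknown user or bad password", SoapException.ClientFaultCode);

        // Hand the roles to the service so it can use IsInRole / PrincipalPermission.
        token.Principal = new GenericPrincipal(new GenericIdentity(token.Username), roles.Split(','));
        return token.Password;
    }
}

// Client side (login.aspx code-behind): fill the token through the WSE proxy API.
public static class LoginHelper
{
    public static void Login(string user, string pwd)
    {
        LoginServiceWse proxy = new LoginServiceWse();          // hypothetical WSE-generated proxy
        proxy.SetClientCredential(new UsernameToken(user, pwd, PasswordOption.SendPlainText));
        proxy.SetPolicy("usernameClientPolicy");                  // assertion name in wse3policyCache.config
        proxy.Login();                                            // hypothetical service operation
    }
}
```

The same error message for "no such user" and "wrong password" keeps the service from confirming which usernames exist; the client policy must include a transport (HTTPS) requirement, since the password travels in plain text inside the token.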
May 29, 2007 at 10:24 AM
Kal,

I struggled with exactly the same issues you are now facing. When I finally found a solution I was so happy with it that I said "I must document this and put it on Codeplex". Alas, the idea has not been any more than just that.

Anyway, I know I cannot do anything this week about the documentation, but I'll quickly advise how I sorted it out:

1. Don’t use the WSE Wizard.
2. Read this article about 10 times. I had to read it 20 times <g>, but the answer lies within. The link is http://www.codeproject.com/soap/WSE30UsernameAssertion.asp
3. Now do what the article says: just copy the code as described into your web service.
4. The sample is a Windows form and not a web page, but the logic is still the same.

You'll have to give me a clue on how your web pages are calling your web service (i.e. sync, async) and perhaps I can then give you a few clues on the web side.

Good Luck!

Developer
May 29, 2007 at 6:01 PM
Thanks Allan.
This approach seems to be quite flexible, but at the same time a bit more involved than the provider (plug-in) approach that I pointed out in my first post in this thread.
So I would choose the simplest approach that will satisfy your requirements regardless of any additional extensibility features that may not be required for the current scenario.
Aug 9, 2007 at 2:53 AM
Some time has gone by since we had this discussion but I thought I would bring it to the table again because I am in the process of implementing a WCF service. So I thought I better ask “if there is a better way”?

The WCF documentation includes a section on how to secure your WCF Service using direct authentication. This documentation provides a solution like Charly suggests.

I need clarification on the following.

X.509 certificates scare the pants off me. When I read up about them I only get more confused. The instructions on how to create "TEST" certificates are clear enough and easy to follow. My perception of X.509 is that I will have issues when my project is finished and goes live. When this happens, where do the certificates come from and how many do you need? Who is this certificate authority they talk about? What is the cost to the end user?

The solutions that Charly is promoting require the X.509 certificate, so clarification on the above would be advantageous.

I know everyone's scenario is different, but my solution involves the Service sitting on a server out in cyberland and not in-house. The client also can be anywhere on the planet.

Do I need X.509?

__Allan
Developer
Aug 20, 2007 at 2:21 AM
Allan,

From what you describe, X509 is one of several options that you have when implementing Direct Authentication. For example, if you don't want to distribute X509 certificates to all your clients and manage a PKI infrastructure, then you may choose Windows authentication or SQL (custom provider) to handle your authentication (aka user credential identity validation).
You may also want to take a look at Windows CardSpace http://msdn2.microsoft.com/en-us/library/aa480189.aspx and see how you can secure your services with it http://msdn.microsoft.com/msdnmag/issues/07/04/identity/