Automating Security with Policies in Web Services - Requiring Security Features with a Policy (Page 2 of 4 ) You can write a policy that requires certain security features. In this step, you're going to write a policy that requires security tokens, signatures, and encryption without having to write any code (like you did before). You're going to create the policy using the WSE Security Settings Tool.
- Right click on the PolicyInvoiceService project in Solution Explorer and select WSE Settings 2.0. This will open the WSE 2.0 settings tool.
- On the General tab, verify that both check boxes are checked to enable WSE 2.0.
- Go to the Policy tab and click Enable Policy.
- In the Edit Application Policy section, click Add.
- In the Add or Modify Endpoint URI dialog box, enter the following URL: http://localhost/PolicyInvoiceService/ ViewInvoices.asmx.
Note: this specifies the endpoint that you're going to describe with the policy you're creating. Make sure you get the case right as the current implementation is case sensitive.
- Press OK to close the dialog. This should launch the WSE Security Settings Tool:
- Press Next and select Secure a service application.
- Press Next and ensure that Requires signatures and Requires encryption are checked for both the request and response messages.
- Press Next and select Username for the client token type.
- Press Next and in the Allowed User or Role section, press Add Role. In the Add Role Name dialog, enter CLIENT1\User. Press OK to close the dialog.
- Press Next and in the Choose X.509 Certificate section, press Select Certificate. In the Select Certificate dialog, select the WSE2QuickStartServer certificate.
- Press OK to close the Select Certificate dialog, press Next, and Finish the wizard.
Note: the wizard creates a policy that requires the following: a UsernameToken, a signature based on a DerivedKeyToken (based on the UsernameToken), and an encrypted body (where the encryption should be performed using the WSE2QuickStartServer certificate). It also specifies that the authenticated UsernameToken must belong to the
MACHINE_NAME\User role in order to authorize access.
- Repeat these steps to create a policy for each of the .asmx endpoints in the PolicyInvoiceService project (SubmitInvoice.asmx, ApproveInvoice.asmx, and PayInvoice.asmx). You should choose the same settings described above. The only difference will be the URL you enter after pressing Add to launch the wizard.
- Go to the Security tab and click to select Allow test roots, click Yes to confirm test roots, and verify that the Store location box contains Local Machine.
- Press OK to close to the WSE Settings Tool.
Note: the tool made various changes to the project's web.config file and added a new file named policyCache.config.
- In Solution Explorer, verify that policyCache.config is now found in the PolicyInvoiceService project. This file was added by the WSE Settings Tool. It contains the policy statements you defined by running the wizard.
- Open policyCache.config and take a look at the XML representation of the policy statements.
- Open Web.config in the PolicyInvoiceService project. Notice the new entries in the microsoft.web.services2 section:
...
<microsoft.web.services2>
...
<security>
<x509 allowTestRoot="true" verifyTrust="true"
storeLocation= "LocalMachine" />
</security>
<policy>
<cache name"C:\HOLDEVL34\ = "policyCache.config" />
</policy>
</microsoft.web.services2>
...
Note: the x509 element tells the WSE 2.0 infrastructure which certificate store to use and that test certificate authorities are OK. The policy element specifies which policy file to use for this application.
- Build the solution.
- Run PolicyInvoiceClient and test invoking an operation. At this point, you should get an error indicating: The message does not conform to the policy it was mapped to. This is because the service now requires various security features that the client isn't currently sending in the messages. Now the client needs a policy to figure out what to send.
- Click OK.
- Close the Invoice Manager application.
|
/ 3 
