| Automating Security with Policies in Web Services - Adding Security Features with a Policy on the Client
(Page 3 of 4 )
You can write a policy that adds security features to messages before they're sent. In this step, you're going to write a policy that adds security tokens, signatures, and encryption to messages without having to write any code (like you did before). You're going to create the policy using the WSE Security Settings Tool.
- Right click on the PolicyInvoiceClient project in Solution Explorer and select WSE Settings 2.0. This will open the WSE Settings Tool.
- On the General tab, verify that WSE 2.0 is enabled.
- Go to the Policy tab and click Enable Policy.
- In the Edit Application Policy section, click Add.
- In the Add or Rename Endpoint URI dialog box, leave <DefaultEndpoint>.
Note: this specifies that the policy you're about to create applies to all endpoints used by this application.
- Press OK to close the dialog. This should launch the WSE Security Settings Tool.
- Press Next and select Secure a client application.
- Press Next and ensure that Requires signatures and Requires encryption are checked for both the request and response messages.
- Press Next and select Username for the client token type.
- Press Next again (you don't need to specify a role here).
- Press Next and in the Trusted Certificates section, press Add. In the Select Certificate dialog, select the WSE2QuickStartServer certificate.
- Press OK to close the Select Certificate dialog, press Next, and Finish the wizard.
Note: the wizard creates a policy that tells the client application to: send a UsernameToken, sign the message with a DerivedKeyToken (based on the UsernameToken), and encrypt the body with the WSE2QuickStartServer certificate.
- Go to the Security tab and click to select Allow test roots, and click Yes to confirm.
- In the Store location box, select Current User.
- Press OK to close to the WSE Settings Tool.
Note:the tool made various changes to the project's app.config file and added a new file named policyCache.config.
- In Solution Explorer, verify that policyCache.config is now found in the PolicyInvoiceClient project. This file was added by the WSE Settings Tool. It contains the policy statement you defined by running the wizard.
- Open InvoiceManagerForm.vb and import the following namespace:
...
Imports Microsoft.Web.Services2. Security.Policy
...
- When you run the client application with the policy in place, WSE will look for a UsernameToken that it can use in the message. You must supply WSE with this token ahead of time by adding it to a global token cache. Open InvoiceManagerForm.vb and update ConfigureProxy to look like this:
...
Private Sub ConfigureProxy(ByVal proxy As _
WebServicesClientProtocol) PolicyEnforcementSecurity TokenCache.GlobalCache. Clear()
PolicyEnforcementSecurity TokenCache.GlobalCache.Add
(
login.Token)
End Sub 'ConfigureProxy
...
- Build the solution.
- Run PolicyInvoiceClient and test invoking an operation. Verify that everything works.
- Close the application.
- Open OutputTrace.webinfo in the PolicyInvoiceClient output directory (bin). Notice that WSE automatically adds the UsernameToken, signs the message with a DerivedKeyToken, and encrypts the body of the SOAP message with the WSE2QuickStartServer certificate. The messages now conform to the requirements of the service (as specified by the server-side policy).
When you inspect the traced message, you'll notice that the UsernameToken contains a plain text password that is not encrypted on the way out.
Next: Adjusting Policy Details (Encrypting a usernameToken) >>
More Visual Basic.NET Articles
More By MSDN Virtual Labs
|
/ 3 
