Securing Web Services with X.509 Certificates - Encrypting a UsernameToken with a Certificate

(Page 4 of 4 )

In the last step, you wrote code to encrypt the body of the SOAP message. You may also wish to encrypt headers on an individual basis. For example, one header that you may wish to encrypt is the UsernameToken header, especially when including the plain text password in the header. Doing this would allow you to leverage Windows authentication without having to write a custom UsernameToken manager or send the messages over HTTPS.

You'll continue working in SecureInvoiceB.sln for this step.

1. Open InvoiceManagerForm.vb in the SecureInvoiceClient project. 
   
2. Return to the ConfigureProxy method in InvoiceManagerForm.vb. You're going to add code to this method to encrypt the UsernameToken header in the message.
   
3. At the end of the method, instantiate another EncryptedData element based on the serverToken (like in the last step) but this time you need to specify the reference id of the UsernameToken header as the second parameter to the constructor. Then, add this new EncryptedData element to the proxy's RequestSoapContext.Security. Elements collection as illustrated here:
   
   ... ' ConfigureProxy
   ' Encrypt the body proxy.RequestSoapContext. Security.Elements.Add( _
      new EncryptedData(serverToken))
   
   proxy.RequestSoapContext. Security.Elements.Add(
      new EncryptedData(serverToken,
   string.Format("#{0}",
         login.Token.Id)))
   
   
4. Open login.vb in the SecureInvoiceClient project, navigate to the button1_Click method, and change the password option to PasswordOption.SendPlainText when instantiating the UsernameToken. 
   
5. Open web.config in the SecureInvoiceServiceB project and comment out the <securityTokenManager> element in configuration/microsoft.web.services2  /security. Doing this will disable the custom UsernameToken manager that you've been using.
   
   ...  
     <microsoft.web.services2>
       ...
       <security>
         <!--<securityTokenManager type="SecureInvoiceServiceB. MyUsernameTokenManager, SecureInvoiceServiceB-
   
   After" xmlns:wsse="http://dovb. oasis-
   
   open.org/wss/2004/01/oasis-200401-wss-wssecurity-
   
   secext-1.0.xsd" qname="wsse:UsernameToken" />-->
       <x509 storeLocation="LocalMachine" allowTestRoot="true" allowRevocationUrlRetrieval= "false" verifyTrust="true" /> 
       </security>  
    </microsoft.web.services2>
   ...
   
   Note: Now that you've disabled the custom UsernameToken manager, you'll have to provide the passwords that you setup for the local user accounts when logging in. The password “password” will no longer work.
   
   
6. Build the solution and run the client application. Make sure you specify the credentials for the local user accounts (instead of those required by the custom UsernameToken manager) when logging in. Verify that it everything works. 
   
7. Close the application. 
   
8. Refresh and view the OutputTrace.webinfo file. Notice that the body of the SOAP message is encrypted as well as the UsernameToken header. You should not be able to read the password, which was originally sent in plain text.
   
9. Click File | Close Solution.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Securing Web Services with X.509 Certificates

· We hope you found this exercise from MSDN Virtual Labs to be educational and...   >>> Post your comment now!