Web Services Enhancements 2.0: Security and Policy (VB.NET) - Requiring a UsernameToken (Page 4 of 7)

You can require clients to supply a security token by adding some code to your WebMethods.

- Open WseSecurityHelpers.vb and add the following namespaces to the top of the file:

```vbnet
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens
```
- Open WseSecurityHelpers.vb in the SecureInvoiceServiceA project and locate the WseSecurityHelpers class. Add a single method to the class named GetUsernameToken that looks like this:

```vbnet
' WseSecurityHelpers.vb
Public Class WseSecurityHelpers
    Public Shared Function GetUsernameToken(ByVal context As SoapContext) As UsernameToken
    End Function
End Class
```
- In GetUsernameToken, verify that context is not null and that it contains a UsernameToken object, which is then returned. Here's an example of how you can accomplish this:

```vbnet
' WseSecurityHelpers.vb
Imports System.Web.Services.Protocols   ' SoapException
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens

Public Class WseSecurityHelpers
    Public Shared Function GetUsernameToken(ByVal context _
        As SoapContext) As UsernameToken
        ' A null context means the call did not arrive as a SOAP message.
        If context Is Nothing Then
            Throw New Exception("Only SOAP requests are permitted.")
        End If
        If context.Security.Tokens.Count = 0 Then
            Throw New SoapException("Missing security token", _
                SoapException.ClientFaultCode)
        Else
            ' Return the first token that actually is a UsernameToken;
            ' other token types in the header are skipped rather than cast.
            Dim tok As SecurityToken
            For Each tok In context.Security.Tokens
                If TypeOf tok Is UsernameToken Then
                    Return DirectCast(tok, UsernameToken)
                End If
            Next tok
            Throw New Exception("UsernameToken not supplied")
        End If
    End Function 'GetUsernameToken
End Class
```
- Open ViewInvoices.asmx.vb in code view and add the following namespaces to the top of the file:

```vbnet
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security
Imports Microsoft.Web.Services2.Security.Tokens
```
- Within ViewInvoices.asmx.vb, update the View method to call GetUsernameToken before doing anything else:

```vbnet
' ViewInvoices.asmx.vb
<WebService([Namespace]:="http://example.org/invoices")> _
Public Class ViewInvoices
    Inherits WebService

    <WebMethod()> _
    Public Function View() As DataSet
        ' Reject the request up front if no UsernameToken is present.
        WseSecurityHelpers.GetUsernameToken( _
            RequestSoapContext.Current)
        ' ... remainder of method as before
    End Function
End Class
```
- Repeat the last two steps and make the same changes to the following files: SubmitInvoice.asmx.vb, ApproveInvoice.asmx.vb, and PayInvoice.asmx.vb.
- Build SecureInvoiceServiceA.
- Run the client and try invoking View again. View should fail now, since the client still isn't sending a UsernameToken in the request.
- Return to InvoiceManagerForm.vb and update all of the button handlers to call ConfigureProxy before invoking the operation (like you did earlier for Approve).
Note that the call to ConfigureProxy for the View operation will be placed in the ViewInvoices() method.
- Build SecureInvoiceClient.
- Run the client again and verify that you must provide a valid user account before you can invoke any of the operations.
Note: in addition to requiring UsernameTokens, you can also programmatically require signature and encryption elements using similar techniques.
Authorization

At this point, SecureInvoiceServiceA is performing (and requiring) message authentication, but it isn't distinguishing between different users and what they're authorized to do. Authorizing messages based on the supplied token is made possible by the token's Principal property. WSE 2.0 populates Principal with the Windows account information mapped to the supplied token.
- Within each WebMethod add a call to Principal.IsInRole to verify that the authenticated user is in the appropriate group for the given operation.
- The following code illustrates how to check for the Accounting group before executing Pay in PayInvoice.asmx.vb in the SecureInvoiceServiceA project:

```vbnet
' PayInvoice.asmx.vb
Imports System.Net   ' Dns.GetHostName

<WebService([Namespace]:="http://example.org/invoices")> _
Public Class PayInvoice
    Inherits WebService

    <WebMethod()> _
    Public Sub Pay(ByVal id As String)
        Dim tok As UsernameToken = _
            WseSecurityHelpers.GetUsernameToken( _
                RequestSoapContext.Current)
        ' Local Windows groups are addressed as MACHINE\Group,
        ' so the host name is prepended to the group name.
        If Not tok.Principal.IsInRole( _
            String.Format("{0}\Accounting", Dns.GetHostName())) Then
            Throw New Exception("access denied")
        End If
        InvoiceManager.Pay(id)
    End Sub 'Pay
End Class 'PayInvoice
```
- Repeat this for each WebMethod specifying the appropriate group (as outlined earlier).
- Build SecureInvoiceServiceA.
- Run the client again and verify that vick can submit invoices, mike can approve invoices, aaron can pay invoices, and admin can do everything. Try to do something that isn't allowed for the current user and verify that you get "access denied".
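As an added example (not code from the original lab), the following helper folds the token lookup and the Principal.IsInRole check into a single call, so each WebMethod names only the group it requires and every failure is reported as a client fault instead of a generic server exception. The class name WseAuthorizationHelpers and the method names are my own; local groups are assumed to be addressed as MACHINE\Group, as in the Pay example above.

```vbnet
' Added example: reusable authorization helper for the SecureInvoiceServiceA
' WebMethods (hypothetical class, not part of the lab's code).
Imports System
Imports System.Net
Imports System.Web.Services.Protocols
Imports Microsoft.Web.Services2
Imports Microsoft.Web.Services2.Security.Tokens

Public Class WseAuthorizationHelpers

    ' Returns the request's UsernameToken, or raises a client fault.
    Public Shared Function RequireUsernameToken( _
        ByVal context As SoapContext) As UsernameToken
        If context Is Nothing Then
            Throw New SoapException("Only SOAP requests are permitted.", _
                SoapException.ClientFaultCode)
        End If
        ' Skip any non-UsernameToken entries instead of casting blindly.
        Dim tok As SecurityToken
        For Each tok In context.Security.Tokens
            If TypeOf tok Is UsernameToken Then
                Return DirectCast(tok, UsernameToken)
            End If
        Next tok
        Throw New SoapException("UsernameToken not supplied", _
            SoapException.ClientFaultCode)
    End Function

    ' Raises a client fault unless the authenticated user is a member of
    ' the named local group (assumed MACHINE\Group naming).
    Public Shared Function RequireRole(ByVal context As SoapContext, _
        ByVal groupName As String) As UsernameToken
        Dim tok As UsernameToken = RequireUsernameToken(context)
        Dim qualifiedRole As String = _
            String.Format("{0}\{1}", Dns.GetHostName(), groupName)
        ' Principal is Nothing when the token was never authenticated.
        If tok.Principal Is Nothing OrElse _
           Not tok.Principal.IsInRole(qualifiedRole) Then
            Throw New SoapException("access denied", _
                SoapException.ClientFaultCode)
        End If
        Return tok
    End Function
End Class

' Usage inside PayInvoice.Pay (replaces the inline IsInRole check):
'   WseAuthorizationHelpers.RequireRole(RequestSoapContext.Current, "Accounting")
'   InvoiceManager.Pay(id)
```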