Web Services Enhancements 2.0: Security and Policy (VB.NET) - Implementing a UsernameTokenManager (Page 5 of 7 ) In the previous examples, WSE 2.0 was able to automatically authenticate the supplied UsernameToken against local Windows accounts. WSE 2.0 can only do this when the password is sent in plain text (using PasswordOption.SendPlainText). This is not the most common approach in practice because of the obvious security risks. You should only send passwords in plain text when you're sending messages over a secure channel (e.g., HTTPS) or when you're simply not concerned about confidentiality in the application environment. Another approach is to send a hashed password (using PasswordOption.SendHashed) or no password at all. This technique requires you to implement a class that assists in the UsernameToken authentication process. In this step, you're going to write a custom UsernameTokenManager-derived class.
- Open WseSecurityHelpers.vb and define a new class named MyUsernameTokenManager. It should derive from UsernameTokenManager.
- Override the AuthenticateToken method as illustrated here:
...
Public Class MyUsernameTokenManager
Inherits UsernameTokenManager
Protected Overrides Function AuthenticateToken(ByVal token _
As UsernameToken) As String
...
End Function
End Class ...
Note: you can use Visual Studio.NET's Class View to automatically override the method. Navigate to the AuthenticateToken method, right click, and select Add | Override.
- Within AuthenticateToken, you can inspect the supplied token to perform authentication. You must return the password for the supplied token, which WSE 2.0 will check against what was supplied in the message. For this example, simply return "password" for all tokens. You'll now need to provide "password" as the password when running the client application.
Note: You would typically look up the password in a database or some other password store (e.g., an XML file).
- In addition, you need to manually set the token's Principal property. Do this by creating a new GenericPrincipal object and assign it to all of the roles that the supplied user belongs to (according to what we defined earlier). Here's an example of AuthenticateToken:
...
Public Class MyUsernameTokenManager
Inherits UsernameTokenManager
Protected Overrides Function
AuthenticateToken(ByVal token _
As UsernameToken) As String
Dim roles As New ArrayList()
Select Case token.Username
Case "admin"
roles.Add(String.Format("{0}User",
Dns.GetHostName()))
roles.Add(String.Format("{0}Vendor",
Dns.GetHostName()))
roles.Add(String.Format("{0}Manager", _
Dns.GetHostName()))
roles.Add(String.Format("{0}Accounting",
Dns.GetHostName()))
token.Principal = New
GenericPrincipal(
New GenericIdentity(token.Username),
roles.ToArray(GetType(String)))
Case "aaron"
roles.Add(String.Format("{0}User",
Dns.GetHostName()))
roles.Add(String.Format("{0}Accounting", _
Dns.GetHostName()))
token.Principal = New
GenericPrincipal( _
New GenericIdentity(token.Username),
roles.ToArray(GetType(String)))
Case "mike"
roles.Add(String.Format("{0}User",
Dns.GetHostName()))
roles.Add(String.Format("{0}Manager",
Dns.GetHostName()))
token.Principal = New
GenericPrincipal(
New GenericIdentity(token.Username), _
roles.ToArray(GetType(String)))
Case "vick"
roles.Add(String.Format("{0}User",
Dns.GetHostName()))
roles.Add(String.Format("{0}Vendor",
Dns.GetHostName()))
token.Principal = New
GenericPrincipal(
New GenericIdentity(token.Username),
roles.ToArray(GetType(String)))
Case Else
MyBase.Authenticate
Token(token)
End Select
Return "password"
End Function 'AuthenticateToken
End Class 'MyUsernameTokenManager
....
- To use this UsernameTokenManager, you need to configure it in the project's Web.config file. The easiest way to accomplish this is to open the WSE Settings 2.0 tool.
- Right-click on the SecureInvoiceServiceA project and click WSE Settings 2.0….
- Click the Security tab.
- Click Add in the Security Tokens Managers section. The SecurityToken Manager dialog will then open.
- In the Type field, type SecureInvoiceServiceA. MyUsernameTokenManager, SecureInvoiceServiceA.
- In the Namespace field, enter http://docs.oasis-
open.org/wss/2004/01/oasis-200401-wss-
wssecurity-secext-1.0.xsd.
- In the QName field, enter wsse:UsernameToken.
- Click OK.
- Click OK.
- Open the project's web.config file and confirm that it contains the following sections:
<configuration>
...
<configSections>
<section name="microsoft.web.services2" type="Microsoft.Web.Services2.
Configuration.WebServices Configuration, Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
/>
</configSections>
<microsoft.web.services2>
<security>
<securityTokenManager type="SecureInvoiceServiceA.My
UsernameTokenManager, SecureInvoiceServiceA" xmlns:wsse="http://dovb.oasis-
open.org/wss/2004/01/oasis-200401-wss-wssecurity
-secext-1.0.xsd" qname="wsse:UsernameToken" />
</security>
</microsoft.web.services2>
...
- Build SecureInvoiceServiceA.
- Run the client again and verify that the security functionality has remained the same, even with our custom UsernameTokenManager class.
Note: the client application is still sending the password in plain text at this point.
- In the Solution Explorer, in the SecureInvoiceClient project, right-click login.vb and click View Code.
- In the button1_Click method, replace PasswordOption.SendPlainText with PasswordOption.SendHashed.
- Rebuild the project and test. Verify that everything still works as before.
Next: Signing with a UsernameToken >>
More Visual Basic.NET Articles
More By MSDN Virtual Labs |
/ 4 
