Web Services Enhancements 2.0: Security and Policy (VB.NET)
By: MSDN Virtual Labs
    2006-07-13

    Table of Contents:
  • Web Services Enhancements 2.0: Security and Policy (VB.NET)
  • Creating User Accounts and Groups
  • Sending a UsernameToken
  • Requiring a UsernameToken
  • Implementing a UsernameTokenManager
  • Signing with a UsernameToken
  • Encrypting with a UsernameToken


    Web Services Enhancements 2.0: Security and Policy (VB.NET) - Signing with a UsernameToken


    (Page 6 of 7 )

    In addition to security token authentication, it may also be desirable to sign the message in order to achieve integrity (prevent tampering). In this step, you'll add code to sign the SOAP messages with a DerivedKeyToken, based on the UsernameToken you're already using.

    1. Return to InvoiceManagerForm.vb in the SecureInvoiceClient project.
       
    2. Return to the ConfigureProxy method you wrote earlier and instantiate a DerivedKeyToken supplying the UsernameToken to the constructor. 

    3. Add the DerivedKeyToken to the Tokens collection of the proxy's RequestSoapContext.

    4. Instantiate a MessageSignature object, based on the new DerivedKeyToken and add this to the Elements collection of the proxy's RequestSoapContext.

    5. Your ConfigureProxy method should look something like this now:

      ...
      Private Sub ConfigureProxy(ByVal proxy As WebServicesClientProtocol)
         ' Send the UsernameToken obtained from the login form
         proxy.RequestSoapContext.Security.Tokens.Add(login.Token)

         ' Derive a key from the UsernameToken and sign the message with it
         Dim dk As New DerivedKeyToken(login.Token)
         proxy.RequestSoapContext.Security.Tokens.Add(dk)
         proxy.RequestSoapContext.Security.Elements.Add( _
            New MessageSignature(dk))
      End Sub 'ConfigureProxy
      ...


    6. Build and run SecureInvoiceClient. Verify that everything still works as before.

    7. Return to Windows Explorer and open the output trace file C:Microsoft Hands-on-LabDEV-HOL34VBExercisesAbeforeSecureInvoiceClientbinOutputTrace.webinfo and notice that the last SOAP request was signed using the provided UsernameToken.

    8. Close OutputTrace.webinfo.

    9. Since the message is signed with a UsernameToken, the signature itself can be used as proof of possession, thereby removing the need to send a password altogether. Return to login.vb and, in the button1_Click method, change the password option from PasswordOption.SendHashed to PasswordOption.SendNone.

    10. Build, run, test, and verify that everything still works.

    Requiring a Signature

    The only problem with this situation is that the WebMethods don't currently require a signature. If the user provides neither a signature nor a password, the infrastructure will let the request through. Try commenting out the line of code that adds the signature and rerun the client application. Provide a bad password and verify that the request still works. You'll have to add code to each WebMethod to require a signature, like you did before for UsernameTokens.

    1. Open WseSecurityHelpers.vb in the SecureInvoiceServiceA project.

    2. Add a new method to the WseSecurityHelpers class named CheckForSignature. It should take a SoapContext as input and return void as illustrated here:

      ...
      Public Shared Sub CheckForSignature(ByVal context As SoapContext)
      End Sub
      ...
       

    3. Within the method, write code to check the SoapContext for a MessageSignature object. It will be found in the SoapContext.Security.Elements collection if present. If a signature is not present, throw a SoapException indicating "missing signature".

      ...
      ' Needs Imports for Microsoft.Web.Services2, Microsoft.Web.Services2.Security
      ' and System.Web.Services.Protocols (SoapException).
      Public Shared Sub CheckForSignature(ByVal context As SoapContext)
         If context Is Nothing Then
            Throw New Exception("Only SOAP requests are permitted.")
         End If
         ' No security elements at all means there cannot be a signature
         If context.Security.Elements.Count = 0 Then
            Throw New SoapException("Missing signature", _
               SoapException.ClientFaultCode)
         End If
         ' Look for a MessageSignature among the security elements
         Dim foundSignature As Boolean = False
         Dim se As ISecurityElement
         For Each se In context.Security.Elements
            If TypeOf se Is MessageSignature Then
               foundSignature = True
            End If
         Next se
         If Not foundSignature Then
            Throw New SoapException("Missing signature", _
               SoapException.ClientFaultCode)
         End If
      End Sub 'CheckForSignature
      ...

    4. At the beginning of the GetUsernameToken method in the same class, add a call to this new method. Since all of the WebMethods currently call GetUsernameToken, we know this method will also be called.

           Public Shared Function GetUsernameToken(ByVal context _
              As SoapContext) As UsernameToken 
        
      CheckForSignature(context)
       

    5. Build the project and test invoking the client without a signature. Verify that you get the "missing signature" exception. Test invoking the client with a signature, and without providing a password (PasswordOption.SendNone), and verify that it works.
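
    Step 9 of the signing procedure relies on the signature proving knowledge of the password, and CheckForSignature relies on the server refusing unsigned requests. The following added example (not part of the original lab, and not WSE's actual key-derivation algorithm) models both ideas with plain .NET HMAC calls; the module name, the derivation scheme and all sample values are constructed for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added illustration: a simplified model, not WSE's own key derivation.
Module ProofOfPossessionDemo

    ' Both sides derive the signing key from the shared password plus the
    ' nonce and creation time carried in the token (constructed scheme).
    Function DeriveKey(ByVal password As String, ByVal nonce As String, ByVal created As String) As Byte()
        Using h As New HMACSHA1(Encoding.UTF8.GetBytes(password))
            Return h.ComputeHash(Encoding.UTF8.GetBytes(nonce & created))
        End Using
    End Function

    ' Client side: sign the message body with the derived key.
    Function Sign(ByVal key As Byte(), ByVal body As String) As Byte()
        Using h As New HMACSHA1(key)
            Return h.ComputeHash(Encoding.UTF8.GetBytes(body))
        End Using
    End Function

    ' Server side: refuse a missing signature, then recompute and compare.
    Function Verify(ByVal storedPassword As String, ByVal nonce As String, _
                    ByVal created As String, ByVal body As String, ByVal signature As Byte()) As Boolean
        If signature Is Nothing Then Return False   ' the "missing signature" case
        Dim expected As Byte() = Sign(DeriveKey(storedPassword, nonce, created), body)
        If expected.Length <> signature.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To expected.Length - 1
            diff = diff Or (expected(i) Xor signature(i))   ' no early exit on mismatch
        Next
        Return diff = 0
    End Function

    Sub Main()
        ' Constructed sample values; no password ever travels with the message.
        Dim nonce As String = "bm9uY2UtMDAwMQ=="
        Dim created As String = "2006-07-13T12:00:00Z"
        Dim body As String = "<GetInvoice><id>42</id></GetInvoice>"
        Dim sig As Byte() = Sign(DeriveKey("P@ssw0rd", nonce, created), body)
        Dim badSig As Byte() = Sign(DeriveKey("guess", nonce, created), body)

        Console.WriteLine("correct password: " & Verify("P@ssw0rd", nonce, created, body, sig))
        Console.WriteLine("tampered body:    " & Verify("P@ssw0rd", nonce, created, body.Replace("42", "43"), sig))
        Console.WriteLine("wrong password:   " & Verify("P@ssw0rd", nonce, created, body, badSig))
        Console.WriteLine("no signature:     " & Verify("P@ssw0rd", nonce, created, body, Nothing))
    End Sub
End Module
```

    Only the first call is accepted: the server never sees the password, yet a wrong password, a modified body, or an absent signature all fail the same check.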

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 1 hosted by Hostway