Web Services Enhancements 2.0: Security and Policy (VB.NET) - Encrypting with a UsernameToken

(Page 7 of 7 )

In addition to authentication and signatures, you may also wish to encrypt the message in order to ensure confidentiality (and prevent eavesdropping). In this step, you'll add code to encrypt the SOAP messages with the UsernameToken you're already using.

Note: encrypting messages with a UsernameToken is not very secure. You would typically use a binary security token (e.g., X.509 certificate) to perform the encryption. We'll cover this approach later. 

1. Open InvoiceManagerForm.vb in the SecureInvoiceClient project.
   
2. Return to the ConfigureProxy method you wrote earlier and add an EncryptedData object, based on the UsernameToken, to the proxy. 
   
3. Your ConfigureProxy method should look something like this now:
   
   ...
   Private Sub ConfigureProxy(ByVal proxy As _  
     WebServicesClientProtocol) proxy.RequestSoapContext.
   Security.Tokens.Add(login.
   Token)
      Dim dk As New DerivedKeyToken(login.Token)  
      proxy.RequestSoapContext.
   Security.Tokens.Add(dk)  
      proxy.RequestSoapContext.
   Security.Elements.Add(
   _
         New MessageSignature(dk)) 
      proxy.RequestSoap Context.
   Security.Elements.Add(
         New EncryptedData(dk)) End Sub 'ConfigureProxy
   ... 
   
4. Build and run SecureInvoiceClient. Verify that everything still works as before.
   
5. Open the output trace file (OutputTrace.webinfo) in the application directory (SecureInvoiceClientbin) and notice that the last SOAP request was both signed and encrypted using the UsernameToken information.
   
6. Close OutputTrace.webinfo.
   
   Note: the message should look much different at this point, and you shouldn't be able to read the contents of the body since it's now encrypted.

Requiring Encryption

At this point, the service does not require encryption. If you invoke an operation without providing an EncryptedData element, it still works. In this step, you'll write code to require encryption. 

1. Open WseSecurityHelpers.vb in the SecureInvoiceServiceA project.
   
2. Add a new method to the WseSecurityHelpers class named CheckForEncryption. It should take a SoapContext as input and return void as illustrated here:
   
   ...
   Public Shared Sub CheckForEncryption(ByVal context
   As SoapContext)
      ...
   End Sub
   ...
   
3. Within the method, write code to check the SoapContext for an EncryptedData object. It will be found in the SoapContext.Security.Elements collection if present. If it's not present, throw a SoapException indicating "encryption required".
   
    ...
   Public Shared Sub CheckForEncryption(ByVal context
   As SoapContext)
      If context Is Nothing Then
         Throw New Exception("Only SOAP requests are permitted.")
      End If
      If context.Security.Elements. Count = 0 Then
   Throw New SoapException("Encryption
   required", _  
      SoapException.ClientFault Code)
      End If
      Dim foundEncryption As Boolean = False
      Dim se As ISecurityElement
      For Each se In context.Security.Elements
         If TypeOf se Is EncryptedData Then 
            foundEncryption = True
         End If
      Next se
      If Not foundEncryption Then
         Throw New SoapException("Encryption required",   
           SoapException.Client Fault Code)
      End If
   End Sub
   ... 
   
4. Modify the GetUsernameToken method in the same class to call this new method. Since all of the WebMethod's currently call GetUsernameToken, we know this method will also be called.
   
         Public Shared Function GetUsernameToken(ByVal context _
          As SoapContext) As UsernameToken 
      CheckForSignature(context)
      CheckForEncryption(context)
   … 
   
5. Build the project and test invoking the client ensuring that it works as before.
   
6. Close the Invoice Manager application. 
   
7. Click File | Close Solution.

Please check back next week for the continuation of this article.

DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.

Comments On: Web Services Enhancements 2.0: Security and Policy (VB.NET)

· This lab is excerpted from a larger document titled "Web Services Enhancement 2.0:...    · I wonder that where I can find SecureInvoiceA.sln you mentioned in Web Services...    · Please check our link to the Microsoft Virtual Labs website, ...    · i havent got the SecureInvoiceA.sln...i checked in the link u provided...can u...    · Microsoft must have moved a few things around -- try this:...    · Web Services Enhancements 2.0: Security and Policy (VB.NET), The reason for going...    · Can you specify the location of SecureInvoiceClient project.Urgent reply soon   >>> Post your comment now!