Following the Security Review for WSE 2.0, we have added a new feature that makes all services, both ASMX and SoapService, capable of using Secure Conversation automatically.
In the configuration file, you enable automatic Secure Conversation. Thereafter, all services in your application respond to a request to issue a SecurityContextToken (SCT), including ASMX-based services. This behaviour is enabled directly in SoapService and the WebServicesExtension classes and uses the SecurityContextTokenService class to handle the RST / RSTR messages. With additional configuration, or method overrides for SoapServices, you can utilize your own token issuer instead of the built-in one.
Also as a result of the security review, the default behaviour of the SecurityTokenService class is very strict: it requires signed and encrypted requests and signs and encrypts responses. The SecurityTokenServiceClient also has stricter rules to ensure that the tokens used across RST and RSTR match and thus provides a further element of mutual authentication. Both the client and service classes were also modified to provide a consistent framework of protected, virtual methods for verifying and processing requests and securing the responses.
Posted by herveyw at April 8, 2004 10:10 PM
Since web services can automatically issue SCT, does that mean the STS and hence the SCT cache is inproc for the web services? Is the idea of a separate token issuer service obsolete? In a web farm, the SCT issued by one server won't work for another server unless they either share a SCT cache or share a token issuer.
In fact, I've found that when the token issuer is separated from the web services, the SCT won't work.
SCTs in a web farm scenario do work in the WSE 2.0 Tech Preview, but you need appropriate entries in your web.config to trigger the session key to be carried inside the SCT itself rather than simply stored in memory. Check out the <serviceToken> config elements in the <tokenIssuer> config.
For WSE 2.0 RTM, a lot of this has changed; unfortunately, I cannot give specifics at this time.
Posted by: herveyw at April 9, 2004 02:35 PM
I have a question about configuration. I am well aware of how to configure web services and web services clients using the configuration files.
However, for some web services I have a need to set some configuration values from code (in order to encapsulate web services client calls in class libraries, for example). I can find no information on whether or not this is possible, and if so how. It would seem to be a critical limitation if the only way to set these configurations was via the config file.
Posted by: code library developer at April 14, 2004 11:28 AM