HELP!!!!!!! WSE driving me CRAZY

[Eric Dugal]

Hi!!

I'm just trying to pass user and password in SOAP header using WSE. In
my current project, im doing it manually and it take me 10 lines of
simple code to do the job. So, i've heard that WSE is SUPOSSED to
simplify programmer life and decided to give it a try.... Since 2
days, i tried to pass username and password in token, but always
received the message :

Microsoft.Web.Services2.Security.SecurityFault: The security token
could not be authenticated or authorized ---> System.Exception:
WSE562: The incoming username token contains a password hash. The
built-in UsernameTokenManager does not support this type of
UsernameToken. Please see the documentation for more details on the
UsernameTokenManager.AuthenticateToken method. at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyHashedPassword(UsernameToken
token, String authenticatedPassword) at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyPassword(UsernameToken
token, String authenticatedPassword) at
Microsoft.Web.Services2.Security.Tokens.UsernameTokenManager.VerifyToken(SecurityToken
securityToken) at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement
element) --- End of inner exception stack trace --- at
Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.LoadXmlSecurityToken(XmlElement
element) at Microsoft.Web.Services2.Security.Tokens.SecurityTokenManager.GetTokenFromXml(XmlElement
element) at Microsoft.Web.Services2.Security.Security.LoadToken(XmlElement
element, SecurityConfiguration configuration, Int32& tokenCount) at
Microsoft.Web.Services2.Security.Security.LoadXml(XmlElement element)
at Microsoft.Web.Services2.Security.SecurityInputFilter.ProcessMessage(SoapEnvelope
envelope) at Microsoft.Web.Services2.Pipeline.ProcessInputMessage(SoapEnvelope
envelope) at Microsoft.Web.Services2.WebServicesExtension.BeforeDeserializeServer(SoapServerMessage
message)

The web service code are :

[WebMethod]
public string HelloWorld()
{
SoapContext ctxt = RequestSoapContext.Current;
foreach (SecurityToken tok in ctxt.Security.Tokens)
if (tok is UsernameToken)
{
UsernameToken user = (UsernameToken)ok;
if (user.Username == "DOOGIE")
{
return "Hello, King DOOGIE";
}

}

return "Hello, Liar";

}

I also created a custom UsernameToken Manager in the web service. :

namespace WS_WSE
{
/// <summary>
/// Summary description for Class1.
/// </summary>
[SecurityPermissionAttribute(SecurityAction.Demand,
Flags=SecurityPermissionFlag.UnmanagedCode)]
public class CustomUsernameTokenManager : UsernameTokenManager
{
// Returns the password or password equivalent for a user name.
protected override string AuthenticateToken(UsernameToken token)
{
// Ensure the SOAP message contained a UsernameToken.
if (token == null)
throw new ArgumentNullException();

// This is a very simple provider.
// In most production systems the following code
// typically consults an external database to obtain the password
or
// password equivalent for a given user name.

byte[] password =
System.Text.Encoding.UTF8.GetBytes(token.Username);
Array.Reverse(password);

return Convert.ToBase64String(password);
}
}

}

The web.config of my webservice look like :

<webServices>
<soapExtensionTypes>
<add type="Microsoft.Web.Services2.WebServicesExtension,
Microsoft.Web.Services2, Version=2.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35" priority="1" group="0" />
</soapExtensionTypes>
</webServices>
</system.web>
<microsoft.web.services2>
<diagnostics>
<trace enabled="true" input="InputTrace.webinfo"
output="OutputTrace.webinfo" />
<detailedErrors enabled="true" />
<policyTrace enabled="true" input="ReceivePolicy.webinfo"
output="SendPolicy.webinfo" />
</diagnostics>
<tokenIssuer>
<autoIssueSecurityContextToken enabled="true" />
</tokenIssuer>
<security>
<securityTokenManager type="WS_WSE.CustomUsernameTokenManager,
WS_WSE" xmlns:wsse="http://localhost/WS_WSE/WS_WSE"
qname="wsse:UsernameToken" />
</security>
</microsoft.web.services2>

and the code that call the webservice look like that :

UsernameToken userToken = new UsernameToken("DOOGIE", "TEST",
PasswordOption.SendHashed );
localhost.Service1 serviceProxy = new localhost.Service1();
SoapContext requestContext = serviceProxy.RequestSoapContext;
requestContext.Security.Tokens.Add(userToken);

requestContext.Security.Timestamp.TtlInSeconds = 60;
serviceProxy.HelloWorld();

What is wrong!!!! im verry frustrated and started thinking that WSE is
pure crap!!!!!! plz... help me before i throw that fuc*?%*?&*
technologie by the windows.

Thanks,

[Sami Vaaraniemi]

There may be some initial hurdles with WSE but once you get it going it
gives you many powerful features pretty much for free.

Anyway, in your case it seems that WSE is using its own built-in
UsernameTokenManager which requires the password to be sent in plain text
(PasswordOption.SendPlainText). That's what the error is about.

I suspect the reason that WSE is not picking up your custom
UsernameTokenManager implementation is that the namespace declaration in the
securityTokenManager tag in the web.config file is wrong. Instead of
xmlns:wsse="http://localhost/WS_WSE/WS_WSE", it should be
xmlns:wsse=http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd.
Try changing it and see if it helps.

Regards,
Sami

"Eric Dugal" <eric....@protectron.com> wrote in message
news:c96b58bb.05010...@posting.google.com...

[doogie]

thanks for the fast answer!!!

Unfortunatly, i chenged the namespace declaration as mentionned and it
doesn't work... ;-(

he always take is built-in token manager instead of mine.... maybe it
because of my type declaration which is :
WS_WSE.CustomUsernameTokenManager, WS_WSE

thanks,

[Sami Vaaraniemi]

Make sure you have the double quotes (I seem to have missed them from the
previous post):

xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

Also, double check that the name of the assembly that contains your customer
UsernameTokenManager class is WS_WSE.dll and that the assembly is in the
same directory where you have the web.config file. With all these properly
set up, it should work.

Regards,
Sami

"doogie" <eric....@protectron.com> wrote in message
news:1105127924.4...@c13g2000cwb.googlegroups.com...

[doogie]

thanks,

I have the double quote!!

I think my problem is a permission problem. I read on Ms site that on
XP and 2000, the the ASPNET account must be given the log on locally
permission.

I'm waiting for the system administrator to give the rights to ASPNET
user.

Thanks,

[Eric Dugal]

That doesn't work with the ASPNET set to log locally!!!

I hate WSE!!!

[Dilip Krishnan]

Hello Eric,

Is there are reason for the

<autoIssueSecurityContextToken enabled="true" /> entry
in the web.config? Try removing this entry and see if it works

HTH
Regards,
Dilip Krishnan
MCAD, MCSD.net
dkrishnan at geniant dot com
http://www.geniant.com

[Sami Vaaraniemi]

I made a little experiment by changing the xmlns:wsse attribute in the
securityTokenManager tag in my web.config file to something else than what
it is supposed to be. In this case I get the same exception as you reported
in the first post. This sort of makes sense as then WSE will use the
built-in UsernameTokenManager, and the authentication fails because the
built-in UsernameTokenManager does not support hashed passwords.

As soon as I change the xmlns:wsse attribute back to what it is supposed to
be, it works.

I can't think of any other explanation to the problem than maybe the config
file is in wrong directory. Since you are hosting the web service in IIS,
the config file should be in the virtual directory.

If you post the web.config file and the full source to the assembly that
contains the custom UsernameTokenManager, I'll try it and see if I can
reproduce the problem.

Regards,
Sami