Implement a web service with WWSAPI that supports a WS-Security header with a nonce and a password digest

  • Question

  • Hi !

    I searched through the WWSAPI examples but found no explanation concerning the handling of a WS-Security header like this:

       <soapenv:Header>
          <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
             <wsse:UsernameToken wsu:Id="UsernameToken-5094D0E1418B986BF215754539660332">
                <wsse:Username>test</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">sqPh/Bap7ER6j+n+2iYlI+4Qt9A=</wsse:Password>
                <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">1ROYkV/ZftvGi17KmsvgnQ==</wsse:Nonce>
                <wsu:Created>2019-12-04T10:06:06.032Z</wsu:Created>
             </wsse:UsernameToken>
          </wsse:Security>
       </soapenv:Header>

    I understand how to handle a simple user/password, using the WS_USERNAME_MESSAGE_SECURITY_BINDING_TYPE binding, but I can't figure out how to configure the web service to receive the username, password digest, nonce and created values.

    - Is there a callback similar to the WS_VALIDATE_PASSWORD_CALLBACK of the WS_USERNAME_MESSAGE_SECURITY_BINDING structure ?

    - Where must the WS_SECURITY_HEADER_VERSION_1_1 value be specified ?

    Thanks



    Thursday, December 12, 2019 8:28 AM

Answers

  • Hi Didier,

    Is the username and password relative to the Windows Account? If not, the manual route your client is taking to parse the tokens is the only viable option as of now.

    Regards & Fei


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Marked as answer by d_d_v Thursday, January 16, 2020 8:02 AM
    Thursday, January 16, 2020 2:15 AM

All replies

  • Hello,

    I think you are in the wrong forum. IMO you would do better to ask here: https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=wwsapi

    Regards, Guido

    Thursday, December 12, 2019 8:37 AM
  • Oh ! Thanks, I didn't see this forum.
    Thursday, December 12, 2019 9:39 AM
  • Hi d_d_v,

    WS-Security is intended to work in conjunction with basic authentication.

    In view of your problems, I suggest you learn the following documents first, which will help you a lot.

    And to help you learn web services better, here's the collection of pages I ended up forming.

    A good introductory article:

    Introductory demo:

    Blogs on WWSAPI:

    WWSAPI Home page:

    Using WWSAPI Tracing:

    Best regards,

    Strive



    Friday, December 13, 2019 3:47 AM
  • Hi Strive,

    I spent several hours reading documentation concerning web services and WWSAPI, I thought I learnt enough to work on my web service.

    I am just surprised I can't see any example anywhere concerning such a common type of authentication.

    I was naively expecting simple security settings to specify the basic digest authentication and a callback to receive the usernametoken items.

    Anyway, thanks for the answer.


    • Edited by d_d_v Monday, December 16, 2019 10:43 AM
    Monday, December 16, 2019 8:26 AM
  • Hi d_d_v,

    Glad to help :)

    Best regards,

    Strive



    Tuesday, December 17, 2019 3:37 AM
  • Hello again,

    Maybe you could validate my implementation.

    The only way I succeeded in handling the WS-Security header with the username token as described in my first post was to handle this completely manually. That is, I just configured an authorization callback in the WS_SERVICE_ENDPOINT structure, but I used none of the predefined bindings/settings like WS_SECURITY_HEADER_VERSION, WS_SECURITY_BINDING_TYPE (except WS_SSL_TRANSPORT_SECURITY_BINDING_TYPE).

    Then in the authorization callback, I retrieve the input message via WsGetOperationContextProperty, I create an XML reader, and I manually parse the header with the WsGetReaderNode and WsReadNode functions, to retrieve each XML tag and value. Then, for the current user, I read the nonce and the created values that I use to compute the password digest with my SHA-1 algorithm.

    Is there a simpler way to do this? It seems quite strange to do this completely manually.

    Tuesday, December 24, 2019 9:52 AM
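Added example, not part of the thread or of WWSAPI: the check a manual authorization callback has to perform on the parsed token values, following the WS-Security UsernameToken Profile 1.0 formula Base64(SHA-1(nonce + created + password)), plus a freshness window and a nonce replay cache. It is written in Python to stay self-contained; `TokenVerifier`, `password_digest`, `parse_created` and the 5-minute `MAX_AGE` are hypothetical names and assumptions.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)  # assumed freshness window for wsu:Created

def password_digest(nonce, created, password):
    """Base64(SHA-1(decoded nonce bytes + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest())

def parse_created(created):
    """Parse a UTC xsd:dateTime such as 2019-12-04T10:06:06.032Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported wsu:Created value")

class TokenVerifier:
    def __init__(self, passwords):
        # The server must hold the clear-text password (or the exact secret
        # the client hashes); a salted password hash cannot reproduce the digest.
        self.passwords = passwords
        self.seen = {}  # (username, nonce bytes) -> time the entry may be dropped

    def verify(self, username, digest_b64, nonce_b64, created, now=None):
        now = now or datetime.now(timezone.utc)
        try:
            ts = parse_created(created)
            nonce = base64.b64decode(nonce_b64, validate=True)
            expected = password_digest(nonce, created, self.passwords[username])
        except (KeyError, ValueError):  # unknown user, bad timestamp or bad Base64
            return False
        if abs(now - ts) > MAX_AGE:  # stale or future-dated token
            return False
        if not hmac.compare_digest(expected, digest_b64.encode("utf-8")):
            return False  # constant-time comparison failed
        # Drop cache entries whose token can no longer pass the freshness check.
        self.seen = {k: exp for k, exp in self.seen.items() if exp >= now}
        if (username, nonce) in self.seen:  # same nonce replayed inside the window
            return False
        self.seen[(username, nonce)] = ts + MAX_AGE
        return True
```

Only authenticated nonces are cached here, so a client guessing passwords cannot fill the cache; the replay cache must be shared if several service instances accept the same credentials.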
  • Hi d_d_v,

    For this issue, I will discuss it with the relevant engineer. As soon as there is a conclusion, I will post an update right away.

    Best regards,

    Strive



    Wednesday, December 25, 2019 9:10 AM
  • Thanks for your help, Strive,

    Best regards,

    Didier

    Thursday, December 26, 2019 4:04 PM
  • Hi Didier,

    Is the username and password relative to the Windows Account? If not, the manual route your client is taking to parse the tokens is the only viable option as of now.

    Regards & Fei



    • Marked as answer by d_d_v Thursday, January 16, 2020 8:02 AM
    Thursday, January 16, 2020 2:15 AM
  • Ok, thanks for the confirmation.

    Regards,

    Didier

    Thursday, January 16, 2020 7:36 AM