How to implement Policy in HelloWorld Sample

  • Question

  • Dear all,

     

    I want to know whether we can implement policy in CSF DevLite Edition.

    When I try to create a session without providing username and password tokens in the HelloWorld Sample, the session is created. But the session is not created when I try to implement policy by providing a username and password.

     

    What should be done to resolve the issue?

    Wednesday, May 2, 2007 8:56 AM

Answers

  • Hi Asutosh,

     

    Session uses SessionManagerAdminServer policy to validate the incoming message for creating a session as described below.

     

    <policy name="SessionManagerAdminServerPolicy">
      <authorization>
        <allow role="DomainName\Requestors@CSF_SessionManagerAdmin"/>
        <deny user="*"/>
      </authorization>
      <!--<traceAssertion remoteServerUri="http://csftraceservername:9502/LogWriter.soap" />-->
      <dynamicSecurity>
        <usernameOverTransportSecurity/>
        <kerberosSecurity establishSecurityContext="false" renewExpiredSecurityContext="true" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="false" ttlInSeconds="300">
          <protection>
            <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true"/>
            <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false"/>
          </protection>
        </kerberosSecurity>
      </dynamicSecurity>
      <requireActionHeader/>
    </policy>

     

    In the SessionPolicyMapping.config file there has to be an entry for this.

     

    <AddressToPolicyMapping DestinationAddress="SessionManagerAdmin" PolicyName="SessionManagerAdminServerPolicy"/>

     

    Now if you don't provide a username or Kerberos token while creating a session, Session will reject that message (you can try this).

    Finally, if you are logged in to Session MMC as the current user, Session won't fetch all the sessions created by that owner (this is by design).

    After logging in you can specify filter criteria (like "CreatedBy", "State" etc.) to fetch specific sessions.

    The current owner is displayed as the DNS address of the session server.

    Hope this clarifies your doubt.

    regards,

    Subhodip

     

    Tuesday, July 17, 2007 6:49 AM
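The lookup this thread describes (mapping entry, then policy, then the tokens and roles that policy demands) can be scripted. This is an added example, not part of the original posts or of CSF itself: the function names, the `<policies>`/`<mappings>` wrapper elements and the shortened `kerberosSecurity` attributes are assumptions, since the full file layout is not shown on the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the policy and mapping entry quoted in the answer,
# wrapped in hypothetical <policies>/<mappings> roots (real file layout not shown).
POLICY_XML = r"""<policies>
  <policy name="SessionManagerAdminServerPolicy">
    <authorization>
      <allow role="DomainName\Requestors@CSF_SessionManagerAdmin"/>
      <deny user="*"/>
    </authorization>
    <dynamicSecurity>
      <usernameOverTransportSecurity/>
      <kerberosSecurity establishSecurityContext="false" ttlInSeconds="300"/>
    </dynamicSecurity>
    <requireActionHeader/>
  </policy>
</policies>"""
MAPPING_XML = """<mappings>
  <AddressToPolicyMapping DestinationAddress="SessionManagerAdmin"
                          PolicyName="SessionManagerAdminServerPolicy"/>
</mappings>"""

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def describe_endpoint(mapping_xml, policy_xml, address):
    """Resolve address -> policy name -> accepted tokens and authorization rules."""
    name = next((m.get("PolicyName") for m in ET.fromstring(mapping_xml).iter()
                 if local(m.tag) == "AddressToPolicyMapping"
                 and m.get("DestinationAddress") == address), None)
    if name is None:
        return None  # no mapping entry for this endpoint
    policy = next((p for p in ET.fromstring(policy_xml).iter()
                   if local(p.tag) == "policy" and p.get("name") == name), None)
    if policy is None:
        raise LookupError(f"mapping names {name!r} but no such policy is defined")
    tokens, rules = [], []
    for el in policy.iter():
        if local(el.tag) == "dynamicSecurity":
            tokens = [local(c.tag) for c in el]  # any one of these is accepted
        elif local(el.tag) == "authorization":
            rules = [(local(c.tag), dict(c.attrib)) for c in el]
    return {"policy": name, "accepted_tokens": tokens,
            "authorization": rules, "requires_token": bool(tokens)}
```

Running it against both config files for each endpoint shows at a glance which endpoints accept messages with no security token and which roles are allowed before the catch-all deny.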

All replies

  • Hi Ashutosh,

     

    CSF core services use policies to define how other services interact with them. Policy contains some rules which have to be followed in order to have successful communication.

    By default you get 2 configuration files which deal with policies - xPolicy.config and xPolicyMapping.config. Here x stands for the CSF core component e.g. Session, IDM etc. These files can be found in the configuration folder. The role of xPolicy.config is to contain policy details, and xPolicyMapping.config contains the mapping of policies defined in xPolicy.config to the end points. You will see two types of mappings - one each for incoming messages and outgoing messages.

    In your case you can check the SessionPolicyMapping.config file to see what policy Session applies for incoming messages. Once you find the policy which Session applies for incoming messages, you can see the details of that policy in the SessionPolicy.config file, and then you will come to know what the exact requirement is to be met when sending a message to Session. I think the policy for incoming messages to SessionManagerAdmin does not require any username token credentials, and since you are providing them, that's why SessionManagerAdmin is not able to process your message.

     

    Similar thing is applicable for all other core CSF services.

     

    I also suggest you go through the documentation to understand policy mapping better.

     

    Thanks,

     

    Ashish Malhotra

     

     

     

     

     

    Thursday, May 3, 2007 9:42 AM
  •  

    Hi Ashish,

     

    Thanks for replying.

    I had a look in the SessionPolicyMapping and SessionPolicy config files.

    There I found out that the session is using "SessionServerPolicy" for creating a session and it is not asking for username credentials for creating a session. So, that may be the reason for not creating the session when I am providing the username and password credentials.

    But then could you please tell me why, since I am using Windows authentication, the owner of the session is being displayed as "Anonymous" in the CSF Session Management Console?

     

     

    Thanks,

     

    Ashutosh Rai

     

    Thursday, May 3, 2007 10:42 AM
  • Hi Ashutosh,

    I have not been working with the CSF Session Management console and rely solely on log files, hence I am not in a position to answer your query.

     

    Thanks,

     

    Ashish Malhotra

    Friday, May 4, 2007 5:54 AM