Still more on WSE and WS-Security

The WSE 2.0 samples have helped tremendously. The WS-Security is beginning to make some sense. I am still having trouble with some of the samples, especially those involving X509. I think that is user error. I don't really need to encrypt the messages but I want to know - so I will make the WSE samples work.

I was confused about how the password digest was created.  There was a comment in one of the articles I read about it being the hash of a combination of the password, nonce and creation date. I finally found a spec at http://www.oasis-open.org/committees/wss/documents/WSS-Username-11.pdf
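The digest rule in that spec is Base64(SHA-1(nonce + created + password)). The following is an added example (my code, not from the post, from WSE, or from the OASIS spec) that builds a PasswordDigest UsernameToken on the client side and verifies it on the server side, including the two checks a digest token needs beyond the hash itself: a freshness window on Created and a one-time nonce cache against replay. The credential store, the clock-skew window and the in-memory nonce cache are constructed for the example; the namespace URIs are the published WSS ones.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
# xsd:dateTime in UTC without fractional seconds; a real parser must accept the full lexical form.
CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed credential store for the example; a real service looks this up from its own store.
PASSWORDS = {"alice": "correct horse battery staple"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) as defined in the UsernameToken Profile.
    The nonce enters the hash as raw bytes; it is base64-encoded only on the wire."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def build_username_token(username: str, password: str, created: str = None) -> dict:
    """Client side: fresh random nonce, current UTC timestamp, digest over both plus the password."""
    nonce = os.urandom(16)
    if created is None:
        created = datetime.now(timezone.utc).strftime(CREATED_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def to_wsse_xml(token: dict) -> str:
    """Render the token as it appears inside the wsse:Security SOAP header."""
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f'<wsse:Username>{escape(token["Username"])}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce>'
        f'<wsu:Created>{token["Created"]}</wsu:Created>'
        '</wsse:UsernameToken>'
    )


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject unknown users, stale tokens and replays."""

    def __init__(self, passwords: dict, freshness: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.freshness = freshness
        # In-memory replay cache (constructed); entries older than the window can be evicted.
        self.seen_nonces = set()

    def verify(self, token: dict) -> bool:
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created_at = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError, TypeError):
            return False
        # Freshness: Created must lie within the allowed clock skew on either side of now.
        if abs(datetime.now(timezone.utc) - created_at) > self.freshness:
            return False
        # Replay: a nonce seen inside the window is accepted only once.
        if token["Nonce"] in self.seen_nonces:
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self.seen_nonces.add(token["Nonce"])
        return True


if __name__ == "__main__":
    verifier = UsernameTokenVerifier(PASSWORDS)
    token = build_username_token("alice", PASSWORDS["alice"])
    print(to_wsse_xml(token))
    print("first use accepted:", verifier.verify(token))
    print("replay accepted:", verifier.verify(token))
```

Two points worth noticing when running it: the digest is only as strong as the password behind it (the server still has to hold the cleartext password to recompute it), and without the Created window and the nonce cache a captured token could be resubmitted indefinitely, which is why the profile carries both fields.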

A tool that I've found very useful is SoapScope at http://www.mindreef.com.  I purchased a copy to help me look at messages and it's been worth it.

I have implemented username signing in my DosEquis “learning” project. I already had an authentication scheme in place using a custom SOAP header, à la Yasser Shohoud's book.

One thing that I don't understand though is how a person perusing my web service site or WSDL would know about WS-Security. I was looking at the microsoft.com web service stuff and was wondering the same thing. If my client app had obtained a reference to a web service via UDDI, how would it know or be able to find out? More things that I don't understand about “real-world” web services.

The next big thing is to start working with DIME.  My DosEquis project will be collecting, processing and returning large amounts of data.

I also plan to start using the WS-I tools on my web services. I have listened to Yasser Shohoud's webcast http://msdn.microsoft.com/msdntv/episode.aspx?xml=episodes/en/20030724WEBSVCSYS/manifest.xml and just need to “code”.


Published Wednesday, September 10, 2003 1:34 PM by cloudycity

Comments

# re: Still more on WSE and WS-Security

You mention how a person interacting with your web service will know about the security and real-world web services. It's a good thought.

My 2 cents...
If you want everyone to use your web-service, then your foray into WS-Security is really academic and its implementation is probably not applicable.

If you need to implement a security scheme, then WS-Security is the answer for interoperability, and your clients must understand the security contract you are imposing.

For example, if you are using X509 then you must do something to not only acknowledge that the calling application is using a valid X509 Certificate, but it is a certificate that you will accept.

I have been doing a bit with WS-Security, and what helped me understand a valid implementation was for me to answer the following questions: How do I implement Authorization? How do I implement Authentication? How do I implement Integrity? How do I implement Confidentiality? How do I implement Non-Repudiation? .... I think that is all of them.

Thanks for letting me rant ;)
Mathew Nolton

Wednesday, September 10, 2003 7:36 PM by Mathew Nolton
