The previous two chapters mainly illustrated how to use Web Services Enhancements 3.0 to create a security policy. Now we use an example to show how to build a secure web service with Web Services Enhancements 3.0.
In the June CTP there are six types of turnkey security assertions. The first is anonymousovercertificatesecurity. Here the web service authenticates itself to the caller with its X.509 certificate, and all callers are anonymous. Message-level integrity and confidentiality are provided by a symmetric key exchanged under the server's public key. Logically, this model resembles what happens when you visit your favorite online bookstore and buy a book: the store has far too many customers to verify each one individually, but it can accept a credit card number and billing address, so the responsibility for verifying the transaction is transferred to the bank. In many enterprise web services both clients and servers are issued certificates. In that case you can choose one of two assertions: certificatemutualauthenticationprofile or mutualcertificatesecurity. They are logically similar: client and server authenticate each other by presenting an X.509 certificate and proving possession of the corresponding private key, and message-level integrity and confidentiality are again provided by a symmetric key exchanged under the server's public key. The first assertion relies on the existing WS-Security 1.0 specification, while the second uses the draft WS-Security 1.1 specification, which adds some new features (such as encrypted SOAP headers). Although authenticating the client with a certificate is a good choice, it is often simple in principle but not feasible in practice, because it adds the overhead of a public key infrastructure (PKI) to issue and manage client certificates. It is usually more reasonable to authenticate the client with a simple user name and password. Two turnkey assertions support this: usernameovertransportsecurity and usernameovercertificatesecurity.
If you want to rely on SSL to authenticate the server and provide integrity and confidentiality for the channel, use usernameovertransportsecurity. Usernameovercertificatesecurity is useful when SSL is not applicable (for example, when there is an intermediary and end-to-end authentication is required). Finally, if you are building a web service for an intranet that supports Kerberos (a modern Windows domain environment), the kerberossecurity assertion is a very suitable choice. Because Kerberos uses conventional symmetric cryptography to authenticate the client and the service, it imposes a much smaller burden on the service than the certificate-based solutions. The biggest advantage in a Windows domain environment, however, is single sign-on: the client is authenticated with its default logon credentials without being prompted for a password, and no PKI is required either. The server can use Windows groups as roles to authorize access to resources, or simply impersonate the client and let Windows perform the access check. (From http://www.microsoft.com/china/MSDN/library/WebServices/WebServices/issues0602WSE30.mspx?MFR=true)
This article uses usernameforcertificatesecurity as the example.
First, two tools are introduced: makecert.exe and certmgr.exe.
Makecert.exe, the Certificate Creation tool, generates X.509 certificates for testing purposes only. It creates a public/private key pair for digital signatures and stores it in a certificate file. The tool also associates the key pair with the name of a specified issuer and creates an X.509 certificate that binds a user-specified name to the public part of the key pair. (http://msdn2.microsoft.com/zh-cn/library/bfsktky3.aspx)
Certmgr.exe, the Certificate Manager tool, manages certificates, certificate trust lists (CTLs) and certificate revocation lists (CRLs). (http://msdn2.microsoft.com/zh-cn/library/e78byta0.aspx)
Now we use these two tools to generate the certificates we need. The first command creates the server certificate in the local machine's Personal (My) store with an exportable key-exchange key; the second copies the public part of that certificate into the current user's Other People (AddressBook) store so the client can find it; the third creates the client certificate in the current user's Personal store.

    makecert.exe -sr LocalMachine -ss My -a sha1 -n CN=WSE2QuickStartServer -sky exchange -pe
    certmgr.exe -add -r LocalMachine -s My -c -n WSE2QuickStartServer -r CurrentUser -s AddressBook
    makecert.exe -sr CurrentUser -ss My -a sha1 -n CN=WSE2QuickStartClient -sky exchange -pe
Viewing the certificates
Start -> Run... -> mmc
File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> Computer account -> Personal -> Certificates -> WSE2QuickStartServer
File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> My user account -> Personal -> Certificates -> WSE2QuickStartClient
File -> Add/Remove Snap-in -> Add -> Certificates -> Add -> My user account -> Other People -> Certificates -> WSE2QuickStartServer
Program implementation
1. Create a new web service and create a security policy (http://www.cnblogs.com/jiekeng/archive/2006/10/25/539962.html) whose security token is a UsernameToken, so that the client must include a user name and password.
First, create a class CustomUsernameTokenManager that inherits from Microsoft.Web.Services3.Security.Tokens.UsernameTokenManager:
    using System;
    using System.Xml;
    using System.Security.Permissions;
    using Microsoft.Web.Services3.Security;
    using Microsoft.Web.Services3.Security.Tokens;

    namespace Microsoft.Web.Services3.QuickStart
    {
        public class CustomUsernameTokenManager : UsernameTokenManager
        {
            public CustomUsernameTokenManager()
            {
            }

            public CustomUsernameTokenManager(XmlNodeList nodes)
                : base(nodes)
            {
            }

            // WSE calls this with the incoming UsernameToken and checks what the client
            // sent against the password (or password equivalent) returned here.
            // The sample derives the password equivalent from the user name itself:
            // the UTF-8 bytes of the user name, reversed and Base64-encoded. This is
            // demo-only logic; a real implementation looks the secret up in a user store.
            protected override string AuthenticateToken(UsernameToken token)
            {
                byte[] password = System.Text.Encoding.UTF8.GetBytes(token.Username);
                Array.Reverse(password);
                return Convert.ToBase64String(password);
            }
        }
    }
Then create the web service itself, which returns a string:
    using System;
    using System.Collections.Generic;
    using System.Web;
    using System.Web.Services;
    using System.Web.Services.Protocols;
    using System.Xml.Serialization;
    using Microsoft.Web.Services3;
    using Microsoft.Web.Services3.QuickStart;

    [WebService(Namespace = "http://stockservice.contoso.com/wse/samples/2005/10")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [Policy("ServerPolicy")]   // name of the policy assertion created in step 1
    public class WSSecurityUsernameService : System.Web.Services.WebService
    {
        public WSSecurityUsernameService()
        {
        }

        [WebMethod]
        public string HelloWorld()
        {
            return "HelloWorld";
        }
    }
2. Create a console project and set up WSE for it (http://www.cnblogs.com/jiekeng/archive/2006/10/26/541210.html, client access using a user name).
Add the web reference. In the generated proxy class you can see public partial class WSSecurityUsernameServiceWse : Microsoft.Web.Services3.WebServicesClientProtocol, not System.Web.Services.Protocols.SoapHttpClientProtocol.
    using System;
    using System.Collections.Generic;
    using System.Text;
    using Microsoft.Web.Services3;
    using Microsoft.Web.Services3.Design;
    using Microsoft.Web.Services3.Security;
    using Microsoft.Web.Services3.Security.X509;
    using Microsoft.Web.Services3.Security.Tokens;
    using localhost;   // namespace of the generated web reference

    namespace WSSecurityUsernameClient
    {
        class WSSecurityUsernameClient
        {
            static void Main(string[] args)
            {
                WSSecurityUsernameClient client = null;
                try
                {
                    client = new WSSecurityUsernameClient();
                    client.Run();
                }
                catch (Exception ex)
                {
                    // a SOAP fault lands here when the server rejects the token
                    Console.WriteLine(ex.ToString());
                }
                Console.WriteLine("");
                Console.WriteLine("Press [Enter] to continue");
                Console.ReadLine();
            }

            public void Run()
            {
                WSSecurityUsernameServiceWse serviceProxy = new WSSecurityUsernameServiceWse();
                UsernameToken token = null;
                bool useCorrectPassword = true;
                string username = Environment.UserName;

                // Build the same password equivalent the server's token manager expects:
                // the UTF-8 bytes of the user name, reversed and Base64-encoded.
                byte[] passwordBytes = System.Text.Encoding.UTF8.GetBytes(username);
                Array.Reverse(passwordBytes);
                if (useCorrectPassword)
                {
                    string passwordEquivalent = Convert.ToBase64String(passwordBytes);
                    token = new UsernameToken(username, passwordEquivalent);
                }
                else
                {
                    // set useCorrectPassword to false to watch the server reject the call
                    token = new UsernameToken(username, "BadPassword");
                }
                serviceProxy.SetClientCredential(token);
                serviceProxy.SetPolicy("ClientPolicy");
                Console.WriteLine("Calling {0}", serviceProxy.Url);
                Console.WriteLine("");
                Console.WriteLine("HelloWorld: " + serviceProxy.HelloWorld());
            }
        }
    }
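The following Python sketch is an added illustration, not code from the original post or from the WSE QuickStart: it reproduces the password-equivalent scheme that the client and CustomUsernameTokenManager share above, and shows the WS-Security UsernameToken Profile 1.0 PasswordDigest check (Base64 of SHA-1 over nonce, created and password) that the server performs with the value AuthenticateToken returns, which is assumed to be how WSE handles a hashed password. The function names and the sample user store are my own.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Callable, Optional

def password_equivalent(username: str) -> str:
    # The demo's derivation: reversed UTF-8 bytes of the user name, Base64-encoded.
    # It is what the client above sends and what AuthenticateToken returns.
    return base64.b64encode(bytes(reversed(username.encode("utf-8")))).decode("ascii")

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # WS-Security UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def client_username_token(username: str, password: str,
                          nonce: Optional[bytes] = None,
                          created: Optional[str] = None) -> dict:
    # Fields a client places in wsse:UsernameToken when it sends a hashed password.
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }

def server_authenticate(token: dict, lookup: Callable[[str], Optional[str]]) -> bool:
    # lookup() plays the role of AuthenticateToken: it returns the password equivalent
    # for the user name, or None for an unknown user. The server never sees the
    # password itself; it recomputes the digest and compares in constant time.
    expected = lookup(token["Username"])
    if expected is None:
        return False
    nonce = base64.b64decode(token["Nonce"])
    recomputed = password_digest(nonce, token["Created"], expected)
    return hmac.compare_digest(recomputed, token["PasswordDigest"])

# Constructed sample store standing in for a real credential database. Because the
# demo's password equivalent is computable from the user name alone, a production
# token manager must return a stored secret instead of deriving one.
USER_STORE = {"alice": password_equivalent("alice")}

def lookup_from_store(username: str) -> Optional[str]:
    return USER_STORE.get(username)
```

Changing the Created timestamp or the digest after the token is built makes the check fail, which is why WSE also signs the token and rejects stale timestamps.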
Run the program to see the effect.
Summary
I have always wondered how a client program installs certificates; a B/S program will then bring deployment problems, and if manual import and export are involved, it will be even more depressing. I am still studying it. I hope someone can help me a lot.