How to: Decrypt a SOAP Message Encrypted Using a User Name and Password

The following procedures detail how to configure WSE to decrypt SOAP messages encrypted using a user name and password and how to use code to require that the SOAP <Body> element be encrypted.

Note

The UsernameToken security token should be used only to identify the client, not to digitally sign or encrypt SOAP messages. When a SOAP message is signed or encrypted with a UsernameToken, the signing or encryption key is derived from the user's password, so anyone who captures the message can test candidate passwords offline in a dictionary attack. Instead, use the UsernameToken security token for identity and an EncryptedKeyToken security token to digitally sign or encrypt the SOAP messages. The <usernameForCertificateSecurity> turnkey security assertion uses this model.

To decrypt SOAP messages encrypted using a user name and password

  • In the Web.config file for the Web application that is hosting the Web service, include a <soapServerProtocolFactory> element in the <webServices> section.

    When the SOAP message recipient is a Web service client, this configuration entry is not required. Instead, the base class of the proxy class must be changed to derive from the WebServicesClientProtocol.

    The following code example shows the configuration entry that must be placed in the Web.config file for WSE to run with a Web service. The type attribute of the <soapServerProtocolFactory> element must be on a single line.

    <configuration>
        <system.web>
            <webServices>
                <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </webServices>
        </system.web>
    </configuration>
    

To use code to require that the <Body> element of incoming SOAP messages is encrypted using a user name and password

  1. Create a custom policy assertion.

    For more details about creating custom policy assertions, see How to: Create a Custom Policy Assertion that Secures SOAP Messages.

  2. In the input SOAP filter for the client or the Web service that receives the encrypted SOAP messages, override the ValidateMessageSecurity method.

    The following code example overrides the ValidateMessageSecurity method for the Web service input SOAP filter.

    ' Visual Basic
    Public Overrides Sub ValidateMessageSecurity(ByVal envelope As SoapEnvelope, ByVal security As Security)
    
    // C#
    public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
    {
    
  3. Verify that the expected XML elements are encrypted using a UsernameToken security token.

    The following code example checks that at least one EncryptedData element in the security header was decrypted with a key derived from a UsernameToken. Note that the loop does not inspect which element was encrypted: it accepts the request as soon as any encrypted element satisfies the check, so on its own it does not prove that the <Body> element was the one encrypted.

    ' Visual Basic
    Dim IsEncrypted As Boolean = False
    Dim element As ISecurityElement
    For Each element In security.Elements
        If TypeOf element Is EncryptedData Then
            ' The security header contains an EncryptedData element.
            Dim encrypt As EncryptedData = CType(element, EncryptedData)
    
            ' Some element of the message was encrypted; check which token
            ' supplied the decryption key.
            If (TypeOf encrypt.SecurityToken Is UsernameToken) Then
                ' This element was decrypted with a key derived from a UsernameToken.
                IsEncrypted = True
            End If
        End If
    Next
    If (Not IsEncrypted) Then
        Throw New SecurityFault("Message did not meet security requirements.")
    End If
    
    // C#
    bool IsEncrypted = false;
    foreach (ISecurityElement element in security.Elements)
    {
        if (element is EncryptedData)
        {
            // The security header contains an EncryptedData element.
            EncryptedData encrypt = element as EncryptedData;
    
            // Some element of the message was encrypted; check which token
            // supplied the decryption key.
            if (encrypt.SecurityToken is UsernameToken)
                // This element was decrypted with a key derived from a UsernameToken.
                IsEncrypted = true;
        }
    }
    if (!IsEncrypted)
        throw new SecurityFault("Message did not meet security requirements.");
    

Example

The following code example is the ValidateMessageSecurity method for a policy assertion that verifies that an element of each SOAP request was encrypted using a UsernameToken security token. As written, it does not check that the encrypted element was the <Body>; a request carrying any UsernameToken-encrypted element passes.

' Visual Basic
Public Overrides Sub ValidateMessageSecurity(ByVal envelope As SoapEnvelope, ByVal security As Security)
    Dim IsEncrypted As Boolean = False
    Dim element As ISecurityElement
    For Each element In security.Elements
        If TypeOf element Is EncryptedData Then
            ' The security header contains an EncryptedData element.
            Dim encrypt As EncryptedData = CType(element, EncryptedData)

            ' Some element of the message was encrypted; check which token
            ' supplied the decryption key.
            If (TypeOf encrypt.SecurityToken Is UsernameToken) Then
                ' This element was decrypted with a key derived from a UsernameToken.
                IsEncrypted = True
            End If
        End If
    Next
    If (Not IsEncrypted) Then
        Throw New SecurityFault("Message did not meet security requirements.")
    End If
End Sub 'ValidateMessageSecurity
      
// C#
public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
{
    bool IsEncrypted = false;
    foreach (ISecurityElement element in security.Elements)
    {
        if (element is EncryptedData)
        {
            // The security header contains an EncryptedData element.
            EncryptedData encrypt = element as EncryptedData;

            // Some element of the message was encrypted; check which token
            // supplied the decryption key.
            if (encrypt.SecurityToken is UsernameToken)
                // This element was decrypted with a key derived from a UsernameToken.
                IsEncrypted = true;
        }
    }
    if (!IsEncrypted)
        throw new SecurityFault("Message did not meet security requirements.");
}
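The check above passes as soon as any EncryptedData element was decrypted with a UsernameToken-derived key, so a request whose <Body> is plaintext but that carries some other encrypted element would be accepted. The following is an added example written for this page (not WSE sample code) that tightens the check to the <Body> element itself and wires it into a complete policy assertion. It assumes that the WSE 3.0 EncryptedData.TargetElement property exposes the element the EncryptedData was applied to, and the ReadXml signature and the ReceiveSecurityFilter base-constructor arguments follow the pattern in "How to: Create a Custom Policy Assertion that Secures SOAP Messages"; the class and element names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using Microsoft.Web.Services3;
using Microsoft.Web.Services3.Design;
using Microsoft.Web.Services3.Security;
using Microsoft.Web.Services3.Security.Tokens;

// Added example (not WSE sample code): a policy assertion whose service-side
// input filter accepts a request only if the SOAP <Body> itself was encrypted
// and the decryption key came from a UsernameToken.
public class RequireUsernameBodyEncryptionAssertion : PolicyAssertion
{
    // Only incoming messages at the service are checked; the other three
    // filter positions are not needed and return null.
    public override SoapFilter CreateClientInputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateClientOutputFilter(FilterCreationContext context) { return null; }
    public override SoapFilter CreateServiceOutputFilter(FilterCreationContext context) { return null; }

    public override SoapFilter CreateServiceInputFilter(FilterCreationContext context)
    {
        return new ServiceInputFilter(context);
    }

    // The policy element carries no settings, so it is consumed and ignored.
    // Assumption: this (reader, extensions) signature is the WSE 3.0 override,
    // as used in the custom policy assertion How-to.
    public override void ReadXml(XmlReader reader, IDictionary<string, Type> extensions)
    {
        if (reader == null) throw new ArgumentNullException("reader");
        reader.Skip();
    }

    private class ServiceInputFilter : ReceiveSecurityFilter
    {
        private const string Soap11Ns = "http://schemas.xmlsoap.org/soap/envelope/";
        private const string Soap12Ns = "http://www.w3.org/2003/05/soap-envelope";

        // Assumption: base-constructor arguments follow the How-to's pattern
        // (service actor, isClient = false for the service side, client actor).
        public ServiceInputFilter(FilterCreationContext context)
            : base(context.ServiceUri, false, context.ActorName)
        {
        }

        // Runs after WSE has processed the security header and decrypted the
        // message, so security.Elements describes what was actually encrypted.
        public override void ValidateMessageSecurity(SoapEnvelope envelope, Security security)
        {
            bool bodyEncryptedByUsername = false;

            foreach (ISecurityElement element in security.Elements)
            {
                EncryptedData encrypt = element as EncryptedData;
                if (encrypt == null)
                    continue;

                // Assumption: EncryptedData.TargetElement is the XmlElement this
                // EncryptedData was applied to. Checking it is what distinguishes
                // "the Body was encrypted" from "something was encrypted".
                XmlElement target = encrypt.TargetElement;
                if (target == null)
                    continue;

                bool targetIsBody = target.LocalName == "Body"
                    && (target.NamespaceURI == Soap11Ns || target.NamespaceURI == Soap12Ns);

                // Both conditions must hold for the same EncryptedData element:
                // it covered the Body, and its key was derived from a UsernameToken.
                if (targetIsBody && encrypt.SecurityToken is UsernameToken)
                    bodyEncryptedByUsername = true;
            }

            if (!bodyEncryptedByUsername)
                throw new SecurityFault(
                    "Message did not meet security requirements: the SOAP Body was not encrypted with a UsernameToken.");
        }
    }
}
```

Register the assertion in the policy file's <extensions> section and reference its element from the service's policy, as described in the linked How-to. The SecurityFault thrown here rejects the message before the Web method runs, which is the behaviour you want: a plaintext Body must never reach application code when the policy says it has to be encrypted.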

See Also

Tasks

How to: Encrypt a SOAP Message by Using a User Name and Password
How to: Encrypt a SOAP Message

Reference

UsernameToken