<token> Element

Specifies the details needed to create an instance of a security token.

<policies> Element
  <policy> Element (Policy)
    <kerberosSecurity> Element

<token>
  <kerberos />
</token>

Attributes and Elements

Attributes

None.

Child Elements

Element | Description
<kerberos> Element | Specifies details about a KerberosToken security token.

Parent Elements

Element | Description
<kerberosSecurity> Element | Represents a turnkey security assertion that uses a KerberosToken security token to authenticate the client, digitally sign a SOAP message, or encrypt the <body> element of a SOAP message.

Remarks

Use the <token> element with the <kerberosSecurity> turnkey security assertion to specify the KerberosToken security token that protects the SOAP message exchange. WSE provides the <kerberos> element to specify the details. When you need to provide additional details, use a custom security token provider that derives from the KerberosTokenProvider class. After the class is created, register it in the policy file using an <extension> element.

The <token> element can be used only with one of the Turnkey Security Assertions. It does not work with custom security assertions.

Example

The following code example demonstrates how to secure one portion of an application that contains a Web service using a KerberosToken security token. The code example defines a policy assertion named kerberosAuthenticationKerberosProtection that specifies that a KerberosToken security token is used to authenticate the client, digitally sign the SOAP message, and encrypt the <body> element of the SOAP message. The digital signature and the encryption of the <body> element do not use the same key; the keys are derived from the key for the KerberosToken security token.

Note

This code example is designed to demonstrate WSE features and is not intended for production use.

<policies>
  <extensions>
    <extension name="kerberosSecurity"
               type="Microsoft.Web.Services3.Design.KerberosAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="kerberos"
               type="Microsoft.Web.Services3.Design.KerberosTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <kerberosSecurity establishSecurityContext="false" signatureConfirmation="false" protectionOrder="SignBeforeEncrypting" deriveKeys="true">
      <token>
        <kerberos targetPrincipal="host/contoso4@contoso.com" impersonationLevel="Identification" />
      </token>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>
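
The following check is an added example, not part of the original page or of WSE. It audits a policy file for the two constraints in the Remarks: <token> sits only inside a turnkey assertion, and every assertion and token provider element has an <extension> entry. It assumes that registration is required for each element used, as in the example above; `audit_policy`, `myAssertion`, and `myKerberos` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# The only turnkey assertion this page names; add the others your policies use.
TURNKEY_ASSERTIONS = {"kerberosSecurity"}

# Constructed samples (type attributes omitted for brevity).
GOOD = """<policies>
  <extensions><extension name="kerberosSecurity" /><extension name="kerberos" />
    <extension name="requireActionHeader" /></extensions>
  <policy name="kerberosAuthenticationKerberosProtection">
    <kerberosSecurity deriveKeys="true">
      <token><kerberos targetPrincipal="host/contoso4@contoso.com" /></token>
    </kerberosSecurity>
    <requireActionHeader />
  </policy>
</policies>"""

# "myAssertion" and "myKerberos" are hypothetical names; neither is registered.
BAD = """<policies>
  <extensions><extension name="kerberosSecurity" /></extensions>
  <policy name="broken">
    <myAssertion><token><myKerberos /></token></myAssertion>
  </policy>
</policies>"""

def audit_policy(xml_text, turnkey=TURNKEY_ASSERTIONS):
    """Return (policy name, problem) pairs for one WSE policy document."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # drop any XML namespace so tag names compare directly
        el.tag = el.tag.rsplit("}", 1)[-1]
    registered = {e.get("name") for e in root.findall("extensions/extension")}
    findings = []
    for policy in root.findall("policy"):
        name = policy.get("name")
        parent = {child: p for p in policy.iter() for child in p}
        for assertion in policy:  # direct children of <policy> are assertions
            if assertion.tag not in registered:
                findings.append((name, f"<{assertion.tag}> has no <extension> entry"))
        for token in policy.iter("token"):
            if parent[token].tag not in turnkey:
                findings.append((name, f"<token> inside non-turnkey <{parent[token].tag}>"))
            for provider in token:  # e.g. <kerberos> or a custom provider element
                if provider.tag not in registered:
                    findings.append((name, f"token provider <{provider.tag}> has no <extension> entry"))
    return findings

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(audit_policy(sample) or "no findings")
```
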

See Also

Reference

<kerberosSecurity> Element
<kerberos> Element
KerberosToken