Partilhar via


<usernameOverTransportSecurity> Element

Represents a turnkey security assertion that authenticates the client using a UsernameToken security token. The SOAP message is not encrypted or digitally signed, so a secure transport should be used with this assertion. WSE does not verify that the transport is providing the message protection. WS-Security 1.1 or 1.0 can be used with this assertion.

<policies> Element
  <policy> Element (Policy)

<usernameOverTransportSecurity 
  clientActor
  serviceActor 
  ttlInSeconds >
  <clientToken />
</usernameOverTransportSecurity >

Microsoft.Web.Services3.Design.UsernameOverTransportAssertion

Attributes and Elements

Attributes

Attribute Description

clientActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service client to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

serviceActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

ttlInSeconds

Optional attribute. Specifies the default number of seconds that a SOAP message is valid after its creation. The default value is 5 minutes (300 seconds).

Child Elements

Element Description

<clientToken> Element

Optional element. Specifies the security token that authenticates the client.

Parent Elements

Element Description

<policy> Element

Specifies a SOAP message requirement.

Remarks

When you use the <usernameOverTransportSecurity> policy assertion, it is recommended that you do not specify the client's user name and password in the policy file.

Example

The following code example demonstrates how to use the usernameOverTransportSecurity turnkey security assertion to send the client's user name and password in a SOAP message. The following code example does not place the user name and password in the policy file. Placing the user name and password is not recommended. In this case, the user name and password must be added in code.

<policies>
  <extensions>
    <extension name="usernameOverTransportSecurity" type="Microsoft.Web.Services3.Design.UsernameOverTransportAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="username" type="Microsoft.Web.Services3.Design.UsernameTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <usernameOverTransportSecurity />
    <requireActionHeader />
  </policy>
</policies>

See Also

Tasks

How to: Secure a Web Service Using a Policy File

Reference

<serviceToken> Element (Policy)
<protection> Element
<policy> Element
X509SecurityToken

Concepts

Turnkey Security Assertions

Other Resources

Implementing Direct Authentication with UsernameToken