Secure Conversation in WSE 3

Setup secure conversation using WSE 3 was very simple. You just need to add two attributes to the secure policy assertion (usernameOverCertificate, mutual, etc).
establishSecurityContext="true" renewExpiredSecurityContext="true"
The problem was when I wanted to establish the secure conversation, get the token and use it in further requests. Secure conversation means just this:
  1. Send a first request with a UsernameToken (username/password), BinarySecurityToken (certificate).
  2. The service will reply with two messages: the response of the original request and a RequestSecurityTokenResponse which will have the SecurityContextToken issued
  3. Grab the SecurityContextToken
  4. Send a second request with a SecurityContextToken (now there is no need to send UsernameToken or whatever which means more performance and security)
How this four steps are translated into code?

1 and 2.
WseProxy proxy = new WseProxy();
proxy.SetClientCredential(new UsernameToken(txtUser.Text, txtPass.Text, PasswordOption.SendPlainText));
SomeResponse respone = proxy.DoRequest();
SecureConversationCorrelationState correlationState = proxy.ResponseSoapContext.SessionState.Get();
if (correlationState != null)
// Get the SCT for the current conversation sct = correlationState.Token as SecurityContextToken;
WseProxy proxy = new WseProxy();
SomeResponse respone = proxy.DoRequest();
The trick is in the step 3 where we are getting the SecurityContextToken from the session state under the response soap context. We could store this sct in the ASP.Net Session, or in a static variable for Winforms and use it for further requests.

Published: October 01 2005

blog comments powered by Disqus