<anonymousForCertificateSecurity> Element

Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is not authenticated. WS-Security 1.1 is required for this assertion.

<policies> Element
  <policy> Element (Policy)

<anonymousForCertificateSecurity
  clientActor
  establishSecurityContext="true|false"
  messageProtectionOrder="Signature and encryption order"
  renewExpiredSecurityContext="true|false"
  requireDerivedKeys="true|false"
  requireSignatureConfirmation="true|false"
  serviceActor
  ttlInSeconds >
  <serviceToken/>
  <protection/>
</anonymousForCertificateSecurity>

Microsoft.Web.Services3.Design.AnonymousForCertificateAssertion

Attributes and Elements

Attributes

Attribute Description

clientActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service client to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

establishSecurityContext

Optional attribute. Specifies whether a secure conversation is established using SecurityContextToken security tokens. Possible values are true and false. When true, this security assertion secures the security token request and its response (the RST and RSTR), and the SOAP messages exchanged between the client and the Web service are secured using SecurityContextToken security tokens. The default value is false.

messageProtectionOrder

Required attribute. Specifies the order of operation for digital signatures and message encryption. SignBeforeEncrypt specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, but the digital signature is not encrypted. SignBeforeEncryptAndEncryptSignature specifies that a digital signature is generated for the SOAP message before any portion of the SOAP message is encrypted, and the digital signature is encrypted. The default value is SignBeforeEncrypt.

renewExpiredSecurityContext

Optional attribute. Specifies whether a new SecurityContextToken security token is automatically requested when the current one expires while a secure conversation is established. This is applicable only when the establishSecurityContext attribute for this policy assertion is true. The default value is false.

requireDerivedKeys

Optional attribute. Specifies whether DerivedKeyToken security tokens are used. Possible values are true and false. The default value is true.

requireSignatureConfirmation

Optional attribute. Specifies whether the Web service sends a confirmation that verifies the client's digital signature and whether the client rejects SOAP responses without a signature confirmation. This is always false.

serviceActor

Optional attribute. Specifies the actor attribute on the Security SOAP header for a SOAP message destined for a Web service to which this policy assertion applies. When the SOAP message is not routed through an intermediary, such as a SOAP router, the actor attribute is an empty string (""). When the policy assertion applies to an intermediary, specify the URI for the intermediary. The default value is an empty string ("").

Note

When the serviceActor attribute is set to a value other than an empty string (""), then the establishSecurityContext attribute must be set to false.

ttlInSeconds

Optional attribute. Specifies the default number of seconds that a SOAP message is valid after its creation. The default value is 300 seconds (5 minutes).

Child Elements

Element Description

<serviceToken> Element (Policy)

Optional element. Specifies the X509SecurityToken security token that protects the SOAP messages.

If the details of the X509SecurityToken security token are not specified in the policy file, the security token must be specified using code.

<protection> Element

Required element. Specifies the portions of the SOAP message that are signed, encrypted, or both.

Parent Elements

Element Description

<policy> Element

Specifies a SOAP message requirement.

Remarks

Use caution when the anonymousForCertificateSecurity turnkey security assertion is used with a secure conversation. A secure conversation is established when the establishSecurityContext attribute is set to true. A man-in-the-middle attack can extract the EncryptedKey from a security token request and then send security token requests to the security token service that are protected using the extracted EncryptedKey. The issued security tokens are cached by default by the security token service, so two of the impacts of this attack are consumption of the available memory and processing power on the security token service's computer.

This security assertion can have zero or more <protection> elements. Use more than one <protection> element to apply protection requirements for each operation using the requestAction attribute. Each of the <protection> elements must have a unique requestAction attribute unless the requestAction is omitted. Only one of the <protection> elements can omit the requestAction attribute, and that element defines the default protection requirements for the policy.
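The attribute and child-element rules stated on this page (serviceActor forces establishSecurityContext="false", requestAction must be unique across <protection> elements with at most one default, messageProtectionOrder takes one of two values, renewExpiredSecurityContext only matters with a secure conversation) can be checked before a policy file is deployed. The following lint script is an added example, not WSE code and not part of the original page; the function names and the sample policy XML (built from the values in this page's example plus a deliberately broken second policy) are the author's own constructions.

```python
"""Lint the anonymousForCertificateSecurity assertions in a WSE 3.0 policy file.

Added example (not WSE code and not from the original page); it encodes only
the constraints this reference page states. All names below are the author's own.
"""
import xml.etree.ElementTree as ET

ASSERTION = "anonymousForCertificateSecurity"
PROTECTION_ORDERS = {"SignBeforeEncrypt", "SignBeforeEncryptAndEncryptSignature"}
BOOL_ATTRS = ("establishSecurityContext", "renewExpiredSecurityContext",
              "requireDerivedKeys", "requireSignatureConfirmation")


def _flag(elem, name, default):
    """Read a true|false attribute; returns None when the value is not a boolean."""
    return {"true": True, "false": False}.get(elem.get(name, default))


def lint_assertion(assertion):
    """Return (severity, message) findings for one assertion element."""
    findings = []

    def err(msg):
        findings.append(("error", msg))

    def warn(msg):
        findings.append(("warning", msg))

    for name in BOOL_ATTRS:
        if name in assertion.attrib and _flag(assertion, name, "false") is None:
            err(f"{name} must be 'true' or 'false', got {assertion.get(name)!r}")

    order = assertion.get("messageProtectionOrder")
    if order is None:
        err("messageProtectionOrder is required")
    elif order not in PROTECTION_ORDERS:
        err(f"unknown messageProtectionOrder {order!r}")

    ttl = assertion.get("ttlInSeconds")
    if ttl is not None and (not ttl.isdigit() or int(ttl) == 0):
        err(f"ttlInSeconds must be a positive integer, got {ttl!r}")

    establish = _flag(assertion, "establishSecurityContext", "false")
    if assertion.get("serviceActor", "") and establish:
        err("serviceActor is set, so establishSecurityContext must be false")
    if _flag(assertion, "renewExpiredSecurityContext", "false") and not establish:
        warn("renewExpiredSecurityContext has no effect while establishSecurityContext is false")
    if establish:
        warn("secure conversation enabled: review the Remarks on EncryptedKey reuse "
             "against the security token service")

    # <protection> rules: requestAction unique, at most one element without requestAction
    seen, defaults = set(), 0
    for prot in assertion.findall("protection"):
        action = prot.get("requestAction")
        if action is None:
            defaults += 1
        elif action in seen:
            err(f"duplicate requestAction {action!r} across <protection> elements")
        else:
            seen.add(action)
    if defaults > 1:
        err("only one <protection> element may omit requestAction")

    if assertion.find("serviceToken") is None:
        warn("no <serviceToken>: the X509SecurityToken must be supplied in code")
    return findings


def lint_policy(xml_text):
    """Map each <policy name> to the findings of its anonymousForCertificateSecurity assertions."""
    root = ET.fromstring(xml_text)
    report = {}
    for policy in root.iter("policy"):
        findings = []
        for assertion in policy.findall(ASSERTION):
            findings.extend(lint_assertion(assertion))
        report[policy.get("name")] = findings
    return report


# Constructed sample: a clean policy (attribute values from the page's example) and a broken one.
SAMPLE_POLICIES = """<policies>
  <policy name="Clean">
    <anonymousForCertificateSecurity establishSecurityContext="false"
        requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt"
        requireDerivedKeys="true">
      <serviceToken>
        <x509 storeLocation="LocalMachine" storeName="My"
              findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection requestAction="http://example.invalid/Echo">
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      </protection>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
      </protection>
    </anonymousForCertificateSecurity>
  </policy>
  <policy name="Broken">
    <anonymousForCertificateSecurity establishSecurityContext="true"
        serviceActor="http://example.invalid/router" messageProtectionOrder="EncryptBeforeSign"
        ttlInSeconds="0" requireDerivedKeys="yes">
      <protection />
      <protection />
      <protection requestAction="http://example.invalid/Echo" />
      <protection requestAction="http://example.invalid/Echo" />
    </anonymousForCertificateSecurity>
  </policy>
</policies>"""

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_POLICIES).items():
        print(name, "OK" if not findings else "")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Run it against a policy file by passing the file contents to lint_policy; errors are violations of rules this page states, warnings are settings that are legal but either ineffective or worth a second look.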

SOAP requests sent by the client and SOAP responses sent by the Web service are protected as specified in the following table.

SOAP message Protection Description

SOAP request

Digital Signature

The SOAP message parts specified in the <request> child element of the <protection> element are digitally signed using an EncryptedKeyToken security token that is created using the Web service's X509SecurityToken security token.

SOAP request

Encryption

The SOAP message parts specified in the <request> child element of the <protection> element are encrypted using an EncryptedKeyToken security token that is created using the Web service's X509SecurityToken security token.

SOAP response

Digital Signature

The SOAP message parts specified in the <response> or <fault> child elements of the <protection> element are digitally signed using the EncryptedKeyToken security token that encrypted the SOAP request.

SOAP response

Encryption

The SOAP message parts specified in the <response> or <fault> child elements of the <protection> element are encrypted using the EncryptedKeyToken security token that encrypted the SOAP request.

Example

The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token. The code example defines a policy assertion named ServerPolicy that specifies that an X509SecurityToken security token is used to digitally sign the SOAP message and to encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and to encrypt the <body> element are not the same keys, but rather are derived from the same key.

<policies>
  <extensions>
    <extension name="anonymousForCertificateSecurity" type="Microsoft.Web.Services3.Design.AnonymousForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ServerPolicy">
    <anonymousForCertificateSecurity
      establishSecurityContext="false"
      renewExpiredSecurityContext="true"
      requireSignatureConfirmation="false"
      messageProtectionOrder="SignBeforeEncrypt"
      requireDerivedKeys="true" >
      <serviceToken>
        <x509
          storeLocation="LocalMachine"
          storeName="My"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response 
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </anonymousForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>
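The messageProtectionOrder attribute and the derived-key statement in the example above can be illustrated with a small sign-then-encrypt model. The code below is an added example, not WSE code and not part of the original page: HMAC-SHA256 stands in for the XML Signature, a SHA-256 counter-mode keystream is a toy cipher standing in for XML Encryption, and the signing and encryption keys are derived from one constructed master key as the example's text describes. The function names, labels and sample message are the author's own; none of this is suitable for real use.

```python
"""Model the two messageProtectionOrder values with per-purpose derived keys.

Added example, not WSE code: HMAC-SHA256 replaces XML Signature and a SHA-256
counter keystream replaces XML Encryption (toy cipher, illustration only).
"""
import hashlib
import hmac

SIGN_BEFORE_ENCRYPT = "SignBeforeEncrypt"
SIGN_BEFORE_ENCRYPT_AND_ENCRYPT_SIGNATURE = "SignBeforeEncryptAndEncryptSignature"


def derive_key(master: bytes, label: bytes) -> bytes:
    """Derive a per-purpose key from one master key (stand-in for a DerivedKeyToken)."""
    return hmac.new(master, label, hashlib.sha256).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter keystream; applying it twice decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def protect(body: bytes, master: bytes, order: str) -> dict:
    """Build the on-the-wire message: sign the plaintext body first, then encrypt."""
    signature = hmac.new(derive_key(master, b"sign"), body, hashlib.sha256).digest()
    message = {"EncryptedBody": toy_cipher(derive_key(master, b"enc-body"), body)}
    if order == SIGN_BEFORE_ENCRYPT:
        message["Signature"] = signature  # signature value travels in the clear
    elif order == SIGN_BEFORE_ENCRYPT_AND_ENCRYPT_SIGNATURE:
        # separate derived key so the signature and body never share a keystream
        message["EncryptedSignature"] = toy_cipher(derive_key(master, b"enc-sig"), signature)
    else:
        raise ValueError(f"unknown messageProtectionOrder {order!r}")
    return message


def unprotect(message: dict, master: bytes) -> bytes:
    """Reverse the order: decrypt, then verify the signature over the recovered body.

    Raises ValueError when the signature does not match (tampered or wrong key).
    """
    body = toy_cipher(derive_key(master, b"enc-body"), message["EncryptedBody"])
    if "Signature" in message:
        signature = message["Signature"]
    else:
        signature = toy_cipher(derive_key(master, b"enc-sig"), message["EncryptedSignature"])
    expected = hmac.new(derive_key(master, b"sign"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature verification failed")
    return body


def signature_visible_on_wire(message: dict) -> bool:
    """True when an observer of the message sees the signature value (SignBeforeEncrypt)."""
    return "Signature" in message


if __name__ == "__main__":
    master = b"constructed-master-key"          # constructed sample key
    body = b"<Body>transfer 10</Body>"          # constructed sample SOAP body
    for order in (SIGN_BEFORE_ENCRYPT, SIGN_BEFORE_ENCRYPT_AND_ENCRYPT_SIGNATURE):
        wire = protect(body, master, order)
        print(order, "signature visible:", signature_visible_on_wire(wire),
              "roundtrip ok:", unprotect(wire, master) == body)
```

With a real XML Signature the visible part is not a keyed MAC but the SignedInfo block, which carries unkeyed digests of the signed parts; SignBeforeEncryptAndEncryptSignature exists to keep those digests, and the identity of the signer, out of view of anyone who can read the message in transit.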

See Also

Reference

<serviceToken> Element (Policy)
<protection> Element
<policy> Element
X509SecurityToken