<BaseToken> Element
Specifies the base token for a SecurityContextToken security token.
<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET)
      <Confidentiality> Element
        <KeyInfo> Element (WSE for Microsoft .NET)
          <SecurityToken> Element
            <Claims> Element
              <BaseToken> Element
<policyDocument> Element
  <policies> Element
    <Policy> Element (WSE for Microsoft .NET)
      <Integrity> Element
        <TokenInfo> Element
          <SecurityToken> Element
            <Claims> Element
              <BaseToken> Element
<wse:BaseToken>
  <wssp:SecurityToken
    xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
  </wssp:SecurityToken>
</wse:BaseToken>
Attributes and Elements
Attributes
None.
Child Elements
Element | Description |
---|---|
<SecurityToken> Element | Required element. The base token that must have been sent in the security token request for a SecurityContextToken security token. |
Parent Elements
Element | Description |
---|---|
<Claims> Element | Specifies requirements that are specific to a security token type. |
Remarks
Use the <BaseToken> element when SOAP messages are sent to or received by Web services that issue SecurityContextToken security tokens. When the <BaseToken> element is used in the target Web service's policy, policy can enforce that the base token sent in the security token request matches the base token specified in the <BaseToken> element.
When policy is used to verify that security token requests sent to Web services that issue SecurityContextToken security tokens include a specific base token, two policy assertions must be defined: one for security token requests and one for SOAP requests sent to the Web service. Two <operation> elements are required to accomplish this, but either one or two <endpoint> elements are required, depending on how the Web service is configured. When the <autoIssueSecurityContextToken> element is used to automatically issue SecurityContextToken security tokens, the Web service and the security token service share the same endpoint, so only one <endpoint> element is needed. Requests sent to the endpoint are differentiated by their SOAP action. Therefore, the policy mapping for the security token service is specified using an <operation> element whose requestAction attribute is set to https://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT. All other <operation> elements have a requestAction attribute set to the SOAP action for the Web service method, as specified in the Web service's WSDL file.
Example
The following code example is a policy file for a target Web service that issues SecurityContextToken security tokens. The policy requires that security token requests sent to the https://www.contoso.com/SecureConvService.asmx endpoint include a base token that is a UsernameToken security token. SOAP requests sent to the Web service must be signed and encrypted using the issued SecurityContextToken security token.
Note
This code example is designed to demonstrate WSE features and is not intended for production use.
<?xml version="1.0" encoding="utf-8" ?>
<policyDocument xmlns="https://schemas.microsoft.com/wse/2003/06/Policy">
  <mappings>
    <endpoint uri="https://www.contoso.com/SecureConvService.asmx">
      <operation
        requestAction="http://stockservice.contoso.com/StockQuoteRequest">
        <!-- Requests must be signed and encrypted with an SCT -->
        <request policy="#SignAndEncryptWithSCT" />
        <!-- Responses must be signed and encrypted with an SCT -->
        <response policy="#SignAndEncryptWithSCT" />
        <!-- No policy for faults -->
        <fault policy="" />
      </operation>
      <!--
        The following section describes the policy requirements for the
        SCT issuing service. The built-in SecurityContextTokenManager
        will send requests to an SCT's token issuer as described in policy,
        and the following policy mapping demonstrates how to use policy to
        make sure the requests get signed with an appropriate base token.
      -->
      <operation
        requestAction="https://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT">
        <request policy="#SignWithUsernameToken" />
        <response policy="" />
        <fault policy="" />
      </operation>
    </endpoint>
  </mappings>
  <policies
    xmlns:wsa="https://schemas.xmlsoap.org/ws/2004/03/addressing"
    xmlns:wse="https://schemas.microsoft.com/wse/2003/06/Policy"
    xmlns:wsp="https://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wssp="https://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <!--
      This policy is used for the target Web service. It requires
      the body and addressing headers to be signed with the
      SecurityContextToken and the body to be encrypted with the token.
    -->
    <wsp:Policy wsu:Id="SignAndEncryptWithSCT">
      <!--
        MessagePredicate is used to require the headers.
        This assertion should be used along with the
        Integrity assertion when the presence of the
        signed element is required.
        NOTE: this assertion doesn't do anything for
        enforcement (send-side) policy.
      -->
      <wsp:MessagePredicate
        Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()
      </wsp:MessagePredicate>
      <!--
        Integrity is used to require the headers to be signed.
        Note that only an authenticated SCT token is
        required. Many Web services will also use the token
        for authorization, such as by using the <wse:Role>
        claim.
      -->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <wssp:SecurityToken wse:IdentityToken="true">
            <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken wse:IdentityToken="true">
                  <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType>
                  <wssp:Claims>
                    <wse:BaseToken>
                      <wssp:SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
                        <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                      </wssp:SecurityToken>
                    </wse:BaseToken>
                  </wssp:Claims>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wse:Timestamp() wse:Addressing() wsp:Body()
        </wssp:MessageParts>
      </wssp:Integrity>
      <!--
        Confidentiality is used to require that the body be encrypted
        with the SCT.
      -->
      <wssp:Confidentiality wsp:Usage="wsp:Required">
        <wssp:KeyInfo>
          <wssp:SecurityToken wse:IdentityToken="true">
            <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
            <wssp:Claims>
              <wse:Parent>
                <wssp:SecurityToken wse:IdentityToken="true">
                  <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType>
                  <wssp:Claims>
                    <wse:BaseToken>
                      <wssp:SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
                        <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
                      </wssp:SecurityToken>
                    </wse:BaseToken>
                  </wssp:Claims>
                </wssp:SecurityToken>
              </wse:Parent>
            </wssp:Claims>
          </wssp:SecurityToken>
        </wssp:KeyInfo>
        <wssp:MessageParts
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wsp:Body()
        </wssp:MessageParts>
      </wssp:Confidentiality>
    </wsp:Policy>
    <!--
      This policy is used for the token issuer service. It requires
      the body and addressing headers to be signed with a
      UsernameToken.
    -->
    <wsp:Policy wsu:Id="SignWithUsernameToken">
      <!--
        MessagePredicate is used to require the headers.
        This assertion should be used along with the
        Integrity assertion when the presence of the
        signed element is required.
        NOTE: this assertion doesn't do anything for
        enforcement (send-side) policy.
      -->
      <wsp:MessagePredicate
        Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
        wsp:Body() wsp:Header(wsa:To) wsp:Header(wsa:Action) wsp:Header(wsa:MessageID) wse:Timestamp()
      </wsp:MessagePredicate>
      <!--
        Integrity is used to require the headers to be signed.
        Note that only an authenticated username token is
        required. Many Web services will also use the token
        for authorization, such as by using the <wse:Role>
        claim.
      -->
      <wssp:Integrity wsp:Usage="wsp:Required">
        <wssp:TokenInfo>
          <SecurityToken xmlns="https://schemas.xmlsoap.org/ws/2002/12/secext">
            <wssp:TokenType>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken</wssp:TokenType>
          </SecurityToken>
        </wssp:TokenInfo>
        <wssp:MessageParts
          Dialect="https://schemas.xmlsoap.org/2002/12/wsse#part">
          wse:Timestamp() wse:Addressing() wsp:Body()
        </wssp:MessageParts>
      </wssp:Integrity>
    </wsp:Policy>
  </policies>
</policyDocument>
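As an added audit helper (not WSE code and not part of the page's own example), the following Python uses xml.etree to walk a policy file like the one above and confirm both requirements the Remarks describe: the RST/SCT operation's request policy must require a UsernameToken signature, and every other operation's policy must pin the SCT's <wse:BaseToken> to a UsernameToken. The namespace URIs, SOAP actions, endpoint and the trimmed sample policy are taken from this page; the audit function and its finding strings are my own construction.

```python
# Added audit helper (not WSE code): check that a WSE 2.0 policy file pins the SCT base token
# to a UsernameToken and requires UsernameToken signing on the RST/SCT issuance request.
import xml.etree.ElementTree as ET

NS = {"wse": "https://schemas.microsoft.com/wse/2003/06/Policy",
      "wsp": "https://schemas.xmlsoap.org/ws/2002/12/policy",
      "wssp": "https://schemas.xmlsoap.org/ws/2002/12/secext",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
USERNAME = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"
SCT_ACTION = "https://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT"
# Where the UsernameToken must appear: the signing token of the issuance request, or the
# <wse:BaseToken> nested inside the SCT's claims for ordinary service requests.
SIGNER_PATH = "wssp:Integrity/wssp:TokenInfo/wssp:SecurityToken/wssp:TokenType"
BASE_PATH = ".//wse:BaseToken/wssp:SecurityToken/wssp:TokenType"

# Constructed sample: the page's policy file reduced to its Integrity assertions.
SAMPLE = f"""<policyDocument xmlns="{NS['wse']}">
 <mappings><endpoint uri="https://www.contoso.com/SecureConvService.asmx">
  <operation requestAction="http://stockservice.contoso.com/StockQuoteRequest"><request policy="#SignAndEncryptWithSCT"/></operation>
  <operation requestAction="{SCT_ACTION}"><request policy="#SignWithUsernameToken"/></operation>
 </endpoint></mappings>
 <policies xmlns:wse="{NS['wse']}" xmlns:wsp="{NS['wsp']}" xmlns:wssp="{NS['wssp']}" xmlns:wsu="{NS['wsu']}">
  <wsp:Policy wsu:Id="SignAndEncryptWithSCT"><wssp:Integrity><wssp:TokenInfo><wssp:SecurityToken>
   <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/dk</wssp:TokenType>
   <wssp:Claims><wse:Parent><wssp:SecurityToken>
    <wssp:TokenType>https://schemas.xmlsoap.org/ws/2004/04/security/sc/sct</wssp:TokenType>
    <wssp:Claims><wse:BaseToken><wssp:SecurityToken><wssp:TokenType>{USERNAME}</wssp:TokenType></wssp:SecurityToken></wse:BaseToken></wssp:Claims>
   </wssp:SecurityToken></wse:Parent></wssp:Claims></wssp:SecurityToken></wssp:TokenInfo></wssp:Integrity></wsp:Policy>
  <wsp:Policy wsu:Id="SignWithUsernameToken"><wssp:Integrity><wssp:TokenInfo>
   <wssp:SecurityToken><wssp:TokenType>{USERNAME}</wssp:TokenType></wssp:SecurityToken>
  </wssp:TokenInfo></wssp:Integrity></wsp:Policy>
 </policies></policyDocument>"""

def _policy(root, ref):
    """Resolve a '#Id' policy reference to its wsp:Policy element (None if absent)."""
    return next((p for p in root.iter(f"{{{NS['wsp']}}}Policy")
                 if p.get(f"{{{NS['wsu']}}}Id") == ref.lstrip("#")), None)

def audit(policy_xml):
    """Map each operation's requestAction to None (passes) or a finding string."""
    root, findings = ET.fromstring(policy_xml), {}
    for op in root.iter(f"{{{NS['wse']}}}operation"):
        action = op.get("requestAction")
        req = op.find("wse:request", NS)
        pol = _policy(root, req.get("policy", "")) if req is not None else None
        path = SIGNER_PATH if action == SCT_ACTION else BASE_PATH
        found = {(t.text or "").strip() for t in pol.findall(path, NS)} if pol is not None else set()
        findings[action] = None if USERNAME in found else f"UsernameToken not required at {path}"
    return findings
```

Run audit(SAMPLE) against the sample, or feed it the text of a deployed policy file; a dangling policy reference is reported as a finding rather than silently passing.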
See Also
Reference
<SecurityToken> Element
<Claims> Element