<clientToken> Element
Specifies the security token that authenticates the client.
<policies> Element
<policy> Element (Policy)
<anonymousForCertificateSecurity> Element
<clientToken>
  <username />
  <x509 />
</clientToken>
Attributes and Elements
Attributes
None.
Child Elements
Element | Description |
---|---|
<username> | Specifies the details for creating a new UsernameToken instance. |
<x509> | Specifies the details about an X509SecurityToken security token. |
Parent Elements
Element | Description |
---|---|
<mutualCertificate10Security> | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion. |
<mutualCertificate11Security> | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.1 is required for this assertion. |
<usernameForCertificateSecurity> | Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is authenticated using a UsernameToken security token. WS-Security 1.1 is required for this assertion. |
<usernameOverTransportSecurity> | Represents a turnkey security assertion that authenticates the client using a UsernameToken security token. The SOAP message is not encrypted or digitally signed, so a secure transport should be used with this assertion. WS-Security 1.1 or 1.0 can be used with this assertion. |
Remarks
Use the <clientToken> element with the following turnkey security assertions:
- <mutualCertificate10Security> Element
- <mutualCertificate11Security> Element
- <usernameForCertificateSecurity> Element
- <usernameOverTransportSecurity> Element
Note
The child element of the <clientToken> element is extensible. Instead of being one of the default child elements, the child element may be an element that represents a custom security token provider. The custom security token provider must be a generic type with a constraint that matches the turnkey security assertion. That is, if the turnkey security assertion expects an X509SecurityToken security token, then the generic type must have an X509TokenProvider constraint. Likewise, if the turnkey security assertion expects a UsernameToken security token, then the generic type must have a UsernameTokenProvider constraint. Additionally, the security token provider must be able to parse the custom XML element and must be registered in the policy file using an <extension> element.
Example
The following code example demonstrates how to secure a SOAP message exchange using the mutualCertificate11Security turnkey security assertion. The sender's X.509 certificate is specified in the <clientToken> element.
<policies>
  <extensions>
    <extension name="mutualCertificate11Security" type="Microsoft.Web.Services3.Design.MutualCertificate11Assertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <mutualCertificate11Security
        establishSecurityContext="false"
        renewExpiredSecurityContext="true"
        signatureConfirmation="false"
        protectionOrder="SignBeforeEncrypting"
        deriveKeys="true" >
      <clientToken>
        <x509
            storeLocation="CurrentUser"
            storeName="My"
            findValue="CN=WSE2QuickStartClient"
            findType="FindBySubjectDistinguishedName" />
      </clientToken>
      <serviceToken>
        <x509
            storeLocation="CurrentUser"
            storeName="AddressBook"
            findValue="CN=WSE2QuickStartServer"
            findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
            signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
            encryptBody="true" />
        <response
            signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
            encryptBody="true" />
        <fault
            signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
            encryptBody="false" />
      </protection>
    </mutualCertificate11Security>
    <requireActionHeader />
  </policy>
</policies>
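The pairing rules in the Parent Elements table and the Note can be checked mechanically before a policy file is deployed. The following Python audit is an added example, not part of the original documentation or of WSE; the function names, the `corpToken` extension and the sample policy are hypothetical, and it assumes each <clientToken> holds exactly one token provider element.

```python
import xml.etree.ElementTree as ET

# Client token each assertion expects, per the Parent Elements table.
EXPECTED = {
    "mutualCertificate10Security": "x509",
    "mutualCertificate11Security": "x509",
    "usernameForCertificateSecurity": "username",
    "usernameOverTransportSecurity": "username",
}

def local(tag):  # drop any XML namespace so the check works with or without xmlns
    return tag.rsplit("}", 1)[-1]

def audit_policy(xml_text):
    """Return (policy, assertion, severity, message) findings about <clientToken>."""
    root = ET.fromstring(xml_text)
    registered = {e.get("name") for e in root.iter() if local(e.tag) == "extension"}
    findings = []
    for policy in (p for p in root.iter() if local(p.tag) == "policy"):
        for assertion in policy:
            kind, want = local(assertion.tag), EXPECTED.get(local(assertion.tag))
            if want is None:
                continue  # not one of the four turnkey assertions
            def add(severity, message):
                findings.append((policy.get("name"), kind, severity, message))
            children = [local(c.tag) for t in assertion if local(t.tag) == "clientToken" for c in t]
            if len(children) != 1:  # assumption: exactly one token provider
                add("error", f"expected one client token, found {len(children)}")
            elif children[0] in ("x509", "username"):
                if children[0] != want:
                    add("error", f"<{children[0]}> given, <{want}> expected")
            elif children[0] in registered:
                add("review", f"custom <{children[0]}>: confirm its {want} token provider constraint")
            else:
                add("error", f"<{children[0]}> is not registered in <extensions>")
            if kind == "usernameOverTransportSecurity":
                add("review", "message is not signed or encrypted: require secure transport")
    return findings

# Constructed sample policy; corpToken and its type are hypothetical.
SAMPLE = """<policies>
  <extensions><extension name="corpToken" type="Example.CorpTokenProvider, Example" /></extensions>
  <policy name="A"><mutualCertificate11Security>
    <clientToken><username /></clientToken></mutualCertificate11Security></policy>
  <policy name="B"><usernameOverTransportSecurity>
    <clientToken><corpToken /></clientToken></usernameOverTransportSecurity></policy>
</policies>"""

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE): print(finding)
```

A "review" finding marks something the policy file alone cannot prove: the generic constraint of a custom provider, or the transport protection that <usernameOverTransportSecurity> relies on.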
See Also
Tasks
How to: Secure a Web Service Using a Policy File
Reference
<x509> Element
<protection> Element
<policy> Element
X509SecurityToken