<serviceToken> Element (Policy)
Specifies the X509SecurityToken security token that protects the SOAP messages.
<policies> Element
<policy> Element (Policy)
<anonymousForCertificateSecurity> Element
<serviceToken>
  <x509 />
</serviceToken>
Attributes and Elements
Attributes
None.
Child Elements
Element | Description |
---|---|
<x509> Element (Policy) | Specifies details about an X509SecurityToken security token. |
Parent Elements
Element | Description |
---|---|
<anonymousForCertificateSecurity> Element | Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is not authenticated. WS-Security 1.1 is required for this assertion. |
<mutualCertificate10Security> Element | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.0 and 1.1 can be used with this assertion. |
<mutualCertificate11Security> Element | Represents a turnkey security assertion that uses X509SecurityToken security tokens to authenticate the client and protect SOAP messages. WS-Security 1.1 is required for this assertion. |
<usernameForCertificateSecurity> Element | Represents a turnkey security assertion that uses an X509SecurityToken security token to protect SOAP messages. The client is authenticated using a UsernameToken security token. WS-Security 1.1 is required for this assertion. |
Remarks
Use the <serviceToken> element with the <anonymousForCertificateSecurity> Element, <mutualCertificate10Security> Element, <mutualCertificate11Security> Element, or <usernameForCertificateSecurity> Element turnkey security assertion to specify the Web service's X509SecurityToken security token. WSE provides the <x509> Element (Policy) to specify the details of the security token.
The <serviceToken> element can only be used with one of the Turnkey Security Assertions. It does not work with custom security assertions.
Note
The child element of the <serviceToken> element is extensible. Instead of being one of the default child elements, the child element may be an element that represents a custom security token provider. The custom security token provider must be a generic type with an X509TokenProvider constraint. Additionally, the security token provider must be able to parse the custom XML element and be registered in the policy file using an <extension> Element.
Example
The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token for protection and a UsernameToken security token for client authentication. The code example defines a policy assertion named ClientPolicy that specifies that an X509SecurityToken security token is used to digitally sign the SOAP message and to encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and to encrypt the <body> element are not the same keys, but rather are derived from the same key. In the following code example, the user name and password need to be added in code.
<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
      type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ClientPolicy">
    <usernameForCertificateSecurity
      establishSecurityContext="false"
      renewExpiredSecurityContext="true"
      signatureConfirmation="false"
      protectionOrder="SignBeforeEncrypting"
      deriveKeys="true" >
      <serviceToken>
        <x509
          storeLocation="CurrentUser"
          storeName="AddressBook"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>
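The placement rules from the Remarks and Note (a <serviceToken> is valid only inside a turnkey assertion, and a custom child element must be registered through an <extension> element) can be checked before a policy file is deployed. The following Python linter is an added example, not part of WSE or of the original page; it assumes x509 is the default child element, and the BrokenPolicy, customAssertion and hsmToken names in its sample are invented.

```python
import xml.etree.ElementTree as ET

# Turnkey assertions the page lists as the only valid parents of <serviceToken>.
TURNKEY = {"anonymousForCertificateSecurity", "mutualCertificate10Security",
           "mutualCertificate11Security", "usernameForCertificateSecurity"}

def local(tag):
    """Drop a '{namespace}' prefix so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def check_service_tokens(policy_xml):
    """Return (policy name, problem) tuples for each misplaced or unresolvable <serviceToken>."""
    root = ET.fromstring(policy_xml)
    # Names registered through <extension>; x509 is assumed to be the default child.
    known = {"x509"} | {e.get("name") for e in root.iter() if local(e.tag) == "extension"}
    findings = []
    for policy in (e for e in root.iter() if local(e.tag) == "policy"):
        name = policy.get("name")
        parent_of = {child: parent for parent in policy.iter() for child in parent}
        for tok in (e for e in policy.iter() if local(e.tag) == "serviceToken"):
            parent = local(parent_of[tok].tag)
            if parent not in TURNKEY:
                findings.append((name, f"serviceToken under non-turnkey <{parent}>"))
            if len(tok) == 0:
                findings.append((name, "serviceToken has no token provider child"))
            for child in tok:
                if local(child.tag) not in known:
                    findings.append((name, f"child <{local(child.tag)}> is not registered"))
    return findings

# Constructed sample: ClientPolicy follows the page's example (type values replaced
# by a placeholder); BrokenPolicy is invented to trigger both checks.
SAMPLE = """<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="(placeholder)" />
    <extension name="x509" type="(placeholder)" />
  </extensions>
  <policy name="ClientPolicy">
    <usernameForCertificateSecurity deriveKeys="true">
      <serviceToken><x509 storeLocation="CurrentUser" storeName="AddressBook"
        findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" /></serviceToken>
    </usernameForCertificateSecurity>
  </policy>
  <policy name="BrokenPolicy">
    <customAssertion><serviceToken><hsmToken slot="0" /></serviceToken></customAssertion>
  </policy>
</policies>"""

if __name__ == "__main__":
    for policy_name, problem in check_service_tokens(SAMPLE):
        print(f"{policy_name}: {problem}")
```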
See Also
Reference
<x509> Element (Policy)
<protection> Element
<policy> Element
X509SecurityToken