.Net ramblings
# Wednesday, 03 November 2004
using the same WSE2 web service with 2 different policies..

did you know you can configure multiple policies for the same web service?  it's possible because endpoint uri's are case-sensitive, so you can have WebService1.asmx and WEBSERVICE1.asmx, which are treated as separate web services in the policyCache.config file. see the sample below:

<endpoint uri="http://localhost/winDB.asmx">
 <defaultOperation>
  <request policy="#username-token-signed" />
  <response policy="" />
  <fault policy="" />
 </defaultOperation>
</endpoint>

<endpoint uri="http://localhost/WINDB.asmx">
 <defaultOperation>
  <request policy="" />
  <response policy="" />
  <fault policy="" />
 </defaultOperation>
</endpoint>

the first one uses a username-token-signed policy for authentication.  clients who wish to use this policy must have a reference to the web service matching the case of the endpoint uri exactly. 

the second endpoint has no policy enforcements and this means even a non-WSE request can use the web service.

some WSE implementations, (especially custom username tokens..) will have a method like "checkAuth()" that every web method calls at the start to verify programattically that the message obeys the rules.  this method throws soap faults for any missing WSE elements in the message header.  in my case, i want to allow requests originating from the web server itself (.aspx pages using the web methods) to bypass the authentication checks, so i put the following lines of code at the top of my "checkAuth()" method to allow requests made on the same server to go through:

// allow local ws requests to bypass security
if(HttpContext.Current.Request.ServerVariables["REMOTE_ADDR"].ToString() == "127.0.0.1")
  return;  // skip further checks

i could also invoke the web methods using the web service class directly, (not go through a web service proxy) because it's within the same assembly, but i'm sure there are circumstances where this approach may prove useful.  if you find any, post them here as a comment, i'd be interested to hear.  


Wednesday, 03 November 2004 17:43:16 (GMT Standard Time, UTC+00:00)  #    Comments [0]  Asp.Net