Thank you to everyone who attended the webcast this morning on interop. I wanted to share with you some resources I have on interoperability, and some future plans happening at IASA.

First, resources:

• My latest article on The Server Side .NET summarizes my webcast demonstrations and more...plus links to the code: http://www.dasblonde.net/CategoryView.aspx?category=Interoperability#a96e93182-d627-4625-b671-9b024c9381d0
• Architcture podcast on WS*, see podcast 1-4 here: http://www.microsoft.com/architecture/default.aspx?pid=share.podcast&abver=FEEB2E89-4412-4C58-A7F8-9B2CA0E0BDAC
• WSE links that have code showing off customization of WSE for interop among other things:
• http://www.dasblonde.net/PermaLink.aspx?guid=b2518a69-c715-49e9-b2bc-e71415263032
• http://www.dasblonde.net/PermaLink.aspx?guid=e3db75c6-02c5-4b0d-a681-b733035f112f

IASA plans:

• Earlier this year I kicked off 3 interop events for IASA (International Association of Software Architects). They were user group driven events, where java and .NET communities (among others) united to enjoy some human interop as well as get some top notch interop experts to show their stuff. If your user groups want to do this locally, IASA can help. And don't worry, we are non-profit...and the events can be free if there is enough support of the community and sponsorship. All we need is to get the user group leads to buy in and say “we want an interop event too!!!“
• We are building knowledge communities (just now!) related to architecture, including interop...I have not had a chance to post much there yet (blogs links, articles) but we 'd love to get your feedback, and referrals if you run across something poingnant that should be referenced here...let me know and participate in the growth of the community resource!

More stuff...

• I found some very interesting things as I tested WSE 3.0 and Workshop 8.1 SP5 - keep an eye on this blog for more on that!
• WebLogic 9.0 is the go forward stack to use, since it supports more WS* and will have an integrated IDE summer-ish 2006...to replace Workshop today. Use Workshop if you need WS* today and can't take the time to be a plumber...if you can, use the WL 9.0 stack now (already released with better WS-Security among other standards support)
• We have another big interop event coming at SD West 2006, so you can expect some content out of that one in Q1 2006, including some of the original Apache Axis founding members helping us out!

Just a quick post to let you know about a new article I completed for TheServerSide.NET...enjoy:

http://www.theserverside.net/articles/showarticle.tss?id=InteropWSE

For example, creating a new example with the UsernameToken security token, based on the OASIS WS-Security standard, requires some minor adjustments to your web.config settings. Previously, when you configure a custom security token manager to handle <wsse:UsernameToken>, you would add the following <securityTokenManager> element:

Of course the namespace and qualified name of the OASIS WSS UsernameToken profile haven't changed, but the way ASP.NET 2.0 handles application assemblies has, along with the WSE 3.0 configuration schema.

First point: ASP.NET no longer has a single application assembly (DLL) for the application code. You can't count on a specifically named assembly like MyWSE30Service.DLL to be deployed to the \bin directory. In fact several assemblies are generated from the Web site source, and the assembly names are dynamically generated. So, you can't specify the name of the assembly in the type attribute of the <securityTokenManager> element, the custom token manager type is compiled with the ASP.NET application code. In this case the type attribute should only include the fully qualified type name with its full namespace.  And, you'll be glad to know that when you sign the Web site application output assemblies, the setting remains the same.

For types that are compiled into a separate assembly, then referenced, the traditional format for the type attribute would be used. The fuly qualified namespace and assembly name are provided for unsigned assemblies. For signed assemblies provide the full assembly name which includes version, culture, and public key token.

Second point: there is a new namespace attribute, and qname has changed to localname...and they aren't the same thing. Qname refers to a fully qualified XML name which means namespace and local name. Now, the QName property of the SecurityTokenManager at runtime can be generated from the namespace and localname in configuration.

Third point: with WSE 3.0 you can configure more than one token manager for each type of security token manager (binary or XML). THis changes the configuration schema for <securityTokenManager> which now supports the traditional pattern of add, remove, clear - as discussed in the WSE 3.0 specification:

<securityTokenManager>
<add localName namespace type />
<remove localName namespace />
<clear />
</securityTokenManager >

And so now your custom UsernameTokenManager should be configured like this:

Of course, you could just read through the WSE 3.0 documentation to find these things out...but I betcha browsed the Web first, so here ya go...

Thanks very much to everyone who attended this talk in Orlando. The demonstration code can be found here:

WSESecurityDemo_MemberRoles.zip

You’ll also notice that there is some set up required to run the code, so be sure and review the readme document for those instructions. The sample uses the 1.1 version of the MemberRoles API.

I also have a resource site where other WSE samples have been posted, many that do not require the database setup:

http://www.dotnetdashboard.net/resources/wse.aspx

This may help those of you that are newer to the subject get your arms around it as well.

In this talk I demonstrated the following WSE 2.0 example for WS-Security implementation, followed by a demonstration of .NET and BEA interoperability. The BEA interoperability sample is available from the InteropWarriors site, however keep in mind that this requires you to set up a BEA Workshop 8.1 machine, and deploy the project files accordingly. The .NET examples shows the end to end code used for WS-Security that is also demonstrated with Workshop sandwiched in the middle, so this will still be useful to you for the .NET perspective.

WSESecurityDemo_MemberRoles.zip

I also have a resource site where other WSE samples have been posted, many that do not require the database setup:

http://www.dotnetdashboard.net/resources/wse.aspx

This may help those of you that are newer to the subject get your arms around it as well.

Yesterday I whipped over to Arizona to deliver an INETA (www.ineta.org) presentation for the Arizona .NET User Group run by Scott Cates (who I didn't realize, even thought we have met several times, is the owner of www.kbalerts.com!). My fellow RD Michael J. Palermo dropped in as well, you know, the one that wrote the hilarious Valentine's Day blog:

I was shocked to arrive and find that people (like Scott) are still somehow finding my 1996 glam shot photo, the one with all the big hair, and posting it in places (like their user group site) that I'm not aware of. THis is crazy, when will that photo go away! It only demonstrates that I still had 80's hair in the 90's...how embarrassing!!! Ok, well it's not that big of a deal...but I always laugh when I see that thing...what people must be thinking!

On to more serious matters, the PDF for my presentation, and my reference materials for the group after my talk. Here are the links you are looking for.

My PDF with slides for this event: wsesecurity_arizonaineta.zip (162.16 KB)

My resource site for WSE materials is here: http://www.dotnetdashboard.net/resources/wse.aspx. You'll find links to my WSE article for CoDe Magazine and the latest code sample link which demonstrates everything I did in the talk last night and more.

WSE 2.0 is now on SP3, so you'll want to download that: http://www.microsoft.com/downloads/details.aspx?FamilyId=1BA1F631-C3E7-420A-BC1E-EF18BAB66122&displaylang=en. Not all of my code samples are yet up to date with SP3, but the larger sample for my article is up to SP2 right now, stay tuned for changes on this site as I post more samples. Easier to go forward than go back to all my past work :)

For my interop demonstration, see www.interopwarriors.com.

For information about IDesign go to: www.idesign.net. You'll be able to find a list of all my articles on the site, plus IDesign utility downloads (not specifically for WSE, but lots of other interesting things).

I had a great time, thanks for having me present! You're fantastic hosts and a great, interactive crowd. 

Yet another review of WS-Security, where we dug into the meat of the issues, including key management issues and the benefits of WS-Trust, WS-SecureConversation, and SAML. I did demonstrate some .NET samples in this talk, and you can find code for this on this WSE resource page: http://www.dotnetdashboard.net/resources/wse.aspx

Please see this InteropWarriors blog for a new post with code samples demonstrating WS* interop.

http://www.interopwarriors.com/PermaLink.aspx?guid=8b01c523-59d6-47be-9843-139f710c5a84

If you were up at 8am for this session at VS Connections, I hope you had a coffee first because we covered a lot of ground! My resources for this talk are on this site:

http://www.dotnetdashboard.net/resources/wse.aspx

Some of my new code samples I showed you in the talk have been written with WSE SP2 (pre-release version), so I'll post those shortly once the service pack is public. Should be very very soon.

Also, you'll notice my DIME example on this site is pre SP1, I am working on an article to discuss the specifications around attachments, and will compare DIME with SwA for interoperability between platforms. Stay tuned for an update there. (this was not part of the security session, of course)

Just wanted to mention that the Interop Warriors are at it again. We have a number of events coming soon that we're beginning to prepare for, and we'll be showing off our latest in San Diego at this FREE event. For more information, check this out:

http://www.interopwarriors.com/PermaLink.aspx?guid=f3f79b24-a4df-49d2-9323-b8fb3b59b832

Thanks to everyone that attended this on Thursday night, it's one of my favorite topics! I mentioned several resources you could access now, and that I'm adding some new content for an upcoming article and an advanced presentation at Dev Connections.

For now, get my latest version of these resources here:

http://www.dotnetdashboard.net/Resources/wse.aspx

I will be updating this site with more in late October, when I formalize my new code samples. That will include my password hashing example.

Thanks again!

Tonight I'm presenting at our local .NET Developers Group in San Diego how to secure your Web services with WS-Security and WS-SecurityPolicy using WSE 2.0. I will post any new code samples or slides here for reference after the talk, but my current resources page on this subject can be found here:

http://www.dotnetdashboard.net/resources/wse.aspx

After spending the past week *immersed* in mostly ASP.NET 2.0, primarily using all the new localization features for a whitepaper I just completed (cool stuff, more on that later), today I'm *immersing* myself in my WSE 2.0 presentation content. Surely I will soon have new things to share on that subject...just a matter of time to post them between deadlines :)

In less than 10 minutes I just created a VB.NET demo for an upcoming SearchVB.com webcast, using WSE 2.0. Policy rocks! However...even though I've been through this before, once again I was momentarily baffled by the fact that my service seemed to be authorizing my UsernameToken even though I submitted a bad password. Well, that's the policy cache baby!

Steps to create the sample:

• Create a Web service project, enable WSE 2.0 extensions for the service
• Add a custom UsernameTokenManager class to handle, well, UsernameToken authentication.
• Add code to authenticate by performing a database lookup and returning the password from the AuthenticateToken method. In this case, I'm just returning password, clearly not a real example.

  Public Class CustomUsernameTokenManager
   Inherits UsernameTokenManager
  
   Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
     Return GetUserPassword(token)
    End Function
  
  End Class
  

  Even without specifying a service side policy that requires a UsernameToken, the UsernameTokenManager will be invoked on each request and will validate the <wsse:UsernameToken> element passed with any requests. You should specify a policy as a best practice

• Create a Windows Forms client, add WSE 2.0 support BEFORE you add a Web reference to the Web service just created. This ensures that you get a WSE-aware proxy class.
• Add a couple of textboxes and a button to the Form, and handle the button click event by creating an instance of the WSE-enabled proxy, and invoking the service.
• Create a policy for the client to require UsernameToken signature
• Add code BEFORE invoking the WebMethod to create a UsernameToken object, and add it to the policy cache. Note: Here you'll notice that I'm clearing the cache before adding the token to the cache. This is where you'll run into trouble since the cache is not cleared unless you explicitly clear it.

    Dim svc As New localhost.Service1Wse
    Dim userToken As New
     UsernameToken(Me.TextBox1.Text, Me.TextBox2.Text, PasswordOption.SendNone)
  
    PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()   PolicyEnforcementSecurityTokenCache.GlobalCache.Add(userToken)   Dim s As String = svc.GetSecret()

This brings up an interesting point about the policy cache. When should you populate it? When should it be cleared? Should we create policy cache managers that handle updating existing tokens when a new password is supplied?

Of course, this is a demo, so on most occasions, we wouldn't happily modifying passwords for the same user during the same session. However, a new UsernameToken is still added to the cache even if it refers to the same user, so beware of a) bloating the cache with tokens, and b) sending the wrong token (the first on in the cache wins!). In short, based on your client application, determine an efficient way to keep the cache free of junk. Perhaps store the token in the cache at login time, and reuse that token for each Web service request.