<username> Element

Specifies the details for creating a new UsernameToken instance.

<policies> Element
  <policy> Element (Policy)
    <anonymousForCertificateSecurity> Element
      <clientToken> Element

<username username password />

Microsoft.Web.Services3.Design.UsernameTokenProvider

Attributes and Elements

Attributes

Attribute    Description
username     The user name.
password     The password.

Child Elements

None

Parent Elements

Element                  Description
<clientToken> Element    Specifies the security token that authenticates the client.

Remarks

Warning

It is generally not a good security practice to place a user name and password in an unencrypted file, so you should specify the user name and password in code instead of using a <username> element. For more details about specifying the password in code, see How to: Secure a Client Using Mixed Policy and Code.

The following turnkey assertions use the <username> element:

Example

The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token for protection and a UsernameToken security token for client authentication. The code example defines a policy assertion named ClientPolicy that specifies that an X509SecurityToken security token is used to digitally sign the SOAP message and to encrypt the <body> element of the SOAP message. The keys used to generate the digital signature and to encrypt the <body> element are not the same keys, but rather are derived from the same key.

Note

The following code example does not follow good security practices and places the user name and password in the policy file.

<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="username" type="Microsoft.Web.Services3.Design.UsernameTokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="usernameOverCertificateClient">
    <usernameForCertificateSecurity
      establishSecurityContext="false"
      renewExpiredSecurityContext="true"
      signatureConfirmation="false"
      protectionOrder="SignBeforeEncrypting"
      deriveKeys="true" >
      <clientToken>
        <username username="user" password="password" />
      </clientToken>
      <serviceToken>
        <x509 storeLocation="CurrentUser" storeName="AddressBook" findValue="CN=WSE2QuickStartServer" findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <response signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="true" />
        <fault signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody" encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>
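
A check for the practice the Warning and Note above describe, as an added example that is not part of the original documentation: it parses a policy file and reports every <clientToken> whose <username> element carries credentials, without echoing the password. The function names, the trimmed sample and the second policy (mixedPolicyClient, standing in for a policy whose token is supplied in code) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the policy shown above, plus a
# hypothetical policy whose client token is supplied in code instead.
SAMPLE_POLICY = """\
<policies>
  <policy name="usernameOverCertificateClient">
    <usernameForCertificateSecurity deriveKeys="true">
      <clientToken><username username="user" password="password" /></clientToken>
    </usernameForCertificateSecurity>
  </policy>
  <policy name="mixedPolicyClient">
    <usernameForCertificateSecurity deriveKeys="true">
      <serviceToken><x509 storeLocation="CurrentUser" storeName="AddressBook" /></serviceToken>
    </usernameForCertificateSecurity>
  </policy>
</policies>
"""


def local_name(tag):
    """Strip a namespace prefix such as '{urn:example}username'."""
    return tag.rsplit("}", 1)[-1]


def find_embedded_credentials(policy_xml):
    """Report each <clientToken>/<username> that carries credential attributes."""
    findings = []
    for policy in ET.fromstring(policy_xml).iter():
        if local_name(policy.tag) != "policy":
            continue
        for assertion in policy:          # turnkey assertion, e.g. usernameForCertificateSecurity
            for token in assertion:
                if local_name(token.tag) != "clientToken":
                    continue
                for cred in token:
                    if local_name(cred.tag) == "username" and cred.attrib:
                        findings.append({
                            "policy": policy.get("name"),
                            "assertion": local_name(assertion.tag),
                            "username": cred.get("username"),
                            # Record presence only; the secret is never copied.
                            "has_password": bool(cred.get("password")),
                        })
    return findings


if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_POLICY):
        print(finding)
```

Matching on local names lets the same check work on policy files that declare a default XML namespace on the <policies> element.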

See Also

Tasks

How to: Secure a Client Using Mixed Policy and Code
How to: Secure a Web Service Using a Policy File

Reference

<clientToken> Element

Concepts

Turnkey Security Assertions