Share via


<requireActionHeader> Element

Represents a security assertion that requires the presence of the Action header for the ultimate recipient of SOAP requests sent to a Web service.

<policies> Element
  <policy> Element (Policy)

<requireActionHeader />

Microsoft.Web.Services3.Design.RequireActionHeaderAssertion

Attributes and Elements

Attributes

None

Child Elements

None

Parent Elements

Element Description

<policy> Element (Policy)

Specifies one or more SOAP message requirements.

Remarks

Use the <requireActionHeader> Element to help mitigate attacks against SOAP requests that contain the SOAPAction HTTP header, but do not include the WS-Addressing <Action> SOAP header. When WSE receives a SOAP message that does not contain an <Action> SOAP header, but does contain a SOAPAction HTTP header, it dispatches the SOAP message to the Web service method based on the SOAPAction header. The SOAPAction header, however cannot be digitally signed and thus is prone to being changed without a recipient knowing so. By contrast, the <Action> SOAP header, which WSE dispatches the SOAP message on when present by default, a Web service's policy can require to be digitally signed by including the IncludeAddressing option in the signatureOptions attribute of the <request> element. By combining the use of the <requireActionHeader> Element and requiring the <Action> header to be signed allows WSE to detect for a Web service that the action value has changed. WSE throws a SOAP fault when it detects that it has changed.

Note

Avoid using the System.Web.Services.Protocols.SoapServiceRoutingStyle.RequestElement routing style, which is not the default, because an unexpected policy might be applied to incoming SOAP requests. This problem arises when a Web service has a policy that has per-action protection requirements and the System.Web.Services.Protocols.SoapServiceRoutingStyle.RequestElement routing style, which causes ASP.NET to dispatch incoming SOAP requests to a Web service method's code base upon the first child element of the <Body> element. Per-action protection requirements are specified by using the requestAction attribute of the <protection> Element in a policy file. When the SOAP message's action is different than the name of the first child element of the <Body> element, then the policy requirements are enforced based on the action, yet the SOAP message is not dispatched to the Web service method corresponding to the action. It is dispatched to the Web service method that is named the same as the first child element of the <Body> element. To ensure the routing style is not set to RequestElement, check the RoutingStyle property of the System.Web.Services.Protocols.SoapDocumentServiceAttribute that is applied to the class implementing the ASP.NET Web service. When the RoutingStyle property is not specified, the default value is SoapAction.

Example

The following code example demonstrates how to secure a SOAP message exchange using an X509SecurityToken security token for protection and a UsernameToken security token for client authentication. The code example does two things, first it defines a policy named ServicePolicy that specifies that an X509SecurityToken security token is used to digitally sign the SOAP message; second, it encrypts the <body> element of the SOAP message. The policy requires the presence of the Action header that is intended for the ultimate recipient of the SOAP message.

<policies>
  <extensions>
    <extension name="usernameForCertificateSecurity" type="Microsoft.Web.Services3.Design.UsernameForCertificateAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="x509" type="Microsoft.Web.Services3.Design.X509TokenProvider, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <extension name="requireActionHeader"
               type="Microsoft.Web.Services3.Design.RequireActionHeaderAssertion, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </extensions>
  <policy name="ServicePolicy">
    <usernameForCertificateSecurity 
      establishSecurityContext="false" 
      renewExpiredSecurityContext="true" 
      signatureConfirmation="false" 
      protectionOrder="SignBeforeEncrypting" 
      deriveKeys="true" >
      <serviceToken>
        <x509
          storeLocation="LocalMachine"
          storeName="My"
          findValue="CN=WSE2QuickStartServer"
          findType="FindBySubjectDistinguishedName" />
      </serviceToken>
      <protection>
        <request
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <response 
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="true" />
        <fault
          signatureOptions="IncludeAddressing, IncludeTimestamp, IncludeSoapBody"
          encryptBody="false" />
      </protection>
    </usernameForCertificateSecurity>
    <requireActionHeader />
  </policy>
</policies>

See Also

Tasks

How to: Secure a Web Service Using a Policy File

Reference

<policy> Element

Concepts

Turnkey Security Assertions