WSE 2.0 and Encryption

Many thanks.

Couple things: Although I've never really tested it, I've heard anecdotally that foreach is not a very efficient way to do things. You can try for(int i=0;i < myDataTable.Rows.Count;i++) and then refering to myDataTable.Rows[i] inside of the loop. More significantly: I think you should reconsider pulling 67000 rows into your client application. If you need to change that large a chunk of data, doing it in SQL on the database server will likely be faster. Just my $0.02...Hope it helps, Bill

Thanks for the follow-up Heath. The cert is self-signed, so I am assuming that I need to add the certificate itself to my trusted CA store...right? Assuming this is correct, I exported the cert from Local Computer \ Personal and then imported it into Local Machine \ Trusted Root Authority...but the problem remains. How can I tell for sure if it is trusted? How can I tell if I have enable[ed] the right attributes for the key to sign and encrypt data? Thank for entertaining my questions...I've been through the WSE2.0 docs 1/2 a dozen times and cannot find the answer, so I am a little at whit's end. Any other good sources of documentation? Bill

Thanks Heath, I should know better than to post such a detail-bare question. My bad. My client application is a .net web application, running on the same machine that the web service runs on: a win2kpro development machine. I am trying to: 1) sign the request from the client with an x509 cert. 2) sign the response with an x509 cert, and 3) encrypt the response with an x509 cert. 1) and 2) are no problem. But when I add the code for 3) I get this exception:

System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ComponentModel.Win32Exception: Bad Key at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] plaintext, Boolean useOAEP) at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.EncryptKey(Byte[] plainKey) at Microsoft.Web.Services2.Security.EncryptedKey.Encrypt() at Microsoft.Web.Services2.Security.EncryptedKey.GetXml(XmlDocument document) at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document) at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope) at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope) at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(SoapEnvelope envelope) at Microsoft.Web.Services2.WebServicesExtension.AfterSerializeServer(SoapServerMessage message) --- End of inner exception stack trace ---

This exception is reported by the client and occurs sometime after the return in the web method is called. The stack trace is:

SoapHeaderException: System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ComponentModel.Win32Exception: Bad Key
at Microsoft.Web.Services2.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] plaintext, Boolean useOAEP)
at Microsoft.Web.Services2.Security.Cryptography.RSA15KeyExchangeFormatter.EncryptKey(Byte[] plainKey)
at Microsoft.Web.Services2.Security.EncryptedKey.Encrypt()
at Microsoft.Web.Services2.Security.EncryptedKey.GetXml(XmlDocument document)
at Microsoft.Web.Services2.Security.Security.SerializeXml(SoapEnvelope document)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessHeader(Security security, SoapEnvelope envelope)
at Microsoft.Web.Services2.Security.SecurityOutputFilter.ProcessMessage(SoapEnvelope envelope)
at Microsoft.Web.Services2.Pipeline.ProcessOutputMessage(Soap

Hi all, Sorry in advance if the C# forum is the wrong place for this question, but none of the others looked quite right either... I am trying to implement asymmetrical encryption on a web service using WSE 2.0. The example the MS includes in the Quick Start Examples that come with WSE works just fine, but I am trying to switch from the x509 cert that they provide to one that I created with makecert. Trouble is: I keep getting an error message saying that the key is bad when WSE 2.0 attempts the encryption. My certs have private keys and the users under which both the client and server are running have full control over the directories that contain the private key files... Has anyone managed to get this to work? Can you tell me what command line arguements you passed to makecert? Any guidance appreciated. Thanks, Bill

Oh! That is easier. ;) I do not know what writer1 is, since none of your previous posts contain a declaration...but in many cases there is a .Write() method as well as a .WriteLine. Is so you can do:for (int i=0;i < PARAMS.Length; i++) writer1.Write(PARAMS[i].ToString() + " "); writer1.WriteLine() //to get the line-feed
If you have no Write, just build the string up before you print it.System.Text.StringBuilder sb = new System.Text.StringBuilder(); for (int i=0;i < PARAMS.Length; i++){ SB.Append(PARAMS[i].ToString() ); SB.Append(" "); } writer1.WriteLine(SB.ToString())

Can't you just nest another loop? Like:int cols=3; //for example; int testCount=PARAMS.length; for (int rowIndex=0;rowIndex < Math.Ceiling (Convert.ToDouble (testCount) / Convert.ToDouble (cols));rowIndex++) { for (int colIndex=0;colIndex < cols;colIndex++) { if (rowIndex * cols +colIndex < testCount) { writer1.Write(PARAMS[rowIndex * cols +colIndex].ToString () + " "); } } writer1.WriteLine(); }
That should write it one row at a time: 0 1 2 3 4 5 6 etc. Hope this helps Bill

Hi, There are. Check out http://www.tartarus.org/~martin/PorterStemmer/. I have used the ".NET Compliant Csharp" version in a search engine application...works like a champ. A word of warning though: The stems are often not english words. The goal of the algorithm is not to reduce related English words to the same English word, but rather to reduce related English words to a common string. Bill

Steven Campbell wrote: * do not use sa to login I strongly agree. That's one of the reasons I like sprocs: I can create a user that has only execute permissions on the sprocs, no direct select, insert, update (much less schema change) permissions. Steven Campbell wrote: * encrypt your database connection string One point to make here: no matter how you encrypt/protect your connection string, your application has to have the ability to decrypt it. So it's inherently vulnerable. It has to be, or your application could not read it. Certainly: it adds another layer of protection I am not sure it's worth the effort. Just my thoughts...I certainly cannot quantify any of this. Bill btw: I have enjoyed reading this thread. Thanks!

Mhmoud, As far as I know triggers cannot be made to work this way. They fire. Period. I would take you logic in the trigger and make a stored procedure out of it. Then call the new stored procedure after you commit the original transaction. You will not have access to Inserted and Deleted but this is the only way I know to do what you describe Hope this helps Bill

Hi Mark, Is this a paging problem or a sql problem? I mean: do the two sprocs return the same rows in the same order? If so, can't you just grab the current page# from the datagrid (CurrentPageIndex) and then set it again before you bind to the new data? Bill ps: code snippets would help...asp.net datagrid ?

Hi Jacob, I have a couple of fairly phylisophical points to add. Ignore them as you please :). First off, it's not a really good idea to change database schema from within your code. Creating and deleting view (and table and sprocs, etc) are really design-time processes. Do it before-hand and be done. Why? Well, what happens when user #2 tries to create the view before user #1 drops? You've got an exception to handle... It just get's too messy. Related to the first point, I am very leary of a program running with a sql user that has sufficient privileges to alter the db schema. Just my $0.02 Bill

I cannot echo Colin's last point strongly enough. Modularity is A GOOD THING. As Colin suggests, using sprocs frees the rest of your application from needing any knowledge about the underlying table structure. This will matter when you have to make a schema change for V2.0 and spend an eternity tracking down broken select/insert/deletes all over your code. If you use sprocs, all you need to do is assure that they still behave the same, and you're done. Web apps are actually quite risky, especially if you use query string data to build your sql statements. There are ways to exploit this to get malicious code run on your sql box. Passing the query string data as parameters to a sproc eleviates much of this problem (My experience here is a little limited, so if I am way off, someone please contradict me :-O ) Bill

I stand corrected. Thanks Mike.

Have you tried adding the label to the Page's Controls collection? It would look something like:this.LabelArray[i]=new Label(); LabelArray[i].Text = "Some Message"; LabelArray[i].Height = 10; LabelArray[i].Width = 50; this.Controls.Add(LabelArray[i]);
Where i is an int and you have already declared the the LabelArray as a private member of the page. I do not believe that you can set position directly at run-time. Instead, you can add LiteralControls between adding Labels, like this:this.Controls.Add(new LiteralControl(""); this.Controls.Add(new LiteralControl(""); this.Controls.Add(new LiteralControl(""); this.Controls.Add(new LiteralControl(""); this.Controls.Add(new LiteralControl(""); this.Controls.Add(new LiteralControl(" "); this.Controls.Add(LabelArray[0]); this.Controls.Add(new LiteralControl(" "); this.Controls.Add(LabelArray[1]); this.Controls.Add(new LiteralControl(" ");
As an aside, when I have to do something this involved, I usually do it in a custom web control. Hope this helps, Bill

Didi, Forget code for a second...tell us in words how to decide where to split the text string into pieces. Is it always 4 characters, then 8 then 4, then 8? Bill

Check to be sure that the localhost\aspnet user has access to the file. By default, asp.net runs as this user.

Hi, I have a couple of ideas...I've only done this kind of thing a few times, so please don't take any of the following as gospel. When I need to do something like this, creating a custom web control class seems to really simplify matters. Basically you: 1) write the control as a class the derives from WebControl. 2) Override the CreateChildControls() method to create your stuff. 3) Override Render() to get it to draw correctly (mostly just for designer support). Below is a demo control that draws a table of 10 buttons. Remember, you need to keep a reverence to each Button object around if you want the event handlers to work. I hope this helps...please let me know if you're still stuck. Billusing System; using System.Web.UI; using System.Web.UI.WebControls; namespace WatsonControls { /// /// Summary description for ctrlDemo. /// public class ctrlDemo: WebControl,INamingContainer { Button[] btns; int iRows=10; public ctrlDemo() { } protected override void CreateChildControls() { this.btns = new Button [iRows]; Controls.Add (new LiteralControl ("")); Controls.Add (new LiteralControl ("")); Controls.Add (new LiteralControl ("")); Controls.Add (new LiteralControl ("")); for (int i=0;i")); Controls.Add (new LiteralControl ("")); Controls.Add (new LiteralControl ("")); } Controls.Add (new LiteralControl (" A columns of buttons")); Controls.Add (new LiteralControl (" ")); this.btns[i]=new Button(); this.btns[i].Text = "Button: " + i.ToString (); this.btns[i].Click +=new EventHandler(ctrlDemo_Click); Controls.Add (this.btns[i]); Controls.Add (new LiteralControl (" ")); } protected override void Render(System.Web.UI.HtmlTextWriter writer) { this.EnsureChildControls (); base.Render (writer); } private void ctrlDemo_Click(object sender, EventArgs e) { //do something Page.Response.Write("Clicked"); } } }

Hi Mark, I think you have to wait for asp.net 2.0 for this kind of functionality. In fact, I've seen exactly this kind of thing in product demos for Visual Studio 2k5. So it's in the pipeline, but I do not know of a way to do it presently. Best of luck, Bill

Hi Dave, AFAIK, Sessions will not (really SHOULD not) function across applications. Why should App A. know anything about the sessions open on App B, after all? My first thought was: If these pieces of functionality are really this closely linked, are you sure they belong in two seperate applications? Especially if some of the "applications" are really simple. Second thought: develope a user-config architecture in a database and pass a userID between applications (do it in the querystring or cookie). This way, each application can use the user ID to look into the database and determine how to display various aspect of the screen. Hope this helps, Bill ps: web.config is for application level config settings. It's not an appropriate place for user specific items.