I try to access a java-webservice which uses ws-security (wsse). I tried to consume it using svcutil:
svcutil *.wsdl *.xsd /language:C# /tcv:Version35
This works well, but I get an error importing this block in wsdl-file
<wsp:Policy wsu:Id="myServiceRequestResponseSoapBindingPolicy" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken11/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
saying
An unsupported security policy assertion was detected
So this gets ignored.
As you may expect communicating with the service returns an error saying "unauthorized". The information I got from the webservice owner pointed out that my message contains no WSSecurity-part.
I found this thread svcutil getting stuck on usernameToken Policy but the policy seems to differ because I don't have any certificate. So I don't get anywhere on this path.
I installed WSE3 cos I had the impression I'd need it for something, but I'm quite unsure now if this is the case and how this needs to interact with my wcf-client.
Any suggestions appreciated, thank you.
Don't worry about that warning, the WSDL section is not relevant (you can even remove it). What you should have is a sample working SOAP request from a wroking client (e.g. Java) or from a sample of the vendor, with the security in it. Then you can configure your binding to support it. Just from the WSDL section you published you might want to try basicHttpBinding with security mode of TransportWithMessageCredential.
Googling for wcf and usernametoken brought me to this solution - it's so easy if you get the right search words...
http://weblog.west-wind.com/posts/2012/Nov/24/WCF-WSSecurity-and-WSE-Nonce-Authentication
Related
I am consuming one service which only establishes the connection over TLSv1.2 protocol.
In SoapUI
-Dsoapui.https.protocols=TLSv1.2 :- This parameter works fine and able to get the response from the service in SOAP UI tool.
Need something similiar like above parameter on the mule ESB flow which allows my request to use TLSv1.2 protocol explicitly during proxing.
I am using Mule 3.7 CE & JDK 7. The message flow uses CXF proxies(cxf:proxy-service) to direct SOAP based requests over Https to the end client. When a request is sent to Mule it is throwing an exception as below.
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: TLS is not enabled {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) ~[cxf-rt-ws-policy-2.7.15.jar:2.7.15]
Already tried enabling protocol through tls-default.conf file also adding system arguments and server arguments did not work.
Here is the snippet of wsdl using security policy -
<wsp:Policy wsu:Id="XYSPolicyID">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
</wsp:Policy>
</sp:TransportBinding>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Any help would be much appreciated !!
You can configure your cryptographic protocols and cipher suites I'm MULE_HOME/tls-default.conf
As stated in the previous reply, enabledProtocols=TLSv1.2 should do the trick.
If you continue having problems, you can use the following to troubleshoot:
Start Mule with the following flag -M-Djavax.net.debug=ssl:handshake:verbose
In that way you will be able to see the actual handshake process.
Another useful tool is TestSSLServer to determine supported protocols and cipher suites of the target system.
Also, you may consider installing the Java Cryptography Extension package.
HTH, Nahuel.
My wsdl says Asymmetric Binding. Initiator Token and Receipienct TokenHow can I generate a binary security token for both client and server. Can I implement with kind of security with only one private key.
.
Here is the wsdl
<sp:AsymmetricBinding>
<wsp:Policy>
<wsp:ExactlyOne><wsp:All><sp:InitiatorToken><wsp:Policy><wsp:ExactlyOne>
<wsp:All><sp:X509Token><wsp:Policy>
<wsp:ExactlyOne><wsp:All><sp:WssX509V3Token11/></wsp:All>
</wsp:ExactlyOne>
</wsp:Policy></sp:X509Token></wsp:All>
</wsp:ExactlyOne></wsp:Policy></sp:InitiatorToken>
<sp:RecipientToken><wsp:Policy><wsp:ExactlyOne><wsp:All><sp:X509Token><wsp:Policy><wsp:ExactlyOne><wsp:All>
<sp:WssX509V3Token11/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</sp:X509Token>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy></sp:RecipientToken>
<sp:AlgorithmSuite><wsp:Policy><wsp:ExactlyOne><wsp:All><sp:TripleDesRsa15/></wsp:All></wsp:ExactlyOne></wsp:Policy>
</sp:AlgorithmSuite>
</wsp:All></wsp:ExactlyOne
></wsp:Policy>
</sp:AsymmetricBinding>
In case I make a custom binding with security element like this .
`var sec = `(AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
I was able to genrte Username token with none. This was the security element
var security = TransportSecurityBindingElement.CreateUserNameOverTransportBindingElement();
The Sample soap request uses these terms to describe the binary security tokens
....(eMedNY signed user MLS cert).....
.....( eMedNY MLS web-service end-point public cert).........
...nonce,.
I have the private key for the former. But does the server one need a private key?.. It is a public certificate. What should be the security element. Do I need two security elements. One for the binary security token and one for usernametoken.?
Thank u
I'm kind of confused about setting up standard authentication for my SSL protected service. I have tried the HTTP header way, but that's non standard, and WS-I is important for me. It is possible to set up the Authentication Token to be Username on method level. This is the resulted BindingPolicy in the WSIT XML:
<wsp:Policy wsu:Id="DataStoreWSPortBindingPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:Wss10/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DataStoreWSPortBinding_hello_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SupportingTokens>
<wsp:Policy>
<sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
SvcUtil warnings:
<!-- WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://webServices/': -->
<!-- <wsdl:binding name='DataStoreWSPortBinding'> -->
<!-- <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">..</sp:SupportingTokens> -->
I want to set credentials in the WCF client via ClientCredentials and then authenticate on the service side via database. What are the steps to achieve that?
If you want to have standard way on transport level why don't you use HTTP Basic authentication? That is the common standardized authentication mechanism for HTTP protocol and it works with web services as well.
The error you got is most probably because of SupportingTokens assertion. Even it is correct assertion WCF doesn't support it. Try to use SignedSupportingTokens or SignedEncryptedSupportingTokens. If you are not able to modify your service to produce such WSDL you can even try to modify the WSDL you got manually.
What you meant by WS-I? There are multiple WS-I standards and some of them don't expect policies at all - just plain SOAP services where headers are described in WSDL directly.
Scenario: I am writing a WCF client to access a Java/Metro webservice which requires several SOAP headers to be signed and encrypted:
<wsp:Policy>
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="... application specific headers ..."/>
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
It works for the application specific headers (the ProtectionLevel attribute is applied on the respective proxy type members). The WS-Addressing headers, however, are signed but not encrypted.
I tried to add them programmatically to the ChannelProtectionRequirements message parts collection(s) through contract or endpoint behaviors (e.g. like described here). No success.
Any ideas how to do this?
Ok, sackcloth & ashes coming up. I'm not sure what went wrong in my tests, but it does work when I add the respective headers to the IncomingSignatureParts and IncomingEncryptionParts of the service endpoint through a contract behavior.
I have a WCF service which i deployed on my test server. Trying to use it on my test project and I added a reference and I get this error
The document was understood, but it could not be processed.
- The WSDL document contains links that could not be resolved.
- There was an error downloading 'http://localhost:8731/somewhere.nowhere.com/service1/?xsd=xsd2'.
- Unable to connect to remote server
- No connection could be made because the target machine actively refused it
Metadata contains a reference that cannot be resolved: 'http://192.1.1.1/TestService/somewhere.nowhere.com.svc?wsdl'.
Content Type application/soap+xml; charset=utf-8 was not supported by service . The client and service bindings may be mismatched.
The remote server returned an error: (415) Cannot process the message because the content type 'application/soap+xml; charset=utf-8' was not the expected type 'text/xml; charset=utf-8'..
If the service is defined in the current solution, try building the solution and adding the service reference again.
I had my test app working before I added wsdlextras to my service project to include wsdl documentation.
This is the schema from my wsdl:
<wsdl:types>
<xsd:schema targetNamespace="http://tempuri.org/Imports">
<xsd:import schemaLocation="http://localhost:8731/somewhere.nowhere.com/?xsd=xsd2" namespace="http://tempuri.org/"/>
<xsd:import schemaLocation="http://localhost:8731/somewhere.nowhere.com/?xsd=xsd1" namespace="http://schemas.datacontract.org/2004/07/TestService"/>
<xsd:import schemaLocation="http://localhost:8731/somewhere.nowhere.com/?xsd=xsd0" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
<xsd:import schemaLocation="http://localhost:8731/somewhere.nowhere.com/?xsd=xsd3" namespace="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/>
</xsd:schema>
</wsdl:types>
Attempt to Fix 1:
I changed my
<host>
<baseAddresses>
<add baseAddress />
</baseAddresses>
</host>
so my addresses in my schema all mmatch up. I can update my service reference on my test project, however I cannot view any of my methods exposed by my wcf service.
My service is deployed on windows 2003 and my test app is on XP as well
Answer is here:
WCF IIS server configuration
in short...
The problem was with WCF identity permissions. The identity that is used for the application pool that hosts the WCF service must have full NTFS permissions on the %WINDIR%\temp folder. After changing that permission to my identity (LOCAL SERVICE) on C:\Windows\Temp I was able to add service reference to WCF service.
From the error message it looks as if it cannot find the imported xsd file xsd2.
The call to the service looks like it is on port 80, but the include files are referenced from point 8731.