WebLogic JAX-WS EE client to WS-Security service on localhost - weblogic

I have a JAX-WS endpoint which uses WS-Security, specifically the WebLogic pre-written Wssp1.2-2007-Wss1.1-UsernameToken-Plain-X509-Basic256.xml policy. I have a working command-line client where I build all the client credential providers and trust managers. Everything works great.
Now I also need to have another EE module deployed separately to the same server. According to http://docs.oracle.com/cd/E12839_01/web.1111/e13713/message.htm#i251852 I'm supposed to code the EE client as if there were no security-related WS-Policy at all, but it doesn't work. Either I'm completely failing at setting up the credential mapping (which wouldn't surprise me, because the documentation is lacking) or, what seems more likely to me, the credential mapping isn't actually happening because I'm talking to localhost.
How do you create a JAX-WS EE client that uses a WS-Security enabled service on localhost? (I'd also like to see a remote host example too.)

Worklight Adapter authentication required

I'm using Worklight 6.0.0.1, deployed on WebSphere Liberty 8.5.5.0, and I have my application, which uses 2 HTTP adapters.
In the first adapter I put my login and logout functions (form-based authentication).
In the second adapter I put some other procedures.
So my problem is as below:
When I deploy Worklight (.war) on WebSphere and my other WAR file containing the web services on another server (Tomcat), things go well.
But when I deploy the Worklight WAR and the one containing my web services on the same server (WebSphere Liberty), things go wrong with the second adapter (the one that doesn't contain the login function). For each procedure invocation in the second adapter, I get "authentication required" as the response.
But when I invoke a procedure in the first adapter, it returns the right response.
Any idea? I couldn't figure out the problem.
I should add that I'm calling the same web services in the two adapters.
This is the log I get :
{"status":200,"invocationContext":null,"invocationResult":{"responseID":"64","statusCode":200,"result":{},"errors":["authentication required"],"isSuccessful":true,"statusReason":"OK","responseHeaders":{"Content-Language":"en-US","Transfer-Encoding":"chunked","Date":"Thu, 05 Dec 2013 06:13:15 GMT","Content-Type":"application/json;charset=UTF-8","X-Powered-By":"Servlet/3.0"},"success":0,"totalTime":280,"responseTime":271}}
When you invoke a procedure in your first adapter, does it call the web service?
If not, I'm assuming that only the second adapter is trying to access the web service.
Considering that, I'm guessing your Tomcat server is not securing the web service, which means that you can access your web service without any authentication.
WAS or Liberty, on the other hand, could have application security enabled, which means that if you try to access your web service deployed on WAS or Liberty, you will be prompted for authentication.
As it works with WAS and Tomcat, the issue seems to occur only under Liberty Profile. In this case only the Worklight trace and the Liberty Profile security trace can allow you to understand the possible cause of the issue.

Enabling certificate based authentication for WCF service using netTcpBinding

I have a WCF service which is exposed using a single endpoint with netTcpBinding which sits on Server A, hosted on IIS7.5/WAS on our internal LAN on our domain.
This service is then consumed by an ASP.NET web client application sitting on Server B, also hosted on IIS7.5 with an external hosting provider outside of our domain, and linked to our LAN via a VPN secured to allow only traffic between Server A and Server B.
During development while I was testing the concept I ran the web client application on another IIS server internally on our domain using binding security mode="Transport" and transport clientCredentialType="Windows" which worked fine.
I then moved the web client application to the external Server B for further proof-of-concept testing, setting the binding security mode="None" (as obviously, with this server being outside of our domain, I cannot use Windows authentication), and it still works fine.
What I need to do now, to enable the switch back to using transport security is to set the clientCredentialType="Certificate", as you cannot have transport security with clientCredentialType="None".
This is where I have started to come unstuck. I seem to be going around in circles as to where in the web.config of the service and the client web.config to define the certificate and where to store which bits of the certificate.
Essentially what I'm trying to do is authenticate that Server B is indeed Server B calling the service on Server A, thus preventing any spoofing or DNS subversion issues, which could result in the service at Server A being illegally accessed.
My thinking is that I need to create a certificate for Server B to which Server A holds the public key to validate it? If this is the case Server B already has a wildcard SSL certificate installed on it as it serves various applications of ours as subdomains. Could this certificate be used for the WCF authentication?
None of the SO questions I've found seem to cover this, and all the various websites and book examples I've found aren't that clear. It's starting to look like WCF configuration is somewhat of a black art.
This is all built using .NET 4 and Visual Basic. Any help would be greatly appreciated.
This MSDN example has examples of how to configure netTcpBinding with certificates in both code and config. Just pick the scenario that suits you. The certificate should be issued by a public (commercial) certificate authority like VeriSign or Thawte so it will be trusted by your external host provider and your internal server.
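As an added example, not taken from the question or the answer above, this is the shape of the two configurations the question asks about: netTcpBinding with transport security and certificate client credentials, with the service side identifying Server B by its certificate and the client side presenting it. Service names, contract names, hostnames and certificate subjects are hypothetical placeholders. It also shows the alternative the answer does not mention: certificateValidationMode="PeerTrust" makes Server A accept exactly the certificates placed in its LocalMachine\TrustedPeople store, so a certificate issued in-house for Server B is enough; ChainTrust is the mode that needs a CA both servers trust, which is what the public-CA advice buys you.

```xml
<!-- ===== Server A (the service host) web.config, hypothetical names ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpClientCert">
        <!-- Transport security (TLS over TCP); the client must present an X.509 certificate. -->
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="certAuth">
        <serviceCredentials>
          <!-- Server A's own certificate (private key in LocalMachine\My) used for the TLS handshake. -->
          <serviceCertificate findValue="CN=servera.corp.example"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <clientCertificate>
            <!-- PeerTrust: only certificates copied (public part only) into
                 LocalMachine\TrustedPeople on Server A are accepted.
                 Use ChainTrust instead if both sides trust a common CA. -->
            <authentication certificateValidationMode="PeerTrust"
                            trustedStoreLocation="LocalMachine"
                            revocationMode="NoCheck" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="certAuth">
      <endpoint address="" binding="netTcpBinding" bindingConfiguration="tcpClientCert"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Server B (the ASP.NET client) web.config, hypothetical names ===== -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="tcpClientCert">
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="presentServerBCert">
        <clientCredentials>
          <!-- Server B's certificate; its private key must be readable by the app pool identity. -->
          <clientCertificate findValue="CN=serverb.hosting.example"
                             storeLocation="LocalMachine" storeName="My"
                             x509FindType="FindBySubjectDistinguishedName" />
          <serviceCertificate>
            <!-- How Server B validates the certificate Server A presents. -->
            <authentication certificateValidationMode="ChainTrust" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <!-- 808 is the default net.tcp port that WAS/IIS listens on; adjust to your binding. -->
    <endpoint address="net.tcp://servera.corp.example:808/OrderService.svc"
              binding="netTcpBinding" bindingConfiguration="tcpClientCert"
              behaviorConfiguration="presentServerBCert"
              contract="Example.IOrderService">
      <!-- Must match the subject of Server A's certificate or the TLS identity check fails. -->
      <identity>
        <dns value="servera.corp.example" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Two practical checks: the account running Server B's application pool needs read access to the private key of the client certificate (grant it with the certificate MMC, "Manage Private Keys"), and with PeerTrust the thing you copy to Server A is only the public certificate (.cer), never the .pfx. Whether the existing wildcard certificate on Server B can play the client role depends on its key usage and on which name Server A is told to expect, so it is simpler to issue Server B a dedicated client certificate than to reuse the web-serving one.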

How does WCF + SSL working with load balancing?

If SSL is handled by a load balancer, do I still need to configure it in the WCF serviceCertificate node? My scenario is to use message level security. If someone can explain how load balancing with wcf and ssl works, that would be very nice.
WCF requires security tokens to be passed over a secure transport if the message itself is not signed/encrypted. Since traffic is HTTP between your Big-IP and your individual web servers, you need a way to have security tokens that you know are secured between the client and the Big-IP up front still be passed to your server farm. There are a couple of ways to do that, depending on what version of WCF you're using:
If you're using WCF 4.0 you can just create a custom binding and set the AllowInsecureTransport property on the built in SecurityBindingElement to signify that you don't care that the transport isn't secure.
If you're using WCF 3.5 you have to "lie" about security with a custom TransportSecurityBindingElement on the server side. You can read my old post about this here.
FWIW, they created a hotfix release for 3.5 SP1 that adds the AllowInsecureTransport to that version, but I don't know if your company will allow you to install custom hotfixes.
If you want to use message security then each message is encrypted and signed separately - there is no secure connection and the load balancer behaves as with any other HTTP transport. The load balancer doesn't know about security and doesn't need a certificate.
There are two gotchas:
All load balanced application servers hosting your WCF service must use the same certificate
You must ensure that your WCF binding doesn't use sessions (reliable, security); otherwise you will need a load balancing algorithm with sticky sessions (all requests for a single session are always routed to the same server)
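The two gotchas above expressed as a binding, as an added example that is not part of the answer; service and contract names and the certificate subject are hypothetical. The point of the settings is that no state survives between messages, so a farm without sticky sessions can route each signed and encrypted request to any node, provided every node holds the same certificate and private key.

```xml
<!-- Added example: wsHttpBinding message security kept stateless behind a load balancer. -->
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <binding name="statelessMessageSecurity">
        <!-- WS-ReliableMessaging keeps per-session sequence state on one node: turn it off. -->
        <reliableSession enabled="false" />
        <security mode="Message">
          <!-- establishSecurityContext="false": no WS-SecureConversation session key,
               so every message is protected on its own with the service certificate.
               negotiateServiceCredential="false": no multi-leg WS-Trust negotiation
               (which would also have to land on the same node); the client must already
               be configured with the service's public certificate. -->
          <message clientCredentialType="UserName"
                   establishSecurityContext="false"
                   negotiateServiceCredential="false" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="farmCertificate">
        <serviceCredentials>
          <!-- Identical certificate AND private key on every farm node: clients encrypt
               to this one public key, and whichever node receives the message must decrypt it. -->
          <serviceCertificate findValue="CN=orders.farm.example"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.OrderService" behaviorConfiguration="farmCertificate">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="statelessMessageSecurity"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

On the client, the matching binding uses the same security/message attributes and a clientCredentials/serviceCertificate/defaultCertificate element pointing at the exported public certificate, since with negotiateServiceCredential="false" nothing at runtime will hand the client that certificate. The cost of the stateless settings is CPU: every message carries a fresh asymmetric operation instead of a cheap symmetric session key, which is the trade you make for not having sticky sessions.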
It doesn't. Don't bother with this. You will be in a world of hurt. Just install the certs on each machine. We've recently been through this fiasco. WCF is not worth the effort: it thinks it needs SSL but sees that it doesn't have it. Take a look at OpenRasta or something else if you want to do all your SSL on the load balancer. #microsoftfail

How can I simultaneously authenticate to an IIS7-hosted javascript web client and WCF service using Windows Authentication?

I have created and tested a WCF REST service that is protected with SSL and Windows Authentication through IIS 7. I have also created and tested a pure html/javascript web client that is hosted in IIS 7 that is protected with SSL and Windows Authentication -- same server, different "site" within IIS. The REST service is not public, but the web client is.
Without security, everything works beautifully, but now we are ready for field testing and security must be implemented.
My end goal is to have the user visit mywebclient.com and authenticate using their Active Directory accounts. Initially I thought it would be safe to leave the service calls from the client to the REST service unprotected (since the traffic from the web client to the web service would be internal), but this does not protect us from an internal attacker. Also, in the future, the REST services will be available to handhelds through native applications.
I've tried to gain as much information on this subject as possible, but every piece of Microsoft documentation contains client examples written in .NET.
How can I share the security context between these sites without converting the web client to a .NET-based application? Could this be accomplished by combining the web client and service into one IIS "site"?
Edit: If the client and service exist in the same app pool, does that mean they could share authentication information between client and server processes?

How to use Forms Auth when SSL is on a proxy in front of the IIS Farm (WCF)?

Here is my scenario:
I have a proxy that actually has the SSL cert installed, and this sits in front of a load balanced web farm. Each IIS server does not have SSL, so I can't use transport security via wsHttpBinding. I have not investigated basicHttpBinding because we want to provide SOAP 1.2 going forward with this solution. In addition to this, my network team won't allow any use of certs to encrypt at the message level. (This alone would solve my dilemma, I'm sure.)
My security group has a requirement that we use Forms Authentication (membership provider).
The final solution must allow SSL via the front proxy, yet some type of WCF binding to keep complexity encapsulated in a config file.
I was working with a custom binding that allowed for username/password sent via clear text, but when I try to connect via https I get the usual "http expected" URI error.
How can I use SSL via the proxy to connect securely from client app to web service, but not have SSL installed on IIS and leverage the WCF stack + forms authentication?
I'm not new to WCF, but this very custom setup seems to have me unsure whether the requirements allow for any type of "easy" solution.
Thank you in advance!
EDIT: I did finally get this working and decided to write a short blog post with complete source code required to write the custom binding.
I think this is similar to a problem many have had when wanting to provide WCF services over SSL when the actual service in IIS is behind an SSL-offloading device. In which case, the following two pages should help you out:
http://blog.hackedbrain.com/archive/2006/09/26/5281.aspx
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/87a254c8-e9d1-4d4c-8f62-54eae497423f/
Basically you need to lie to WCF and say that the service is secure, even though the traffic will be conducted over HTTP (between the service and the proxy).
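The "lie to WCF" that this answer and the AllowInsecureTransport answer in the load-balancing thread above both describe, written out as configuration. This is an added example, not the blog post's source code or either answer's own configuration, and it assumes WCF 4.0 (where the allowInsecureTransport attribute exists in config), an SSL-offloading proxy that forwards plain HTTP to IIS, and a membership provider named SqlProvider already registered in the application's web.config; service, contract and host names are hypothetical. The service side is where the lie lives: UserNameOverTransport normally refuses a non-HTTPS transport, and allowInsecureTransport="true" tells it confidentiality is supplied elsewhere (by the proxy's TLS). The client side tells no lie at all; it really speaks HTTPS to the proxy, which is why it uses httpsTransport, and pairing an https:// address with httpTransport is exactly what produces the "expected http" scheme error the question mentions.

```xml
<!-- ===== Service web.config on each IIS node (plain HTTP behind the SSL proxy) ===== -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="usernameBehindSslOffload">
        <!-- UsernameToken in the WS-Security header, transport expected to be secure;
             allowInsecureTransport="true" (WCF 4.0) lets it run over http:// because
             the TLS that protects the credentials terminates at the proxy, not here. -->
        <security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
        <!-- SOAP 1.2 with WS-Addressing 1.0, per the requirement in the question. -->
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <httpTransport />
      </binding>
    </customBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="membershipAuth">
        <serviceCredentials>
          <!-- Validate the UsernameToken against the same ASP.NET membership provider
               that Forms Authentication uses; no certificate is involved. -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                  membershipProviderName="SqlProvider" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <services>
    <service name="Example.ReportService" behaviorConfiguration="membershipAuth">
      <endpoint address="" binding="customBinding" bindingConfiguration="usernameBehindSslOffload"
                contract="Example.IReportService" />
    </service>
  </services>
</system.serviceModel>

<!-- ===== Client app.config (talks real HTTPS to the proxy) ===== -->
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="usernameOverHttps">
        <!-- Same message-level shape as the service; no allowInsecureTransport needed
             because this side's transport genuinely is TLS. -->
        <security authenticationMode="UserNameOverTransport" />
        <textMessageEncoding messageVersion="Soap12WSAddressing10" />
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://api.example.com/ReportService.svc"
              binding="customBinding" bindingConfiguration="usernameOverHttps"
              contract="Example.IReportService" />
  </client>
</system.serviceModel>
```

The client sets the credentials in code (client.ClientCredentials.UserName.UserName / .Password) before the first call. One more consequence of the lie: the WS-Addressing To header the client sends names https://api.example.com/..., while the endpoint IIS actually listens on has an http:// address, and with WCF's default exact address filter that mismatch is rejected before the message reaches your code. Mark the service class with [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)] (or make the proxy-facing and internal host names line up) so the request is accepted. And since allowInsecureTransport disables the one check that would have caught a plaintext path, make sure the proxy-to-IIS network segment is one you are prepared to have carrying cleartext passwords.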