I'm writing a .NET client (WCF) that will consume a web-service that is implemented using Apache CXF (Java) and amazingly enough it's incredibly hard have WCF to set the Type attribute of the Password tag to PasswordText. I.e I would like the SOAP header to look something like:
<wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="UsernameToken-11" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">a287645857cfaaddf82e2d333651b3e0</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">oKGlwEkbkhYJH6upsbiqeQ==</wsse:Nonce>
<wsu:Created>2011-10-25T13:10:11.958Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
but the actual header looks like:
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken u:Id="uuid-5acb0b47-1b52-4535-bfaf-b9e76621b7eb-1">
<o:Username>test</o:Username>
<o:Password>a287645857cfaaddf82e2d333651b3e0</o:Password>
</o:UsernameToken>
</o:Security>
As you can see the Type attribute is missing from the Password tag. Some research on the web seems to indicate that I perhaps have to write an interceptor to fix this. I figured that there was a simple solution, i.e. config setting, to fix this but maybe there is not. Anyhow, I'm hoping for some clarifications by posting this question.
The WS server rejects the request because of the missing Type attribute. Some function checking for BSP spec. compliance (not sure what this is) throws an exception.
Regards, Ola
OK, the implementation requires using WSE 2.0 SP3. Be careful NOT WSE 3.0.
WCF cannot help you.
All you need is here.
This is a better sample.
Related
Let's say I have a function that contains List ids argument in WCF SOAP, how can I post an array of ints to that WCF SOAP vis Postman? I swear I've looked everywhere in Google, but there is no documentation about it. Help!!
You want to use postman to test your service, but postman only supports http requests. If you want to send a soap request, you need to edit it in the body, and the sending format needs to be soap-xml. For soap requests, you can use soapUI to test your SOAP service. In short, if your service uses soap binding, you can use soapUI to test your service to send parameters, if you use webhttpbinding, you can use postman to send parameters and call the service.
#Theobald Du: This is what I'm trying to do. I know it is soap-xml, yet i don't know how to send an array of ints through. Here is what I have so far:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<GetAvailabilities xmlns="http://tempuri.org/">
<bodyString>leg</bodyString>
<clinics>
--> (list of ints to send here. This is where I am stuck)
</clinics>
</GetAvailabilities>
</s:Body>
</s:Envelope>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<GetAvailabilities xmlns="http://tempuri.org/">
<bodyString>leg</bodyString>
<clinicsxmlns:a="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<a:int>594</a:int>
</clinics>
</GetBranchAvailabilities>
</s:Body>
</s:Envelope>
This is the correct way to do it. Since there is no documentation about it whatsoever, i will leave it up there for anyone that needs an example
I want to test my wcf service endpoint using SOAP UI tool which is built in wsHttpBinding along with x509certificate authentication. It supports for basicHttpBinding and working properly but giving an error for wsHttpBinding. Any help would be appreciated. I'm getting below error message in response.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<a:RelatesTo>uuid:81f1ec47-0bd4-4dd0-b958-648ee934be24</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
</s:Reason>
</s:Fault>
</s:Body>
</s:Envelope>
We are capable of testing the WCF service in SOAPUI if WCF service is created by Wshttpbinding and the required client credential is a certificate.
Please refer to the reply I wrote several days ago.
Test WCF with Mutual Certificate Authentication using SOAPUI
Merely based on the security error. I could not infer that the code design on the server-side. I would like that you could post more details of the security binding configured on the server-side and the client's credential type so that I could make an example.
Besides, here are some links, wish it is useful to you.
WCF wsHttpBinding in SoapUI
https://www.soapui.org/docs/functional-testing/sending-https-requests.html
Feel free to let me know if there is anything I can help with.
After looking around the forums and the internet in general, I was unable to find anything that answered my problem, so I have resorted to placing my question here.
Firstly, sorry if this has already had an answer supplied.
My problem is this. I have an existing C# WCF service hosting in IIS and secured by an SSL. This is working code and is currently in our Live, UAT, Test and Development environments.
I have been asked to use SoapUI for testing firstly on existing services and any new services that we are about to build.
So far, I have created the project by supplying the WDSL, setup the keystore with the SSL cert, created an outgoing and incoming WS-Sec config.
When in the request, I have created a basic authorization using the defined outgoing and incoming configs created above.
After clicking on the submit button, I get the following response.
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" ns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<a:RelatesTo>uuid:89964641-b66d-42c7-b40a-bdd3b7acdddf</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<s:Code>
<s:Value>s:Sender</s:Value>
<s:Subcode>
<s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
</s:Subcode>
</s:Code>
<s:Reason>
<s:Text xml:lang="en-GB">An error occurred when verifying security for the message.</s:Text>
</s:Reason>
</s:Fault>
</s:Body>
</s:Envelope>
I did see an article that inferred that I should switch the 'Enable WS_A addressing' switch off. I did this, but this just caused the submit request to timeout.
I have checked that the service is running by viewing the WSDL from the IIS server and also using the application to call the service and all is OK.
I am sure that I missed a simple step, so would be grateful for any help.
Thanks
After looking around, I have started to use WCF Storm which does appear to work with WCF using SSL.
General notes
We're using IdentityServer3 and have been very happy with it so far.
We've gotten to secure MVC and ASP.NET Web API applications very easily with the help of both MS and Thinktecture OWIN middlewares.
The client we're working for still has a lot of SOAP WCF services, and this is where we're getting stuck.
The Setup
I'm not gonna lie, I'm far from being experienced with WCF, I've only used it for very basic scenarios - understand basicHttpBinding, no transport nor message security.
This is what I want to achieve:
A client gets a JWT access token from IdentityServer
Somehow the token ends up in the SOAP message headers
WCF reads and validates the token
WCF inspects the claims and performs authorization based on some criterion
I can't get the third step working.
The server setup
I'm using a ws2007FederationHttpBinding with TransportWithMessageCredential security mode. The message contains a BearerKey and the token is of type urn:ietf:params:oauth:token-type:jwt
The service uses the WIF identity pipeline, in which I added the JwtSecurityTokenHandler from the System.IdentityModel.Tokens.Jwt NuGet package
The client setup
The JWT token issued by the STS is wrapped in a BinarySecurityToken XML element, itself wrapped in a GenericXmlSecurityElement
This token is used as a parameter of the CreateChannelWithIssuedToken of the ChannelFactory
What happens
The token is found in the SOAP header and passed on to the JwtSecurityTokenHandler.
But then an exception is thrown:
System.ServiceModel.Security.MessageSecurityException: Message security verification failed. ---> System.IndexOutOfRangeException: Index was outside the bounds of the array.
at System.Xml.XmlBufferReader.GetChars(Int32 offset, Int32 length, Char[] chars)
at System.Xml.XmlBufferReader.GetString(Int32 offset, Int32 length)
at System.Xml.StringHandle.GetString()
at System.Xml.XmlBaseReader.ReadEndElement()
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
--- End of inner exception stack trace ---
After JustDecompiling, it looks like there's an error when further reading the XML elements in the SOAP header. What's strange is that the token is the last element. Here's what the whole message looks like:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/IService/GetListOfStrings</a:Action>
<a:MessageID>urn:uuid:5c22d4e2-f9b8-451a-b4ca-a844f41f7231</a:MessageID>
<ActivityId CorrelationId="554fc496-7c47-4063-9539-d25606f186b0" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">1213dcd7-55b7-4153-8a6d-92e0922f76dd</ActivityId>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo90CpMlUwLBOmEPkZ5C8fRQAAAAAVWkkf2rJS0qImBv+Yx1recUXdbBLjThDkAMkwfW3/2AACQAA</VsDebuggerCausalityData>
<a:To s:mustUnderstand="1">https://localhost.fiddler:44322/Service.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2015-05-21T06:41:45.362Z</u:Created>
<u:Expires>2015-05-21T06:46:45.362Z</u:Expires>
</u:Timestamp>
<wsse:BinarySecurityToken ValueType="urn:ietf:params:oauth:token-type:jwt" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><!-- Removed --></wsse:BinarySecurityToken>
</o:Security>
</s:Header>
<s:Body>
<GetListOfStrings xmlns="http://tempuri.org/" />
</s:Body>
</s:Envelope>
Doesn't look like there's something malformed or anything. From the stack trace, the exception must be thrown when reading the </o:Security> end element since the token was properly read and handled.
Repro
I forked the samples repo so you can have a look if you feel like it.
Here are the relevant projets:
SelfHost (Minimal) in the sources folder. This is the STS
In the Clients solution, the WCF service is in the APIs folder
In the Clients solution, the WCF client is the Console Client Credentials With Wcf project
Best way to fire it up is to start the STS first, then Right click -> Debug -> Start new instance on the WCF service, then the same on the WCF client.
Thanks in advance!
I didn't get to solve this problem but Dominick Baier, one of the developers of IdentityServer, found a workaround.
He thinks the exception comes from a bug in WCF or an incompatibility between WCF and the JwtSecurityTokenHandler. Since he considers WCF done, he doesn't expect someone to take a look at it.
His solution is to wrap the JWT token in a SAML token. Then, by subclassing SamlSecurityTokenHandler, get it back and validate it against an instance of JwtSecurityTokenHandler.
Here are the links:
Dominick's blog post
Samples repo on GitHub where he put the code
Specific commit on GitHub
Everybody have fun, now :-)
While calling from my Web Application, WCF response i am getting is :
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header />
<s:Body>
<getSOAPDataResponse xmlns="http://localhost/WebServices">
<getSOAPDataResult> INFORMATION </getSOAPDataResult>
</getSOAPDataResponse>
</s:Body>
</s:Envelope>
The Web Application is very old and has some hard coded stuff that looks for "Soap" as prefix in Response.
Previously Web Services were used but now Web Services has been migrated to WCF Services.
The expected response from WCF is something like this:
<Soap:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<Soap:Header />
<Soap:Body>
<getSOAPDataResponse xmlns="http://localhost/WebServices">
<getSOAPDataResult> INFORMATION </getSOAPDataResult>
</getSOAPDataResponse>
</Soap:Body>
</Soap:Envelope>
So i need to change the WCF Response Prefix "S" to "Soap". How can it be done. Any help will be highly appreciated.
Thanks in advance.
This blog post addresses your exact problem. You basically need to create a custom message encoder. Be aware though, if you're using WsHttpBinding with message security, the approach in the post won't work. If you're using BasicHttpBinding, refer to the comments at the end of the post (you need to ensure you're replacing the right text, as the basic binding uses SOAP 1.1 and the WS binding uses SOAP 1.2).