Is it possible to create a WebService using JAX-WS, that whould then be consumed by a WCF client using such a binding?
<bindings>
<basicHttpBinding>
<binding name="CaseObjectServicePortBinding" >
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
</binding>
</basicHttpBinding>
</bindings>
I created such a service without WSIT for now, just a plain service and wanted to just ignore the "Security" header in incoming SOAP message. But it fails with:
"Could not establish secure channel for SSL/TLS with authority 'xxxxxxxxxx'."
If I change:
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
to:
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
<message clientCredentialType="Certificate" />
</security>
everything works flawlessly. Any ideas what am I doing wrong?
The answer is yes. You can use BasicHttpBinding or WsHttpBinding
The error was occurred because when you use TransportWithMessageCredential, the WCF client will impose additional security to your message sent through the wire, which is interoperable only to WCF service.
Once you changed it to Transport, only transport security( SSL using certificate) is applied , so that why both client and service can understand how to communicate with each other.
Cheers.
When defining security as TransportWithMessageCredential you say: I want a service which will communicate over secured transport channel (HTTPS) and I want to pass client credentials in SOAP header.
If you define Certificate credential type in message element you say: The SOAP header will transport client credentials as x.509 Certificate token profile. It is interoperable format which requires WS-Security on the service.
If you define Certifiate credential type in transport element you say: I want mutual SSL authentication. I'm actually not sure if this is used if you define TransportWithMessageCredential
This happened on the step of initiating the request; the TLS exception pops out to you because the certificate set on the client is not trusted. Use a certificate with the common destination name, if you are using the service on public use the domain name else use the destination IP address as a common name and it will work just fine .
PS: Use the 'basichttps' binding in case you want to proceed with the https content type 'text/xml' soap 11 the the default from jaxws
Related
I have a SSL secured (https) restful WCF service hosted in IIS (7.5). This service has 2 endpoints. One endpoint is expects a client certificate and other do not expect a client certificate.
Client certificate setting in IIS is
Now, when i run my test case from Visual studio, everything works fine. No problems.
Problem is when the actual client (which is a website hosted in IIS), tries to communicate with the WCF service over the endpoint which do NOT expect client certificate.
When the website make such call, the browser (IE, Chrome), pops up a dialog box to select the client certificate.
If the endpoint is not expecting client certificate then why the browser is popping up this dialog box to select a client certificate?
Endpoint bindings look like this
<webHttpBinding>
<binding name="webBinding">
<security mode="Transport">
<transport clientCredentialType="None"/>
</security>
</binding>
<binding name="webSecureBinding">
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</webHttpBinding>
I have a WPF application, and I'm using WCF to consume a php webservice over Https, I've created a self-singed certificate on the server to test it and configured the client to use this certificate, but an exception appeared and tell me that I need to pass the client certificate also.
Actually I just want to secure the transmitted message, I don't need to authenticate the client, so how could I disable the client authentication.
I'm using security model "Transport" with clientCredentialType "Certificate" and .Net 3.5.
thanks in advance for opinions..
UPDATE
As I've mentioned, I don't need the service to verify the identity of the client so I have used Transport Security with an Anonymous Client instead of Transport Security With Certificate Authentication, the following is the client configurations:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="bindingName" closeTimeout="00:0:04"
openTimeout="00:00:04" receiveTimeout="00:00:04" sendTimeout="00:00:04"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647">
<security mode="Transport">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://myServer/myApp/myWebService"
binding="wsHttpBinding" bindingConfiguration="bindingName"
contract="xx.yy" name="zz">
</endpoint>
</client>
Now the issue is: when I called the service a timeout error appears "The HTTP request to {My Service URL} has exceeded the allotted timeout".
Additional Info: The service worked fine over HTTP, the issues appear only when I moved to the HTTPS, and I can see the service WSDL if I open it through the internet browser, but the browse told me that there are insecure resources and I should enforce it to show me all resources in order to see the WSDL.
Probably your issue is:
// Create the endpoint address. Note that the machine name //
must match the subject or DNS field of the X.509 certificate //
used to authenticate the service.
So review your client config, and check certificate section findValue attribute to match you certificate's one.
Like
<clientCertificate findValue="contoso.com"
storeLocation="CurrentUser"
storeName="My"
x509FindType="FindBySubjectName" />
See more about Transport Security with Certificate Authentication.
I have a web service and we're currently hosting it in a HTTPS site.
My binding is this.
<wsHttpBinding>
<binding maxReceivedMessageSize="2000000" >
<readerQuotas maxStringContentLength="2147483647" />
<security mode="Transport">
</security>
</binding>
</wsHttpBinding>
And it seems to work well. But my main aim is to make sure the web service requests and responses are encrypted. I don't know much about web services but is that all there is to it?
Just use HTTPS and put this line in your configuration?
<security mode="Transport">
</security>
Or is there more to it? How can I know if the message's sent are encrypted or not?
Yes that's all. The mode Transport demands transport level security which in your case means HTTPS. If you want to see that messages are encrypted you must use some network monitoring tool (Fiddler, WireShark, etc.)
I have a WCF service hosted in a Windows Service. Clients from various platforms will access the service. Now I would like to add a basic security mechanism. Ideally, the clients should use username/password for authentication.
Which binding settings do I have to use in this scenario and how can I authenticate the client? Interoperability is more important than a very secure solutions. If possible the client should not be forced to use a certificate or something the like. Additionally, authentication should not be strongly coupled with a SQL Server database. I would like to manually inspect the client credentials.
Thanks for your help
The best for your case can be BasicHttpBinding with security set to TransportWithMessageCredentials and credential type set to UserName. In this case your service will be secured with HTTPS (requires server certificate for SSL which has to be trusted on clients) and authentication will be provided on message level with UserName Token Profile (SOAP header). You can implement your own password validator.
BasicHttpBinding configuration skeleton:
<bindings>
<basicHttpBinding>
<binding name="Secured">
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
</binding>
</basicHttpBinding>
</bindings>
If you don't want to use HTTPS you can create custom binding with HttpTransport, TextMessageEncoding and with security mode set to UserNameOverTransport. But you have to set allowInsecureTransport to true (be aware that there is some bug with WSDL generation in this setting).
Custom binding configuration skeleton:
<bindings>
<customBinding>
<binding name="Secured">
<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap11" />
<httpTransport />
</binding>
</cutomBinding>
</bindings>
See the Internet section of the Application Scenarios for guides on how to achieve this:CodePlex Application Scenarios
I have to connect to secured webservice, I am passing in the credentials while calling the service
But I am getting following error message while calling service
"An error was discovered processing
the < wsse:Security > header"
I am using basicHttpBinding with security mode set to "Transport"
The endpoint address points to secured site URL
I am not sure why I am getting this error message, Am i missing something?
You're using basicHttpBinding, and passing credentials, so I believe you must use something to the effect of:
<basicHttpBinding>
<binding name="myBinding">
<security mode="TransportWithMessageCredential">
<transport />
<message clientCredentialType="Username" />
</security>
</binding>
</basicHttpBinding>
This will allow messages to flow via SSL (secure transport) with plain credentials.