Friday, July 1, 2011

I'm an MVP (again!)

I guess I can skip the traditional email quote by now. I just got the 2011 MVP award in Connected System Developer. Becoming an MVP last year was the beginning of a very interesting year. I'm super excited to get this award for the second time. I'll do my best to justify this recognition.

What's next? get this blog rss updates or register for mail updates!

Saturday, June 18, 2011

Binding Box now supports the Wcf Interop Bindings

Earlier this week Microsoft released the Wcf Interop Bindings and VS extension. You can download and try it from here.

Today I am proud to announce that the Wcf Binding Box supports these interoperability bindings.



What is the Wcf Binding Box?
It is an online bindings converter. You give it a binding configuration (e.g. WSHttpBinding) and it returns an equivalent custom binding.

Full explanation is here.

Why do we need it?
Because it's fun :) It also lets you take a working WSHttpBinding and further customize it with settings which it does not directly expose, for example MaxClockSkew.

How do the interop bindings relate to this?
Suppose you use the interop bindings to author a Wcf service which WebLogic consumes. You may want to further configure your Wcf service with settings that the WebLogicBinding does not expose. Since the WebLogicBinding internally inherits from WSHttpBinding this is a similar use case to the original purpose of the binding box.

Example

Put this WebSphere binding as the input in the binding box:

<bindings>
   <webSphereBinding>
     <binding name="interopBinding" messageEncoding="Text">
       <security mode="MutualCertificate" establishSecurityContext="true" algorithmSuite="TripleDes" />
     </binding>
   </webSphereBinding>
</bindings>

and this is the custom binding output:


<customBinding>
   <binding name="NewBinding0">
     <transactionFlow transactionProtocol="WSAtomicTransaction11" />
     <security authenticationMode="SecureConversation" algorithmSuite="TripleDes" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
       <secureConversationBootstrap authenticationMode="MutualCertificate" requireSignatureConfirmation="true" algorithmSuite="TripleDes" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" requireDerivedKeys="false" />
     </security>
     <textMessageEncoding />
     <httpTransport />
   </binding>
</customBinding>

Check out the binding box here.


Tuesday, June 14, 2011

Test drive the shiny new Wcf interop bindings

wcf.codeplex.com is where most of the wcf action happens these days. If you have been following it recently you have seen a lot of activity around Rest and Http. As of yesterday Soap officially joins the codeplex party. Microsoft has just released the WCF Express Interop Bindings - a new Visual Studio extension for Soap web services interoperability. If you use Wcf this matters to you!

What did Microsoft release yesterday?

Web services interoperability is always a pain. When security is involved it is usually more than a casual 'ouch'. Yes, WsHttpBinding has a specific permutation of settings which can interoperate with Oracle WebLogic. And I know a lot of people who have tried to find that permutation by brute force. Mostly this is a waste of time which we would rather invest in more productive areas.

So here's the idea behind yesterday's release: We now have a new binding, WebLogicBinding, which only allows us to configure settings which are interoperable with WebLogic. So all settings are interoperable! We also have bindings for WebSphere, Axis2 (WSO2) and Metro (WSIT / GlassFish / Tango).
In addition we got a nice wizard on top of Visual Studio's new project dialog which allows us to easily author interoperable services using these bindings.



But don't we already have WS-Policy for interoperability?

WS-Policy helps clients generate proxies which comply with the service requirements as expressed by the Wsdl. The express bindings solve an earlier problem: how to write, in the first place, a service which a specific client platform can support? Once we write such a service its Wsdl will contain the WS-Policy pixie dust so that the client can auto-configure itself.

Nice... I'll take two!
You can take four: MetroBinding, WebSphereBinding, WebLogicBinding and Wso2InteropBinding.
Take them from here.


Tutorial - WCF and Metro interop

Let's see why web services interoperability just got a whole lot easier.
We'll create a WCF service with mutual X.509 certificates at the message level and consume it with a Metro client.

1. Prepare the environment
You need VS 2010 and the express bindings. After you extract the bindings zip simply execute bin\Microsoft.ServiceModel.Interop.Extension.vsix which will install it on VS.


2. Create a new service

In VS create a new project. Note how the Wcf node now contains a new project type "Express Interop Wcf Service Application":


Choose that project type.

3. Configure the express binding wizard

A few moments after creating the project you will see the wizard.
First choose the platform our clients will use - Metro, this time.


Now we need to configure our security requirements. Choose "mutual certificate" which means both client and server will present an X.509 certificate at the message level. It also implies encryption and digital signature (in this case). To keep it simple we omit the secure conversation.


Next in the advanced settings use the Basic128 algorithm since it is the one Metro supports by default (for Basic256 a patch needs to be applied).


Finally configure the certificate.


I recommend using this certificate (password: adminadmin):



Now run the service. This is a web site project so it will open the documentation page with the Wsdl link. Make sure to have the Wsdl url handy since we will use it in a moment.



Now we want to configure Metro.

1. Set up the environment

You should have NetBeans 7 (or higher), though NetBeans 6.7 also worked for me.


2. Create a new project of type Java Application:


Any of the default settings are fine:


3. Right click the package in the project view and add a new "web service client":


Now is a good time to paste that Wsdl url:


4. The service reference is now in the project view so right click it and edit the Web Service Attributes (similar to the Wcf configuration... just very different :):


5. This step is a workaround if your NetBeans version ships with Metro 2.0 (which is the case for NetBeans 7). See below how to know if you need it.

We can see that Metro has automatically identified that client and server certificates are required. This is due to the WS-Policy in the Wsdl.

Before we continue we need a small trick. NetBeans 7 ships with Metro 2.0 which has a bug with certificates. For the benefit of those who reach this post via a search engine, this is the error message:

java.lang.NullPointerException
...
at com.sun.xml.ws.security.impl.policy.CertificateRetriever.digestBST (CertificateRetriever.java:136)

To solve this you need to download Metro 2.1 (or higher). For now just extract it to some folder.

Now as part of this workaround check the "use development defaults" drop down in the quality attributes dialog you opened in step 4. Also approve any message you are prompted with.


Click Ok to close the dialog.

In the project pane expand the libraries node. It should look like this:


This workaround applies to version 2. If you see another version (even an earlier one) there is no need for it. What you need to do is delete all the references to Metro jar files (don't delete the jdk though). In their place, right click the "libraries" node, choose "add jar/folder..." and choose the jar files in the metro\bin folder from the Metro 2.1 zip you just extracted. Add all jar files in that folder. The libraries node will now look like this:


6. We are now ready to do the actual configuration. Open the web service quality attributes form again as you did in step 4. Uncheck the "use development defaults" check box. Now configure the keystore and trust store. I recommend using this java key store file:



Open "Keystore..." and "Truststore..." each in turn and do the following.
Set the path to the .jks file you extracted from the certificates file above, set the password to "adminadmin", and click "load alias". The alias for the key store is xws-security-client and for the trust store is xws-security-server.





7. Now we need to write the client code.

Since most of my readers are .Net developers let's see if we can pull this one out without any Java coding at all.

Drag the GetData node from the project pane to the main() method. It should now look like this (depending on the NetBeans version):

public static void main(String[] args) {
    try { // Call Web Service Operation
        org.tempuri.Service service = new org.tempuri.Service();
        org.tempuri.IService port = service.getMetroBindingIService();
        // TODO initialize WS operation arguments here
        java.lang.Integer value = Integer.valueOf(0);
        // TODO process result here
        java.lang.String result = port.getData(value);
        System.out.println("Result = " + result);
    } catch (Exception ex) {
        // Report the failure instead of silently swallowing it
        ex.printStackTrace();
    }
}


If you use NetBeans 7 it will only generate a method, so you need to add code that calls it:

public static void main(String[] args) {
    try {
        String s = getData(2);
        System.out.println("the result is: " + s);
    } catch (Exception ex) {
        // Print the message together with the full stack trace
        ex.printStackTrace();
    }
}

// Generated by NetBeans: calls the service through the Metro proxy
private static String getData(java.lang.Integer value) {
    org.tempuri.Service service = new org.tempuri.Service();
    org.tempuri.IService port = service.getMetroBindingIService();
    return port.getData(value);
}
} // closes the enclosing class generated by NetBeans

8. Now run the application (F6).

Here is the output:

the result is: 2


Web services interoperability was never easier!


Sunday, May 8, 2011

Cannot resolve KeyInfo for unwrapping key

With web services, sometimes your client receives a good response from the server but still throws an exception due to some policy violation. With wcf / mutual authentication the following error can appear:


Cannot resolve KeyInfo for unwrapping key: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=MyCert', Serial = '-903515464456238801534567116928')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)

This error usually means that the server has digitally signed its response using an unexpected certificate. The expected certificate is the one which the client has configured as the server certificate and has possibly used to encrypt the message.

So as with many of the security interoperability problems, you should verify that you use the correct certificate on both sides of the wire.
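To see which certificate the error refers to, the issuer and serial can be pulled out of the message and compared with the serial a certificate viewer displays in hex. This is an added example, not code from the original post; the function names are hypothetical, and it assumes the negative decimal is the signed reading of the certificate's serial bytes.

```python
import re

# The error text quoted in the post, embedded so the example runs offline.
SAMPLE_ERROR = (
    "Cannot resolve KeyInfo for unwrapping key: KeyInfo 'SecurityKeyIdentifier\n"
    "(\nIsReadOnly = False,\nCount = 1,\n"
    "Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=MyCert', "
    "Serial = '-903515464456238801534567116928')\n)\n"
    "', available tokens 'SecurityTokenResolver\n(\nTokenCount = 0,\n)\n"
)

CLAUSE = re.compile(
    r"X509IssuerSerialKeyIdentifierClause\(Issuer = '([^']*)', Serial = '(-?\d+)'\)"
)


def parse_clauses(error_text):
    """Return [(issuer, serial_as_int), ...] for every issuer/serial clause."""
    return [(issuer, int(serial)) for issuer, serial in CLAUSE.findall(error_text)]


def serial_to_hex(serial):
    """Hex of the shortest big-endian two's-complement encoding of the serial.

    Assumption: a negative decimal is the signed reading of serial bytes whose
    top bit is set, so these are the bytes a certificate viewer shows in hex.
    """
    magnitude = serial if serial >= 0 else ~serial
    length = magnitude.bit_length() // 8 + 1  # always leaves room for the sign bit
    return serial.to_bytes(length, "big", signed=True).hex()


def same_serial(serial, displayed_hex):
    """Compare the decimal serial with hex copied from a certificate tool."""
    digits = re.sub(r"[^0-9a-fA-F]", "", displayed_hex)  # drop spaces and colons
    raw = bytes.fromhex(digits.zfill(len(digits) + len(digits) % 2))
    return serial in (
        int.from_bytes(raw, "big", signed=True),   # tool shows the raw bytes
        int.from_bytes(raw, "big", signed=False),  # tool omits a leading 00
    )


if __name__ == "__main__":
    for issuer, serial in parse_clauses(SAMPLE_ERROR):
        print("issuer:", issuer, "serial (hex):", serial_to_hex(serial))
```

Run `same_serial` against the serial of the certificate each side has configured for the server; the side whose certificate does not match is the one to fix.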


Anyone else having problems with Google Calendar?

Update (July 11): Fixed!

I'll start by saying that google calendar is a great product which I was happy to use for quite a while. Not any more, it seems. For some reason I intermittently don't get email notifications about scheduled events. I first noticed that over a year ago and assumed it was a one-off glitch. I have since noticed it on many more occasions and since last week I don't get notifications at all.

I mainly use gcal as a "send myself a future email reminder" application. While it does not contain any important appointments, I do have there information about birthdays, random arrangements, sites without rss which I periodically visit etc. And while managing to live without these unsent reminders makes me wonder if I had ever needed them anyway, it is still annoying.

This issue appears in several gcal forum threads, has a special troubleshooting page, and is actually a known issue. The last link says "We're currently investigating reports from users who indicate that they're not receiving email notifications for their events". How many users? What is the current status?

Just out of curiosity - does anyone else experience missing email notifications from google calendar?


Friday, May 6, 2011

Wcf with WS-Addressing March 2004

Wcf supports two WS-Addressing versions – the August 2004 draft and the actual standard v1.0. There is another wsa version which is used by some soap stacks (who said wse 2?) – the March 2004 draft. To turn this fact into a more practical problem, you might need to write a wcf client for a (non Wcf) service which expects a request like this:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">
  <Header>
    <wsa:Action>http://myAction</wsa:Action>
    <wsa:MessageID>uuid:5024616c-d0r2-56h3-bjj7-ab10p89eee63</wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://server/Calc</wsa:To>
...

(note the wsa namespace version, 2004/03 – wcf cannot emit it).

One straightforward way to do this with wcf is to push these headers to the soap using a message inspector. But what if you also need to sign the wsa headers with a digital signature?

In this case you need to write a custom behavior which pushes the wsa headers to the IncomingSignatureParts property. The whole code looks like this:
 

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;
using System.Xml.Linq;
using MyApplication.ServiceReference1;

namespace MyApplication
{
    // Endpoint behavior that adds the March 2004 wsa headers to every request
    // and asks the security channel to sign them.
    public class SignMessageHeaderBehavior : Attribute, IEndpointBehavior
    {
        string action;
        List<XmlQualifiedName> headers;

        public SignMessageHeaderBehavior(List<XmlQualifiedName> headers, string action)
        {
            this.headers = headers;
            this.action = action;
        }

        public void Validate(ServiceEndpoint endpoint)
        {
        }

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
        {
            var requirements = bindingParameters.Find<ChannelProtectionRequirements>();

            // "Incoming" is from the service's point of view: these are the parts
            // that must be signed in messages sent from the client to the service.
            foreach (var h in headers)
            {
                var part = new MessagePartSpecification(h);
                requirements.IncomingSignatureParts.AddParts(part, action);
            }
        }

        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
        {
        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {
            clientRuntime.MessageInspectors.Add(new AddHeaderMessageInspector());
        }
    }

    // Serialized as the content of wsa:ReplyTo, i.e. a wsa:Address child element
    [DataContract(Namespace="http://schemas.xmlsoap.org/ws/2004/03/addressing")]
    public class ReplyToHeader
    {
        [DataMember]
        public string Address { get; set; }
    }

    public class AddHeaderMessageInspector : IClientMessageInspector
    {
        public object BeforeSendRequest(ref Message request, IClientChannel channel)
        {
            // Header values are the samples from the request shown above;
            // a real client would generate a fresh MessageID for every message.
            request.Headers.Add(MessageHeader.CreateHeader("Action", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "http://myAction"));
            request.Headers.Add(MessageHeader.CreateHeader("MessageID", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "uuid:5024616c-d0r2-56h3-bjj7-ab10p89eee63"));
            request.Headers.Add(MessageHeader.CreateHeader("ReplyTo", "http://schemas.xmlsoap.org/ws/2004/03/addressing", new ReplyToHeader() { Address = "http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous" }));
            request.Headers.Add(MessageHeader.CreateHeader("To", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "http://server/Calc"));

            // The return value is only correlation state for AfterReceiveReply; none is needed
            return null;
        }

        public void AfterReceiveReply(ref Message reply, object correlationState)
        {
        }
    }

    class Program
    {
        static void Main(string[] args)
        {
            var c = new SimpleServiceSoapClient();

            // The wsa headers that must be covered by the signature
            var headers = new List<XmlQualifiedName>();
            headers.Add(new XmlQualifiedName("Action", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("MessageID", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("ReplyTo", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("To", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));

            c.Endpoint.Behaviors.Add(
                new SignMessageHeaderBehavior(headers, "http://tempuri.org/EchoString"));

            c.EchoString("123");
        }
    }
}
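
A way to confirm from a captured request that the signature really covers the four wsa headers, as an added example (not code from the original post). The sample envelope is constructed, the function name is hypothetical, and the check looks only at which elements the signature references, not at whether the signature verifies.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://schemas.xmlsoap.org/ws/2004/03/addressing"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample of a captured request (digests and signature value left
# out). The To header is deliberately not referenced by the signature.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsa="{WSA}" xmlns:u="{WSU}">
  <s:Header>
    <wsa:Action u:Id="_2">http://myAction</wsa:Action>
    <wsa:MessageID u:Id="_3">uuid:constructed-sample</wsa:MessageID>
    <wsa:ReplyTo u:Id="_4"><wsa:Address>{WSA}/role/anonymous</wsa:Address></wsa:ReplyTo>
    <wsa:To>http://server/Calc</wsa:To>
    <o:Security xmlns:o="{WSSE}">
      <Signature xmlns="{DS}"><SignedInfo>
        <Reference URI="#_1"/><Reference URI="#_2"/>
        <Reference URI="#_3"/><Reference URI="#_4"/>
      </SignedInfo></Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_1"/>
</s:Envelope>"""


def unsigned_headers(envelope_xml, names=("Action", "MessageID", "ReplyTo", "To")):
    """Return the wsa header names that the message signature does not cover."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return list(names)
    # Ids referenced from the signature's SignedInfo (same-document "#id" URIs)
    signed_ids = set()
    for info in header.iter(f"{{{DS}}}SignedInfo"):
        for ref in info.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                signed_ids.add(uri[1:])
    all_ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    uncovered = []
    for name in names:
        found = header.findall(f"{{{WSA}}}{name}")
        header_id = found[0].get(WSU_ID) if len(found) == 1 else None
        # Covered only if the header appears exactly once, its Id is referenced,
        # and no other element in the envelope reuses that Id.
        if header_id not in signed_ids or all_ids.count(header_id) != 1:
            uncovered.append(name)
    return uncovered


if __name__ == "__main__":
    print("headers not covered by the signature:", unsigned_headers(SAMPLE))
```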


Saturday, April 23, 2011

svcutil.exe with a wsdl on the local disk

svcutil.exe is a command-line tool to generate wcf proxies from wsdl files (and more).

For example the following command:

$> svcutil http://localhost/MyServices/Service.svc?WSDL

will generate Service.cs which is the proxy you can add to your project.

Sometimes the wsdl file is not on a url but on the local disk. In theory this should work:

$> svcutil c:\services\calc.wsdl

In practice this works only if the wsdl does not reference other wsdl or xsd files (even if their relative reference is correct). The same wsdl works with "add service reference" in VS, so I'm not sure why it fails here. One solution is to explicitly specify all the referenced schema files in the command:

$> svcutil "c:\services\calc.wsdl" "c:\person.xsd" "c:\units.xsd"

This usually works but requires manual work and is not always desired when a large number of references is used.
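
The manual step can be scripted: the code below walks the wsdl:import, xsd:import and xsd:include references of a local wsdl and builds the explicit command line. It is an added example, not from the original post; the function names are hypothetical, and references to remote (http) locations are skipped.

```python
import os
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Which attribute carries the file reference on each referencing element
REFERENCE_ATTRS = {
    f"{{{WSDL_NS}}}import": "location",
    f"{{{XSD_NS}}}import": "schemaLocation",
    f"{{{XSD_NS}}}include": "schemaLocation",
}


def collect_documents(wsdl_path):
    """Return the wsdl plus every local wsdl/xsd it references, transitively."""
    ordered, seen = [], set()
    pending = [os.path.abspath(wsdl_path)]
    while pending:
        path = pending.pop()
        if path in seen:  # also protects against circular imports
            continue
        seen.add(path)
        ordered.append(path)
        base = os.path.dirname(path)
        for elem in ET.parse(path).iter():
            attr = REFERENCE_ATTRS.get(elem.tag)
            location = elem.get(attr) if attr else None
            # Relative references are resolved against the referencing file
            if location and "://" not in location:
                pending.append(os.path.normpath(os.path.join(base, location)))
    return ordered


def svcutil_command(wsdl_path):
    """Build the svcutil command line that names every document explicitly."""
    return "svcutil " + " ".join(f'"{p}"' for p in collect_documents(wsdl_path))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(svcutil_command(sys.argv[1]))
    else:
        print("usage: python collect_wsdl_refs.py path-to-wsdl")
```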

An alternative would be to upload the wsdl and the references to a web server and run svcutil from there. If you have iis on your dev machine this is actually pretty simple:

1. copy the wsdl root folder to a subfolder under c:\inetpub\wwwroot
2. run

$> svcutil http://localhost/root/calc.wsdl

That's all, no need to specify all files. svcutil works well from url locations. Do not forget to remove the wsdl folder afterwards so your iis folder stays clean.
