Sunday, April 26, 2009

Java, WCF & Web Services Interoperability (part 2 of N): Know your X.509

@YaronNaveh


So, you want to write an Axis2 web service and have .Net WCF clients too? Or maybe you already have a .Net 2.0 endpoint and want it to be consumed by WSIT? Yes, that’s possible, but there is some important stuff you should know about. Whether you are a .Net WCF, AXIS2, Metro or any other framework developer/tester – you want to stay tuned for this series.

When a Java client sends a request to a secured WCF service sometimes this soap fault can come back:

An error occurred when verifying security for the message


Insdie the WCF trace log these errors appear:

Message security verification failed.


And the inner exception is:

Cannot read the token from the 'BinarySecurityToken' element with the 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' namespace for BinarySecretSecurityToken, with a 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v1' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified.


The problem is with the X.509 certificate/key that the client is using: It is of version 1 of X.509. WCF only supports version 3 certificates. We can see that the request strictly stated it was using v1:

<o:BinarySecurityToken u:Id="uuid-856599a5-7c38-465c-9ae8-69b59af419b7-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v1" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">MIIBxDCCAW6gA…


Interestingly enough, Wcf can work with the certificate content itself so if we could change the SOAP to have “v3” instead of “v1” everything would have worked. However the straight forward way to solve this is to use X.509V3 at the client side.
BTW We can see the certificate version by double clicking its file in windows:


@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

36 comments:

Unknown said...

Hi, I'm having the response:
org.apache.axis2.AxisFault: An error occurred when verifying security for the message.

You mentioned that the stright forward solution is the client to use the X.509V3, how could I get this in Axis2?

Yaron Naveh (MVP) said...

Carlos

If I understood correctly you are using a .Net client and an Axis2 service. In this case the V3 should not cause an exception in the Axis side (only .Net does not know how to handle this). So it looks like the wrong binding is used.

I would suggest to use Axis2 WS-Policy flavored services. Also you can create an Axis2 client and compare the soap it sends to the one your client sends.

Yaron Naveh (MVP) said...

On the other hand and you are using an Axis2 client and a .Net service then it is just a matter of using the correct certificate. You should go the the one that provided you the certificate and ask to get a V3 one. You can also create a testing certificate with openssl.

In order to verify that this is the error you should turn on your WCF tracing or search the event log for WSE errors.

Unknown said...

Hi I have configured my WCF Service with the UserNameAuthentication. When i tried to call the service method using Axis2 Stub by setting the Options.setUserName("ddd") and Options.setPassword("sss") also i am getting the same error.

here is the java client code
Please help me to solve this..

So much thanks to u if u really help me...
ServiceClient sc = stub._getServiceClient();
Options options=sc.getOptions();
options.setUserName("sss");
options.setPassword("444ds");
stub._getServiceClient().setOptions(options);

stub._callMyServMethod();


I am getting the same error in eclipse IDE "An error occurred when verifying security for the message"

Yaron Naveh (MVP) said...

Hi Murali

You need to use a tool like tcpmon or Fiddler or WCF logging to see how the soap your client generates look like and compare it to the SOAP of a working WCF client. If you find differences you can ask in the Axis2 JIRA how to configure it.

Also you should turn on WCF tracing and get a more detailed error on the WCF side. Remember that not all WCF configurations are interoperable, for example negotiateServiceCredentials must be false.

Anonymous said...

Hi,

I am trying to call .NET service from AXIS 1.4. The SOAPAction is not being sent to .NET service and so is failing. Is there some this that needs to be done on client or service to get it to work?

Thanks
Kiran

Yaron Naveh (MVP) said...

Hi Kiran

Some WCF services do require an HTTP SOAPAction being sent. Axis 1.4 should be able to automatically get the action from the WSDL and send it. It should be able to manually instruct axis to send the header if it does not do so. I suggest you will ask in axis forums on this - I don't recall the exact syntax.

Note that there is a similar concept of WS-Addressing action header which many WCF services require and if this is the case then you would need one of Axis extensions that support this.

Anonymous said...

I'm running a wsf/php service and have someone trying to write a wcf client against it. Their client is sending an "Action" custom header w/ mustUnderstand="1" and my service is replying that the header is not understood. I haven't yet found the way to specify custom header handlers on my side, but in the meantime is it possible to disable sending the header on the wcf side? There seems to be a line in his (generated) code that's setting an OperationContractAttribute corresponding to the Action header -- can that line just be commented out, perhaps?

Yaron Naveh (MVP) said...

Anonymous

WCF can handle some Action headers - it depends in the namespace. Generally it is controlled by the WS-Addressing version which can be set in the textMessageEncoding channel of a custom binding.
This same channel controls if WCF sends this header.
wsHttpBinding uses WS-Addressing 1.0, basicHttpBinding doesnot use it at all (so no Action is sent by WCF) and in a custom binding you can control the exact version.

Anonymous said...

Strange...it looks like basicHttpBinding is what's being set in the App.config, yet it's still sending the Action.

Yaron Naveh (MVP) said...

Then try a custom binding where you can explicitly set the message version to "Soap11" (which means no addressing)

Unknown said...

hi,

how do i call a java webservice from wcf. i.e by adding it as service reference.

The java webservice expects authentication via username and password for every call i make.

how do i handle authentication issue using this approach.

Yaron Naveh (MVP) said...

hot ice

If your java client uses ws-policy then when you add the service reference wcf is already configured with the right settings.

Otherwise you need to know the exact details of authentication: Is it user/pass in the message level or transport? Is X.509 also used?

For simple cases basicHttpBinding might work.

Unknown said...

Hi Yaron,

I have specified the user name and password in my .net 3.5 app.
but still i get the following exception:

MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood

The other blogs which i've read tell me that:

"The .NET client (this also applies to WCF) is designed to expect a “Unauthorized” HTTP error (401) from the server to respond to, without that the credentials are not sent. Also setting the PreAuthenticate property to true will only force the client to send the credentials with every message after this has first been required by the server. The problem with the Java web service was that is sent a “Internal Server Error” HTTP error (501) and a valid SOAP error when the authentication failed. So the credentials where never sent."

Now how do i get this working??

Yaron Naveh (MVP) said...

hot ice

We need to know how a good request looks like in terms of HTTP headers and Body (which is SOAP).

You can get this from a working Java client by a tool like Fiddler or tcpMon.

Then compare this to what the WCF client sends (using the same means) and we can see the gap.

Unknown said...

Hi Yaron,
I have developed and java service with ws security and my client .net ,my problem is i am able to decrypt the request message comming form .net client but unable to process the message , i am getting as actions mismatch. pleas find the below error details:
org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed (actions mismatch)at org.apache.rampart.handler.WSDoAllReceiver.processBasic(WSDoAllReceiver.java:215)

my app.config is as below



































Thanks in Advance
---------
Siva

Unknown said...

Hi yaron,

I am following Timestamp Encrypt and Signature actions in java and my java configuration is as below



Timestamp Encrypt Signature
com.test.ws.PasswordCallBackHandler
service.properties
service.properties
false





Timestamp Encrypt Signature
kiwiservice
kiwiclient
service.properties
com.test.ws.PasswordCallBackHandler
service.properties
DirectReference




Thanks in Advance
----------
Siva

Yaron Naveh (MVP) said...

Siva

Can you post a sample working Soap message from a Java client?

Shameer said...

In my case it is a WCF client, and a Java service. The request is sent successfully and the response is reached the client machine, but WCF throws the above said error (Cannot read the token..)

I can see the #X509v3 is mentioned in the SOAP request from the client(WCF), but couldn't find any version mentioned in the response(Spring Webservices).

Can you suggest what is the solution here ? How can make the WCF client work in this scenario ?

Yaron Naveh (MVP) said...

Sameerean

Try to set the security version to WSSecurity11... and requireSignatureConfirmation="true"

Shameer said...

I tried this. It still complains - The security header element 'SignatureConfirmation' with the 'SigConf-25' id must be signed.

Does it sign a signatureConfirmation ?

If yes, how can we do it ?

I have checked it with WSS4J code, which is at the server side. I couldn't find a way.

Is there a way to disable this validation at the client side ?

Shameer said...

I tried this. It still complains - The security header element 'SignatureConfirmation' with the 'SigConf-25' id must be signed.

Does it sign a signatureConfirmation ?

If yes, how can we do it ?

I have checked it with WSS4J code, which is at the server side. I couldn't find a way.

Is there a way to disable this validation at the client side ?

Yaron Naveh (MVP) said...

sameerean

I answered you on this now in a different forum.

Unknown said...

Yaron,

I'm trying to call an Axis 1.4 WS from .Net. A working request is as follows:

POST /FTMaster HTTP/1.0
Content-Type: text/xml; charset=utf-8
Accept: application/soap+xml, application/dime, multipart/related, text/*
User-Agent: Axis/1.4
Host: localhost:2000
Cache-Control: no-cache
Pragma: no-cache
SOAPAction: ""
Content-Length: 1176
Authorization: Basic YWJjODc2NDg2Njp7e0V9fTMwMzAwMDAwNjE3ODczMzA=

<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><soapenv:Header><ns1:gzip soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0" xmlns:ns1="Content-Encoding"/></soapenv:Header><soapenv:Body><ns2:getHitsByDate soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns2="http://localhost:2000/FTMaster"><ns2:arg0 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">20010101</ns2:arg0><ns2:arg1 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">20020101</ns2:arg1><ns2:arg2 xsi:type="soapenc:string" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">test</ns2:arg2><ns2:arg3 xsi:nil="true"/><ns2:arg4 href="#id0"/><ns2:arg5 xsi:nil="true"/></ns2:getHitsByDate><multiRef id="id0" soapenc:root="0" soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xsi:type="soapenc:int" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">1000</multiRef></soapenv:Body></soapenv:Envelope>

The request I'm currently producing is:

POST /FTMaster HTTP/1.1
Content-Type: text/xml; charset=utf-8
VsDebuggerCausalityData: uIDPo35q+idJWctAuGtFH1pEO4MAAAAA6iJ49SN23ECXPnILKy3w9KFiLJeLN/RNnS84mjmib+IACQAA
SOAPAction: ""
Host: localhost:2000
Content-Length: 540
Expect: 100-continue
Connection: Keep-Alive

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<q1:getHitsByDate xmlns:q1="urn:axsone.com:FTMaster">
<fromDate xsi:type="xsd:string">19600101</fromDate>
<toDate xsi:type="xsd:string">19600101</toDate>
<query xsi:type="xsd:string">hello</query>
<numHits xsi:type="xsd:int">100</numHits>
<extParams xsi:type="xsd:string"/>
</q1:getHitsByDate>
</s:Body></s:Envelope>

My app.config has:

<security mode="None">
<transport clientCredentialType="None" proxyCredentialType="None"
realm="">
<extendedProtectionPolicy policyEnforcement="Never" />
</transport>
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

and my code is:

FTMasterClient ftm = new FTMasterClient();
ftm.ClientCredentials.UserName.UserName = "";
ftm.ClientCredentials.UserName.Password = "{{E}}3030000061787330";

How should I set app.config to pass the userName and password correctly?

Thanks.

Aris

Yaron Naveh (MVP) said...

Aris

Use this binding, if necessary set the realm property. Note that witth basic authentication the client first sends a message without credentials, gets back an error and then sends a second message with credentials.

Yaron Naveh (MVP) said...

ok so xml does nto work well in comments...
What you need is to set mode="Transport" and clientCredentialType to "Basic"

Jordi Ruiz said...

Hello Yaron,

I'm developing a wcf client for consuming a axis2 service.

I have to add security in transport layer using certificate and sign the message using also a certificate and add a timestamp.

This is my app.config:


































When I execute my wcf client I get the following error:

Unbound prefix used in qualified name 'IPWEBSERVICE:org.apache.axis2.AxisFault: WSDoAllReceiver: security processing failed (actions mismatch)'.

My service provider told me that is important respect the order of timestamp. Can I change this order?

Thanks in advance.

Jordi Ruiz said...

This is my soap message:


This is my soap message:


http://www.openuri.org/procesa
urn:uuid:f20e0dfa-270f-453c-b099-f09443419055
3b2b1d93-479d-472f-992c-10e5da2974af

http://www.w3.org/2005/08/addressing/anonymous

https://serveis-pre.iop.aoc.cat/siri-proxy/services/Sincron


2011-06-08T06:51:07.234Z
2011-06-08T06:56:07.234Z


MIIIUTCCBzmgAwIBAgIQHNQfeN6ZPohNT6+u8MxIpTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ2VuY2lhIENhdGFsYW5hIGRlIENlcnRpZmljYWNpbyAoTklGIFEtMDgwMTE3Ni1JKTE0MDIGA1UEBxMrUGFzc2F0Z2UgZGUgbGEgQ29uY2VwY2lvIDExIDA4MDA4IEJhcmNlbG9uYTEuMCwGA1UECxMlU2VydmVpcyBQdWJsaWNzIGRlIENlcnRpZmljYWNpbyBFQ1YtMjE3MDUGA1UECxMuVmVnZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5uZXQvdmVyQ0lDLTIgICAoYykwMzE0MDIGA1UECxMrU2VjcmV0YXJpYSBkJ0FkbWluaXN0cmFjaW8gaSBGdW5jaW8gUHVibGljYTEdMBsGA1UEAxMUUFJFUFJPRFVDQ0lPIEVDLVNBRlAwHhcNMTEwMjA3MDgzOTA1WhcNMTUwMjA3MDgzODQzWjCB1zELMAkGA1UEBhMCRVMxLTArBgNVBAoUJENvbnNvcmNpIGQnQWNjafMgU29jaWFsIGRlIENhdGFsdW55YTEuMCwGA1UECxQlU2VydmVpcyBQ+mJsaWNzIGRlIENlcnRpZmljYWNp8yBDREEtMTE1MDMGA1UECxMsVmVnZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5jYXQvdmVyQ0RBLTEgKGMpMDMxMjAwBgNVBAMUKVNlcnZlaSBkZSB0cmFtaXRhY2nzIGVsZWN0cm9uaWNhIGRlbCBDQVNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwItF+6hPxumy7yLjfzEhDs81CRl7twiBi7u0D0tLZhOJ8Bl3msU3Y2qrBKdrEqZWOIkImJuCj484UfxOjmgOBlBIMfWDlDtYrdqFCkuFLjsYQ49RyJzm1b1JWVdjXzMU/CzaabVFCYJzDNB5kCee77ReC5nVugAFLao3VX7+CH+/AWqCHeASryWbTPlChbBAj3hcvylzb1bVM1wTX2W9CPKbSSUey5ETR+YVyeYlNa10W/h3cpsY/rfbVFA1okeEVIKuZ1F0E9Tp+5I0ivAE98znHk/3JHk80qkBtU1I93i43V0BYxdLkIErjn2Gm5uA6BBCw1bi5YYvTb3AGg34twIDAQABo4IDrTCCA6kwOAYDVR0RBDEwL4EVaWduYXNpLnRlYmVAc3BlbnRhLmVzpBYwFDESMBAGA1UEBRMJUTE3MDA1ODBCMA4GA1UdDwEB/wQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBQLFCluImkHk9j+38cAPngD5fhtaDCCAT0GA1UdIwSCATQwggEwgBRhDpeFuX3b2AVBt43iMBNerldw3qGCAQSkggEAMIH9MQswCQYDVQQGEwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8gKE5JRiBRLTA4MDExNzYtSSkxLjAsBgNVBAsTJVNlcnZlaXMgUHVibGljcyBkZSBDZXJ0aWZpY2FjaW8gRUNWLTExPTA7BgNVBAsTNFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3ZlcnByZXByb2R1Y2NpbyAgKGMpMDMxITAfBgNVBAsTGEdlbmVyYWxpdGF0IGRlIENhdGFsdW55YTEfMB0GA1UEAxMWUFJFUFJPRFVDQ0lPIEVDLUdFTkNBVIIQA2iZHTwEzGdFPdJ6cIcKjTCBzAYDVR0gBIHEMIHBMIG+BgsrBgEEAfV4AQMBWzCBrjAsBggrBgEFBQcCARYgaHR0cHM6Ly93d3cuY2F0Y2VydC5jYXQvdmVyQ0RBLTEwfgYIKwYBBQUHAgIwchpwQXF1ZXN0IOlzIHVuIGNlcnRpZmljYXQgZGUgZGlzcG9zaXRpdSBkJ2FwbGljYWNp8yBhc3NlZ3VyYWRhIGRlIGNsYXNzZSAxLiBWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0LmNhdC92ZXJDREEtMTCBhQYIKwYBBQUHAQEEeTB3MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wcmVwcm9kdWNjaW8uY2F0Y2VydC5jYXQwQwYIKwYBBQUHMAKGN2h0dHA6Ly93d3cuY2F0Y2VydC5jYXQvZGVzY2FycmVnYS9wcmVwcm9kdWNjaW9fc2FmcC5jcnQwdAYDVR0fBG0wazBpoGegZYYwaHR0cDovL2Vwc2NkLmNhdGNlcnQubmV0L2NybC9wcmVwcm9kX2VjLXNhZnAuY3JshjFodHRwOi8vZXBzY2QyLmNhdGNlcnQubmV0L2NybC9wcmVwcm9kX2VjLXNhZnAuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCgWYT1CEt3kWs0aPnrz9jj9gZCNL1YywWE9xXCYk9Tk8SVvQU693ZgSeAFDJJS80YbyZGoWHjvbSIAgLgyGccRiq83ZA+t135ktwkYi2GhzZKJO1XX4JshTUY7H3K64D4+FLMUkY+34rub3gibjJMQiEB+9HV3umerDuSqGm9P9EsoDvsJZZRsG/QADjR9lbiIOSnNPnulICPc+XNSRnnTOhMSMDynv5ZxpbsuJtgxFnfauL73e10tl1W4y/isB3OuZnQfPE+yaab4n3Pehl0XqgZAVWX+9IstmCf63weBGXntjh7VCN0+X6t5S6+R1KVL/0n/KbjTGxbOwP4yTmEg










5uXA33wj3iw5bhuzRMTPq6clAMU=






YLwffGBw3SZFSKL907Vp5QMbQmo=



Wg1C3Px+1roIiJNAdWX39gEHnUoSxarB0P0jesIh4l86pFK5Jz2j6kM05BbtoZdnIUoT/bG4rnCLEdifA4ySFFdOCpFnyuQQoGgd/Smp6DhFGpiMwTRnX3RLVnzk8k5IOfhUlnhC2t6VMjiu0zuPDmtYn3H/ZZOWRW2lsawa3NMMDWhg5DNrMbanLDf88KPtebcYMMTwiLdlx/8JCYVN5viuuURV5VITVMK6jqKrFhyWzs2nY3kaGeq299i/r0eWwN6l031Dv60D6oM0hQBJ+rannMWy9ot+impBJZhzXrKbCfKKs3gTAVwDvUa86lJ70Dyad0n4g3bK2q5KpF+dxg==

Jordi Ruiz said...

This is my soap message:


This is my soap message:


http://www.openuri.org/procesa
urn:uuid:f20e0dfa-270f-453c-b099-f09443419055
3b2b1d93-479d-472f-992c-10e5da2974af

http://www.w3.org/2005/08/addressing/anonymous

https://serveis-pre.iop.aoc.cat/siri-proxy/services/Sincron


2011-06-08T06:51:07.234Z
2011-06-08T06:56:07.234Z


MIIIUTCCBzmgAwIBAgIQHNQfeN6ZPohNT6+u8MxIpTANBgkqhkiG9w0BAQUFADCCAT4xCzAJBgNVBAYTAkVTMTswOQYDVQQKEzJBZ2VuY2lhIENhdGFsYW5hIGRlIENlcnRpZmljYWNpbyAoTklGIFEtMDgwMTE3Ni1JKTE0MDIGA1UEBxMrUGFzc2F0Z2UgZGUgbGEgQ29uY2VwY2lvIDExIDA4MDA4IEJhcmNlbG9uYTEuMCwGA1UECxMlU2VydmVpcyBQdWJsaWNzIGRlIENlcnRpZmljYWNpbyBFQ1YtMjE3MDUGA1UECxMuVmVnZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5uZXQvdmVyQ0lDLTIgICAoYykwMzE0MDIGA1UECxMrU2VjcmV0YXJpYSBkJ0FkbWluaXN0cmFjaW8gaSBGdW5jaW8gUHVibGljYTEdMBsGA1UEAxMUUFJFUFJPRFVDQ0lPIEVDLVNBRlAwHhcNMTEwMjA3MDgzOTA1WhcNMTUwMjA3MDgzODQzWjCB1zELMAkGA1UEBhMCRVMxLTArBgNVBAoUJENvbnNvcmNpIGQnQWNjafMgU29jaWFsIGRlIENhdGFsdW55YTEuMCwGA1UECxQlU2VydmVpcyBQ+mJsaWNzIGRlIENlcnRpZmljYWNp8yBDREEtMTE1MDMGA1UECxMsVmVnZXUgaHR0cHM6Ly93d3cuY2F0Y2VydC5jYXQvdmVyQ0RBLTEgKGMpMDMxMjAwBgNVBAMUKVNlcnZlaSBkZSB0cmFtaXRhY2nzIGVsZWN0cm9uaWNhIGRlbCBDQVNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwItF+6hPxumy7yLjfzEhDs81CRl7twiBi7u0D0tLZhOJ8Bl3msU3Y2qrBKdrEqZWOIkImJuCj484UfxOjmgOBlBIMfWDlDtYrdqFCkuFLjsYQ49RyJzm1b1JWVdjXzMU/CzaabVFCYJzDNB5kCee77ReC5nVugAFLao3VX7+CH+/AWqCHeASryWbTPlChbBAj3hcvylzb1bVM1wTX2W9CPKbSSUey5ETR+YVyeYlNa10W/h3cpsY/rfbVFA1okeEVIKuZ1F0E9Tp+5I0ivAE98znHk/3JHk80qkBtU1I93i43V0BYxdLkIErjn2Gm5uA6BBCw1bi5YYvTb3AGg34twIDAQABo4IDrTCCA6kwOAYDVR0RBDEwL4EVaWduYXNpLnRlYmVAc3BlbnRhLmVzpBYwFDESMBAGA1UEBRMJUTE3MDA1ODBCMA4GA1UdDwEB/wQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwQwEQYJYIZIAYb4QgEBBAQDAgWgMB0GA1UdDgQWBBQLFCluImkHk9j+38cAPngD5fhtaDCCAT0GA1UdIwSCATQwggEwgBRhDpeFuX3b2AVBt43iMBNerldw3qGCAQSkggEAMIH9MQswCQYDVQQGEwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8gKE5JRiBRLTA4MDExNzYtSSkxLjAsBgNVBAsTJVNlcnZlaXMgUHVibGljcyBkZSBDZXJ0aWZpY2FjaW8gRUNWLTExPTA7BgNVBAsTNFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3ZlcnByZXByb2R1Y2NpbyAgKGMpMDMxITAfBgNVBAsTGEdlbmVyYWxpdGF0IGRlIENhdGFsdW55YTEfMB0GA1UEAxMWUFJFUFJPRFVDQ0lPIEVDLUdFTkNBVIIQA2iZHTwEzGdFPdJ6cIcKjTCBzAYDVR0gBIHEMIHBMIG+BgsrBgEEAfV4AQMBWzCBrjAsBggrBgEFBQcCARYgaHR0cHM6Ly93d3cuY2F0Y2VydC5jYXQvdmVyQ0RBLTEwfgYIKwYBBQUHAgIwchpwQXF1ZXN0IOlzIHVuIGNlcnRpZmljYXQgZGUgZGlzcG9zaXRpdSBkJ2FwbGljYWNp8yBhc3NlZ3VyYWRhIGRlIGNsYXNzZSAxLiBWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0LmNhdC92ZXJDREEtMTCBhQYIKwYBBQUHAQEEeTB3MDAGCCsGAQUFBzABhiRodHRwOi8vb2NzcC5wcmVwcm9kdWNjaW8uY2F0Y2VydC5jYXQwQwYIKwYBBQUHMAKGN2h0dHA6Ly93d3cuY2F0Y2VydC5jYXQvZGVzY2FycmVnYS9wcmVwcm9kdWNjaW9fc2FmcC5jcnQwdAYDVR0fBG0wazBpoGegZYYwaHR0cDovL2Vwc2NkLmNhdGNlcnQubmV0L2NybC9wcmVwcm9kX2VjLXNhZnAuY3JshjFodHRwOi8vZXBzY2QyLmNhdGNlcnQubmV0L2NybC9wcmVwcm9kX2VjLXNhZnAuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQCgWYT1CEt3kWs0aPnrz9jj9gZCNL1YywWE9xXCYk9Tk8SVvQU693ZgSeAFDJJS80YbyZGoWHjvbSIAgLgyGccRiq83ZA+t135ktwkYi2GhzZKJO1XX4JshTUY7H3K64D4+FLMUkY+34rub3gibjJMQiEB+9HV3umerDuSqGm9P9EsoDvsJZZRsG/QADjR9lbiIOSnNPnulICPc+XNSRnnTOhMSMDynv5ZxpbsuJtgxFnfauL73e10tl1W4y/isB3OuZnQfPE+yaab4n3Pehl0XqgZAVWX+9IstmCf63weBGXntjh7VCN0+X6t5S6+R1KVL/0n/KbjTGxbOwP4yTmEg










5uXA33wj3iw5bhuzRMTPq6clAMU=






YLwffGBw3SZFSKL907Vp5QMbQmo=



Wg1C3Px+1roIiJNAdWX39gEHnUoSxarB0P0jesIh4l86pFK5Jz2j6kM05BbtoZdnIUoT/bG4rnCLEdifA4ySFFdOCpFnyuQQoGgd/Smp6DhFGpiMwTRnX3RLVnzk8k5IOfhUlnhC2t6VMjiu0zuPDmtYn3H/ZZOWRW2lsawa3NMMDWhg5DNrMbanLDf88KPtebcYMMTwiLdlx/8JCYVN5viuuURV5VITVMK6jqKrFhyWzs2nY3kaGeq299i/r0eWwN6l031Dv60D6oM0hQBJ+rannMWy9ot+impBJZhzXrKbCfKKs3gTAVwDvUa86lJ70Dyad0n4g3bK2q5KpF+dxg==

Yaron Naveh (MVP) said...

hi jordi

use a custom binding. possibly the binding box can help you:

http://webservices20.cloudapp.net/

then use the securityHeaderLayout attribute:

Anonymous said...

HI Yaron,

We are trying to get a Axis2 client to call a .NET WCF service with Username Token binding.

When we look at the WSDL from ?wsdl we don't see any https endpoint exposed when we would have expected to see one.

Our web.config contains the following






















When we call the service using the http endpoint we get the following: org.apache.axis2.AxisFault: An error occurred when verifying security for the message.

When we call the server with https we get a timeout.

Any ideas what we are missing here ?

thanks,

Brian

Yaron Naveh (MVP) said...

Hi Brian

send me an email with the config

Cp2013 said...

Yaron,

I'm trying to develop C# client code to consume a Java service. And I see your replies to related questions and tried multiple things, but I couldn't get it working yet.

I've added the service reference in my VS using wsdl received. Then I used the configuration given below and setting ProtectionLevel = ProtectionLevel.Sign in the reference.cs and it signs everything in header & body. What I need to do is sign only the BODY, and still include timestamp and other standard headers without sign.

current configuration:








Is it possible to sign only Body in WFC using configurations ?


--Cp

Yaron Naveh (MVP) said...

Hi CP

The xml does not appear good here, please send me a mail.

MF said...

Some years after the original post does this symptom indicate the same issue? The ValueType is blank.

"Cannot read the token from the 'Timestamp' element with the 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified."

I am indeed using the V1 client certificate but WCF is able to encrypt and send the data to the server and have the server decrypt it. Does it not support V1 still?

Background.. CXF was returning 2 binary security tokens and .net was giving the error...

“The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected.”

Then I changed CXF to return thumbprint for the signing and encryption key references so I now get the missing Timestamp error. P.S. I could not use the IssuerSerial option to for the key reference on the server because Java was not putting a space after the commas in the DN and .Net was expecting it. If fixing that is a better road to go down let me know....

MF said...

I have an encrypted timestamp coming back from the Java server and .Net is trying to parse it as if it was a Security Token by the WSSecurityTokenSerializer class I have override.

"Cannot read the token from the 'Timestamp' element with the 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' namespace for BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified."

It is giving a similar error but has anyone seen this one?