Saturday, January 30, 2010

Google & Xml – Not a love story :)

@YaronNaveh


I have just finished my Soap-less Google post and used Google calendar to remind me of my next post:

image

A moment later I enter that event to edit it and this is what I see:

image

I double checked and this issue is consistent. I’m not sure it it’s a long beta thing or just a protobuf Upselling but someone in Google really hates Xml…

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Google API’s are Soap-less

@YaronNaveh

 
A few months ago Google officially retired its Soap search Api and put an Ajax search Api instead. The official reason was that it’s moving to a “new generation” Api, however some comments claimed for a conspiracy where Google is trying to push ads into the results or trying to prevent consumers from reordering them. Since Google’s search engine main business is ads it makes sense for them to reduce the number of non-Html Api consumers.

Google Apps however do not rely solely on ads. When organizations pay to get their domains in apps they expect to get some Api for their calendar, documents and etc. With this Api Google chose to be Rest/Atom based.

And I haven’t mentioned yet Google Protocol Buffersa proprietary an open source serialization format developed by Google.

It seems Google likes to do stuff its own way. In some cases it’s a commercial trick to force its ads on Api users. This is a legitimate move but as long as they insist the real reason is a better “new generation” we can call it a trick. In other cases Google claim their new format is better than existing ones. protobuf is one example. However it’s a shame that every vendor comes up with its own formats. In this particular case, some of the other encodings in the market include Microsoft binary xml encoding  and xml fast infoset.

If you’re really into this Soap & Search thing try the Bing Wsdl

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Saturday, January 23, 2010

Schema repository on your machine

@YaronNaveh

Sometimes it is useful to look at some of the known xsd schemas. These schemas are the xsd schema itself, the soap schema, the schema of wsdl and much more.
If you have VS 2008 installed then check out this folder:


%Program Files%\Microsoft Visual Studio 9.0\Xml\Schemas


It contains all of these schemas and more.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Friday, January 22, 2010

ReSharper and NUnit - A word of warning

@YaronNaveh

A lot of people prefer the shiny ReSharper test runner over the NUnit GUI. The main reason is of course that it is embedded in the VS IDE.

In some cases this means trouble.

Let's look in this test:


[Test]
[ExpectedException(ExpectedMessage = "my error", MatchType=MessageMatch.Contains)]
public void myUnitTest()
{
  throw new Exception("my error");
}


Does this test pass or fail? It depends who you ask.

ReSharper says:



NUnit says:



The reason is that the ReSharper runner does not know the "ExpectedException" attribute of NUnit. Who knows, maybe it's just a version thing and some x.y.z version of ReSharper knows how to work with the u.v.w version of NUnit. The lesson is that when you have two clocks you never know what the real time is...

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Interoperability Gotcha: "These members may not be derived"

@YaronNaveh

The following gotcha applies when the server is written in a Java framework (e.g. Axis) and the client is in .Net. When we "add service reference" in VS to create the client proxy from the wsdl we may get this error:


Custom tool error: Unable to import WebService/Schema. Unable to import binding 'SomeBinding'
from namespace 'http://SomeNamespace'. Unable to import operation 'myOpereration'.
These members may not be derived.


In order to understand what this means we need to take a look at some other (valid wsdl):


<s:element name="EchoString">
 <s:complexType>
  <s:sequence>
   <s:element minOccurs="0" maxOccurs="1" name="s" type="s:string"    />
  </s:sequence>
 </s:complexType>
</s:element>
...
<wsdl:message name="EchoStringSoapIn">
 <wsdl:part name="parameters" element="tns:EchoString" />
</wsdl:message>
...
<wsdl:portType name="SimpleServiceSoap">
 <wsdl:operation name="EchoString">
  <wsdl:input message="tns:EchoStringSoapIn" />
  <wsdl:output message="tns:EchoStringSoapOut" />
 </wsdl:operation>
</wsdl:portType>


This means that the EchoString operation accepts a message that looks like that:


<EchoString xmlns="...">
 <s>some string</s>
</EchoString>


We might expect the proxy class to look something like that:


string EchoString(EchoStringRequest req) {...}

class EchoStringRequest
{
  string s;
}



However the real proxy looks like this:


string EchoString(string s) {...}


Why?
The reason is that most wsdls use the "document/literal/wrapped" pattern. This means that the first element of the message ("EchoString" here) is just some wrapper that the user does not really care about. What our user cares about is the "s" parameter. So the proxy generated the more useful proxy.

But let's take a look at this schema:


<s:element name="EchoString" type="tns:SomeBaseType" />

<xs:complexType name="SomeBaseType">
  <xs:sequence>
   <xs:element name="inParent" type="xs:integer"/>
  </xs:sequence>
</xs:complexType>

<xs:complexType name="SomeDerivedType">
  <xs:complexContent>
   <xs:extension base="tns:SomeBaseType">
    <xs:sequence>
     <xs:element name="inChild" type="xs:integer"/>
    </xs:sequence>
   </xs:extension>
  </xs:complexContent>
</xs:complexType>


Here the root element "EchoString" is not a dummy wrapper - it can take the form of a few types (since there is derivation). This means the proxy should not omit it.

So how does VS knows which proxy to create?

The answer is in the message definition in the wsdl:


<wsdl:message name="EchoStringSoapIn">
 <wsdl:part name="parameters" element="tns:EchoString" />
</wsdl:message>


Whenever the name of a part is "parameters" .Net assumed doc/lit/wrapped is used and generates the proxy accordingly. If even though the word "parameters" is used the wsdl is not doc/lit/wrapped (as in the last example) .Net may give us some error. Which error? You guessed correctly: "These members may not be derived". Now we can understand what the error means: .Net tries to omit the root element as it thinks doc/lit/wrapped is used. However this element cannot be removed since it is not dummy - it should be actively chosen by the user out of a few derived types.

Fix
The way to fix it is open the wsdl in a text editor and change the part name from "parameters" to "parameters1". Now .Net will know to generate a doc/lit/bare proxy. This means a new wrapper class will appear as the root parameter in the proxy. While this may be a little more tedious api, this will not have any affect on the wire format and the proxy is fully interoperable.

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Saturday, January 9, 2010

Programmatically install an X.509 certificate with a private key

@YaronNaveh

This c# snippet will install an X.509 certificate with a private key into your windows certificates store:


public static void InstallCertificate(string path, string password)
{
   var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
   store.Open(OpenFlags.ReadWrite);

  try
  {
     X509Certificate2 cert;

     cert = new X509Certificate2(
           path,
           password,
           X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);

     store.Add(cert);
  }
  finally
  {
     store.Close();
  }
}

@YaronNaveh

What's next? get this blog rss updates or register for mail updates!

Friday, January 8, 2010

Replay attacks in Wcf

@YaronNaveh

One important attack against web services is a "replay attack": a malicious man-in-the-middle captures a valid message from a client to a server and resends it. This can cause duplicate transactions or denial of service (DOS).

Typically the way to protect here is to have a timestamp on the message and some expiration policy on the server. This is a very simplified description though, here are all the details.

The sending party attaches this timestamp to the SOAP message:


<wsu:Timestamp>
   <wsu:Created>2006-02-22T09:56:27Z</wsu:Created>
   <wsu:Expires>2006-02-22T10:01:27Z</wsu:Expires>
</wsu:Timestamp>


The receiving party can then decide based on some policy how much after the message was created it is suspected as a replay.

But what is this service policy? We can see an "expires" element in the client message itself, then why does the service need an additional policy?

The answer is that there is a duplicate protection against replay attacks. The client can decide its own policy and express it inside the message. The server should respect this policy and also adds its own policy. For example:


  • Client sends a message in 15:00

  • Client expiration policy is set to 15:05

  • Service gets the message in 15:06

  • Service expiration policy is set to 15:07



  • In this case the message is considered valid by the service, but the service is expected to respect the client policy and reject the message. the situation gets more interesting when we add real network latency and clocks synchronization into the picture.

    In Wcf there are two somehow confusing settings to control the expiration:


  • LocalServiceSecuritySettings.ReplayWindow - The service expiration policy.

  • LocalclientSecuritySettings.TimestampValidityDuration - The client expiration policy as expressed in the message itself.


  • There are various other settings which relate to tolerance for clock differences and I will write a separate post on them some other time.

    @YaronNaveh

    What's next? get this blog rss updates or register for mail updates!

    Wednesday, January 6, 2010

    WCF Binary-encoded Message Inspector for Fiddler

    @YaronNaveh

    We all love our Fiddler. It is a great Http proxy to use when debugging web services (and html). Fiddler now has a WCF binary encoding message inspector. It allows us to see in clear xml binary messages. This is very usefull especially since binary encoding is the default setting for Silverlight 3 applications.

    @YaronNaveh

    What's next? get this blog rss updates or register for mail updates!

    Axis2 & Wcf Interoperability

    @YaronNaveh

    Recently I had to consume an Axis2 web service using a Wcf client. Axis2 used the rampart module for message security where a mutual X.509 certificate was required. Since I had control over both client and server I was able to fine tune them to reach perfect interoperability.

    On the Axis side, I have found the WS-Policy flavor configuration better to work with (interoperability-wise) .

    This is the Axis configuration:



    and this is the Wcf configuration:



    Here is the full Axis2 service (which is based on the rampart SDK sample):



    and the wcf client:



    You will also need certificates.

    Client certificate:



    Server Certificate:



    If prompt for a password use "adminamdin".

    This is the Java key store:



    and the password is "adminadmin".

    If you want to use your own certificate just make sure the certificates have an SKI.

    @YaronNaveh

    What's next? get this blog rss updates or register for mail updates!

    Saturday, January 2, 2010

    Anti-Spam: Deleting multipe comments in blogger

    @YaronNaveh

    I always love to see comments to my posts:




    However when the comments are nothing but SPAM...




    I have recently needed to delete 100+ comments from my blogger account. Unfortunately blogger only allows to delete one comment at a time. This is really not helping when I need to delete 100+ comments.

    The trick is to use a browser that supports tabs (almost all of them today) and to middle click the basket icon near each comment we want to delete. It will now open in a new tab:



    We still need to approve the deletion in that tab, but at least we do not need the extra clicks of returning to the original post and finding the next comment.

    @YaronNaveh

    What's next? get this blog rss updates or register for mail updates!

    Cryptic WCF error messages (part 7 of N)

    @YaronNaveh

    Yet another post in the ongoing series.

    This one happens when you use 2-way ssl (e.g. client authenticates with an X.509 certificate in the HTTP level). You may get this error message:


    The HTTP request was forbidden with client authentication scheme 'Anonymous'.


    This simply means the client certificate failed validation on the server. So check you use the correct certificate and that it is valid on the server.

    @YaronNaveh

    What's next? get this blog rss updates or register for mail updates!