Comments on Yaron Naveh's Web Services 2.0 Blog: Test drive the shiny new Wcf interop bindings
Feed updated: 2024-03-12T11:12:59.606+02:00

[2013-04-22T16:04:46.993+03:00]
Your tutorial really helped me. Thanks so much!!!
-- worryworth

[2012-11-26T17:31:14.709+02:00]
In .net 3.5 you could use custom binding
-- Yaron Naveh (MVP)

[2012-11-26T13:26:26.549+02:00]
Can this WCF Interop be done with .Net framework 3.5/VS 2008?

Thanks
BV
-- BALAJI VEERARAGHAVAN

[2012-10-11T14:28:39.812+02:00]
I've reported the problem to the owner of the web service. The other clients for this service are all .Net so of course they don't have any problems. Shame there isn't some setting to ignore whether or not the digests match up on the client side.

Thanks for your help.

Keith
-- Keith

[2012-10-11T13:45:12.223+02:00]
maybe you can replace the \r\n values in the body with some other char, and put them back in the server. Otherwise the only way I see is to turn off security in the wcf side altogether and do the validation yourself or not do it.
-- Yaron Naveh (MVP)

[2012-10-11T13:39:45.305+02:00]
Here is a couple of sites that explain the problem:

http://www.java.net/node/689103

http://javakenai-dev.cognisync.net/forum/topic/glassfish/metro-and-jaxb/wsit-and-wcf-interop-issue-different-digest-same-text-0

Regards
Keith
-- Keith

[2012-10-11T13:13:26.634+02:00]
Keith

Do you have a link that says it is WCF fault?

You cannot customize the way Wcf handles signatures. Assuming the message is only signed and not encrypted, you could tell Wcf to ignore the signature altogether, and then either do the validation yourself or decide not to do it.
-- Yaron Naveh (MVP)

[2012-10-11T12:05:11.844+02:00]
In regards to my earlier post regarding exceptions thrown when a \r is in the message body (SEVERE: WSS1717: Error occurred while doing digest verification of body/payload) it looks to be a known Metro client WCF service issue. Unfortunately from what I've been finding on the web it's WCF's fault (or so the Java people claim). Is there any way to ignore the exception? i.e. ignore the digests not matching up?
-- Keith

[2012-10-04T23:40:50.384+02:00]
Keith

This sounds like a bug in one of the frameworks. If you can deal with it on the client side (remove the line breaks) it is best.
-- Yaron Naveh (MVP)

[2012-10-04T11:14:24.743+02:00]
Your example on how to use Netbeans/Metro was great. It's saved me a lot of headaches. I tried to use what I'd learned on a real world WCF webservice and I came across an issue that when calling a method and the body had a \r\n in it an exception was thrown. With the \r in the body Metro and .NET were computing different digests. Has anyone come across this? Can I deal with it on the Java Client side, or is it the .NET web service's responsibility?

Thanks.
-- Keith

[2012-09-28T08:12:47.131+02:00]
hi thanks for your response i have sent you a mail about all credentials and .jks certificate to consume service.
-- JyotiBox

[2012-09-28T03:25:21.988+02:00]
jyoti

please send me a sample working soap request for this service (with security)
-- Yaron Naveh (MVP)

[2012-09-27T14:08:49.796+02:00]
great it is working.
I need some technical support to consume oracle web logic web service which is hosted at client side and our environment is Microsoft .net.
I have used WSE 3.0 or wcf to consume the service but the result is failure.
The weblogic service security is maintained with user token and x509 certificate
The webservice link is http://XXX.XXX.XXX.XX/MMS/MMSService?wsdl and the client provides me the client code how they are consuming their service in weblogic environment.

Please help me any type of compatibility or inter operability between .net and oracle weblogic service as per link.
http://docs.oracle.com/cd/E12839_01/web.1111/e13759/interop.htm#BABFCJCD
and client code like http://stackoverflow.com/questions/11823849/consume-java-weblogic-web-service-having-usernametoken-and-client-certificate-in
-- JyotiBox

[2011-12-05T14:14:51.471+02:00]
great news!
-- Yaron Naveh (MVP)

[2011-12-05T14:03:28.220+02:00]
Finally! This works.

To sum up:
- Switch to custom binding, using settings compatible with BasicHttpBinding (your online converter is useful there)
- Set MutualCertificate authentication mode
- Set https transport <httpsTransport requireClientCertificate="false" />
- Set signature only <context protectionLevel="Sign" />
- Set the <identity> node of the endpoint to the identity used in message signature
- Disable globally the SSL server certificate name verification by modifying the ServicePointManager.ServerCertificateValidationCallback implementation
-- jmdesp

[2011-12-05T12:59:56.790+02:00]
jmdesp

you should set the dns to match the message level certificate name. then implement ssl validation like this:

http://webservices20.blogspot.com/2008/12/wcf-gotcha-disabling-ssl-validation.html

another option is for you to decide that validating the response in the message level does not matter and then you can set enableUnsecuredResponse="true" and strip the security in a custom encoder.

A third option is to implement a scheme for separate message and transport certificates:

http://blogesh.wordpress.com/2009/10/08/separate-certificates-for-transport-and-message-security-in-wcf/

that article is server focused but you could easily migrate it to the client
-- Yaron Naveh (MVP)

[2011-12-05T09:22:57.659+02:00]
Thank you for the answer that's encouraged me to try some more, although it's not our top priority so I can't spend too much time on it.

The exchange works in MutualCertificate mode, by adding a node

to the binding and also


However I'm stuck again!
The value of the endpoint gets used to verify both the SSL certificate, and the one that signs the response, and it's not the same name. If I put a dns value to match the SSL cert, it fails when verifying the answer, and if I put the name of the signature cert in it, it fails when verifying the identity at the SSL level.
I could send you the settings, and request/response, but I'm not sure it brings much at this stage, I believe you already have the important info, WS Security with mutual certificates and signature only, and HTTPS with a different certificate.
-- jmdesp

[2011-12-01T17:44:06.799+02:00]
Hi jmdesp

First let's make it work by changing the generated code, then we'll optimize it :)

the message protection should not affect the ssl setting, in particular you are always allowed to be more secured than the setting. make sure you have httpsTransport in your custom binding.

In most cases "MutualCertificate" is the way to go.

You can send me in a mail a sample request / response envelope and your current setting.
-- Yaron Naveh (MVP)

[2011-12-01T13:41:29.399+02:00]
The words "brute forcing" the correct settings really hit a string. I'm currently trying hard to make WCF interop with some jboss based WS Service implementation, but no success until now.
It needs mutually signed (not encrypted) message on an SSL connection.

I'm stuck on the following:
- If I set Message protection, my messages are encrypted which I don't want: ProtectionLevel.Sign seems to be set on the interface, but my interface is auto-generated from the WSDL and I don't want to change the generated code. So how do I change it on the custom binding instead?
- What's more if I set Message protection, the binding refuses a https URL. Is there a way to override that? I tried to use a local stunnel, but it's not a great solution
- If I set CertificateOverTransport, the returned message is signed and I get the error "Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.".
But allowSerializedSigningTokenOnReply changes nothing, I still have the error. Maybe I can just write a custom message encoder to remove that header, but I don't really like the option (and would like to find some code sample if I decide to do it).
-- jmdesp

[2011-11-05T15:12:30.877+02:00]
Raj

Why does the error mark matter? You can configure your application not to do validations while testing. in WCF this is certificateValidationMode="None", see here:

http://stackoverflow.com/questions/338385/how-do-i-tell-wcf-to-skip-verification-of-the-certificate
-- Yaron Naveh (MVP)

[2011-11-04T11:35:45.492+02:00]
Hi Yaron,
Thanks for your response.
I am currently testing at my DEV, so when it goes to UAT or PRD I can raise request to get it. between How to Generate it?
As you mentioned:
"create your own authority and put its cert in the trusted root store"

Can you send me a link or any steps would be a gr8 help.
-- Raj

[2011-11-03T19:10:48.515+02:00]
Also I forgot to mention that for it to work you will have to modify the server config file and in tag after definition add following
-- Virendra Mishra

[2011-11-03T18:50:38.518+02:00]
If you have followed the steps as described in the blog and used the same certificate and getting the following error - "At least one security token in the message could not be validated"

Try importing the client pfx file in the Trusted People store of the CurrentUser

It should work.
-- Virendra Mishra

[2011-11-01T22:33:51.996+02:00]
Raj

Self signed certificates are not trusted by default. You should get a certificate from a certificate authority that you trust, or create your own authority and put its cert in the trusted root store. You can also put the self signed cert there to make it trusted
-- Yaron Naveh (MVP)

[2011-11-01T17:00:48.143+02:00]
how to generate the Client and server certificates?
When I use SelfSigned Certificates and exported as .pfx and deployed in Localmachine - all fine but when I see details of certificates - it shows an Error mark.
-- Raj