cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Can't generate CXF client for .NET service
Date Mon, 18 Feb 2013 16:27:32 GMT
There are WS-SecurityPolicy expressions. CXF can handle parsing these
policies + applying the appropriate security requirements to the
outbound/inbound messages. However, it also contains some non-standard
policies specific to Microsoft, e.g.:

<mssp:SslContextToken xmlns:mssp="
http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">

As I haven't worked with this policy I can't give any advice on how to
handle it, perhaps someone else with more WCF interop experience could help
you.

Colm.

On Wed, Feb 13, 2013 at 10:15 AM, alan mcsherry <
alan.mcsherry@oddsfutures.com> wrote:

> Hi Colm,
>
> It is exporting a policy at the top (and a policy for every method in and
> every method out...)
>
> I've attached the policy... it doesn't say much to me I confess....
>
> <wsp:Policy wsu:Id="WSHttpBinding_IRedmanAPI_policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SymmetricBinding xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:SecureConversationToken sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:BootstrapPolicy>
> <wsp:Policy>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing
> "/>
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing
> "/>
> <sp:Header Name="MessageID" Namespace="
> http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="
> http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing
> "/>
> </sp:SignedParts>
> <sp:EncryptedParts>
> <sp:Body/>
> </sp:EncryptedParts>
> <sp:SymmetricBinding>
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <mssp:SslContextToken xmlns:mssp="
> http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> </wsp:Policy>
> </mssp:SslContextToken>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:EncryptSignature/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:SignedSupportingTokens>
> <wsp:Policy>
> <sp:UsernameToken sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:WssUsernameToken10/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> <sp:Wss11>
> <wsp:Policy/>
> </sp:Wss11>
> <sp:Trust10>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust10>
> </wsp:Policy>
> </sp:BootstrapPolicy>
> </wsp:Policy>
> </sp:SecureConversationToken>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:EncryptSignature/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy/>
> </sp:Wss11>
> <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
> ">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust10>
> <wsaw:UsingAddressing/>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> And for every method (input and output) - something like this ...
>
> <wsp:Policy wsu:Id="WSHttpBinding_IRedmanAPI_RegisterNewUser_Input_policy"
> >
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"
> />
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"
> />
> <sp:Header Name="MessageID" Namespace="
> http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="
> http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"
> />
> </sp:SignedParts>
> <sp:EncryptedParts xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> On Wed, Feb 13, 2013 at 10:01 AM, Colm O hEigeartaigh <coheigea@apache.org
> > wrote:
>
>> Hi,
>>
>> The CXF client will need a WSDL with a WS-SecurityPolicy fragment in it
>> describing the security requirements of the service. Take a look at the
>> WSDL your .NET service is exporting. I've never tried doing interop work
>> with a WCF service using the WCF wsHttpBinding, but I believe it can be
>> done.
>>
>> Colm.
>>
>> On Wed, Feb 13, 2013 at 9:26 AM, alan mcsherry <
>> alan.mcsherry@oddsfutures.com> wrote:
>>
>> > Hi,
>> >
>> > I've been involved in developing web services for 2 months now using
>> Apache
>> > CXF and all has gone well.
>> >
>> > Until I needed to interact with an external service generated with
>> .NET. In
>> > this case my client was configured thus:
>> >
>> > <jaxws:client id="redmanApi"
>> > username="test"
>> > password="password"
>> >  serviceName="cc:RedmanAPIService"
>> > endpointName="cc:RedmanAPIServiceEndpoint"
>> >  address="http://redman.software.com:6580/redmanAPI"
>> > serviceClass="uk.co.redmanapi.IRedmanAPI">
>> >  <jaxws:binding>
>> > <soap:soapBinding version="1.2" style="document"/>
>> >  </jaxws:binding>
>> > <jaxws:properties>
>> >                </jaxws:properties>
>> > </jaxws:client>
>> >
>> > And I get a 'Connection Reset' error. The client cannot send the
>> message. I
>> > cannot seem to configure my client to connect!
>> > I can connect using a .NET client provided to me, it has the following
>> > configuration....
>> >
>> >   <system.serviceModel>
>> >     <client>
>> >       <endpoint
>> >         name="WSHttpBinding_IRedmanAPI"
>> >         address="http://redman.software.com:6580/RedmanAPI"
>> >         binding="wsHttpBinding"
>> >         bindingConfiguration="WSHttpBinding_IRedmanAPI"
>> >         contract="IRedmanAPI">
>> >         <identity>
>> >           <dns value="redman.software.com"/>
>> >         </identity>
>> >       </endpoint>
>> >     </client>
>> >
>> >     <bindings>
>> >       <wsHttpBinding>
>> >         <binding name="WSHttpBinding_IRedmanAPI"
>> >             bypassProxyOnLocal="false" transactionFlow="false"
>> > hostNameComparisonMode="StrongWildcard"
>> >             messageEncoding="Text" textEncoding="utf-8"
>> > useDefaultWebProxy="true"
>> >             allowCookies="false">
>> >           <security mode="Message">
>> >                  <message clientCredentialType="UserName"/>
>> >           </security>
>> >         </binding>
>> >       </wsHttpBinding>
>> >     </bindings>
>> >   </system.serviceModel>
>> >
>> > The successful .NET client interaction looks like this ....(with some
>> > values changed)
>> >
>> > 2013-02-12 10:05:23,230 [14] as service in context of the reseller
>> 'test':
>> > after receiving request: [urn:
>> co.uk/RedmanAPI/IRedmanAPI/RegisterNewUser],
>> > GUID:[56f9b3e2-3b4d-4332-8c20-064a06314a24], Request:
>> >  <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
>> xmlns:a="
>> > http://www.w3.org/2005/08/addressing" xmlns:u="
>> >
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>> > ">
>> >   <s:Header>
>> >     <a:Action s:mustUnderstand="1" u:Id="_2">urn:
>> > co.uk/RedmanAPI/IRedmanAPI/RegisterNewUser</a:Action>
>> >     <a:MessageID
>> > u:Id="_3">urn:uuid:e15ff563-01f2-4063-822a-387ad7088ff6</a:MessageID>
>> >     <a:ReplyTo u:Id="_4">
>> >       <a:Address>http://www.w3.org/2005/08/addressing/anonymous
>> > </a:Address>
>> >     </a:ReplyTo>
>> >     <a:To s:mustUnderstand="1" u:Id="_5">
>> > http://redman.software.com:6580/RedmanAPI</a:To>
>> >     <o:Security s:mustUnderstand="1" xmlns:o="
>> >
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> > ">
>> >       <u:Timestamp u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-11">
>> >         <u:Created>2013-02-12T09:06:20.457Z</u:Created>
>> >         <u:Expires>2013-02-12T09:11:20.457Z</u:Expires>
>> >       </u:Timestamp>
>> >       <c:SecurityContextToken
>> > u:Id="uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" xmlns:c="
>> > http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >
>> >
>> <c:Identifier>urn:uuid:b19e1dc9-d1b5-440c-8cae-20cca6c7d6fa</c:Identifier>
>> >       </c:SecurityContextToken>
>> >       <c:DerivedKeyToken
>> u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-9"
>> > xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >         <o:SecurityTokenReference>
>> >           <o:Reference ValueType="
>> > http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
>> > URI="#uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" />
>> >         </o:SecurityTokenReference>
>> >         <c:Offset>0</c:Offset>
>> >         <c:Length>24</c:Length>
>> >         <c:Nonce>R6PHj4NfkvjXt+b6QMNhKw==</c:Nonce>
>> >       </c:DerivedKeyToken>
>> >       <c:DerivedKeyToken
>> > u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-10" xmlns:c="
>> > http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >         <o:SecurityTokenReference>
>> >           <o:Reference ValueType="
>> > http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
>> > URI="#uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" />
>> >         </o:SecurityTokenReference>
>> >         <c:Nonce>NMwqy0hhD24EEPBjG/fXDQ==</c:Nonce>
>> >       </c:DerivedKeyToken>
>> >       <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>> >         <e:DataReference URI="#_1" />
>> >         <e:DataReference URI="#_6" />
>> >       </e:ReferenceList>
>> >       <e:EncryptedData Id="_6" Type="
>> > http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="
>> > http://www.w3.org/2001/04/xmlenc#">
>> >         <e:EncryptionMethod Algorithm="
>> > http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>> >         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> >           <o:SecurityTokenReference>
>> >             <o:Reference ValueType="
>> > http://schemas.xmlsoap.org/ws/2005/02/sc/dk"
>> > URI="#uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-10" />
>> >           </o:SecurityTokenReference>
>> >         </KeyInfo>
>> >         <e:CipherData>
>> >
>> >
>> >
>> <e:CipherValue>IrgFpb3X7NqcaNDIYLU2SMGpkSV02Ij8Pas3aKr3mG27GvgIMb4IpgSxBR+Cu3kEnVVvUKe9E53sHE8IeVxB72abal+GAmQBgMRST7glWTbfTuTs+8KvlnjnEuspDA/PvZ9+VBifhTAMOBRsKmEOS3CGsKfV1OvkrU/0UsCxwS51C+YwUFNCSarVuo5+u7T+7PJ2IQe8hGcDHKQ97VIM6X+gU//hW3/KaaIH7QceWYnXtj0MbekritXKn0RtBDrM3gNJWVevAstr1n8WbqY0CdsvRXYq3yK/I0ELDDUQQ8ruPmFhb0VxyrO6HYOf3r7K3SRijfr0hXujTDpWLanIVNKCJshpbopqRTTmvcJZzN9UBhWLJxKD/VlkYLzPMEpZ6CQL3b7RJ8x1azGj+D+zHfxa/GLJRng2AqJLJRv8dbp/l5R20vdZBGWxo9K2MQrPWlG+TTkQ1LpnjVTfUzAmxgDXf8UbrYm0YW/ochAMGuuU3RruwsX8nblvBhC3FHa6Hs1hI34q6pK+I1C635rizqbBds7m95bg53DpBlv9X9gcw0/5S5sfnnEMcnFVBIErxqg9uV+4oKRTq7iGeLqnR3Y4RL/pwcoU7/dB9bqm+MVSxG36F+MOGwZGor4ZF7oLfuHezQ663RUCurFhUZoRNtpCE1yHSjivxPEklkwBP8hjAXMT8KNYJR9FwspwNCkqe59JrVQDg31hoaLnQAUWF0CeMWKmyGZmemVxIVgrX8Fv5nIC9SjUAEiEbbFBJQTDYGd/nkVmoTlmniq8NEYJsa9R8vTflqkJUkSi/cNusRoZG43Nen1Z2Vln5/F+wGrG4NjRX/dPMl26K2e4FipYkn8IcoCS/DWECekJNzB6LjYzxJDm2p0eDfQm63dc2HJp3c54rLxeb2nKIt6UbchxtckkggTsKO3MXnlAHobjDVpfKYiwkWJdG9sxyJWpTtx0F4BYNonf/Mi5zLztRplpSq0phmLTDvjnRBubwGPNxl/icurbCSqFzre7bjAhRXDtKisxgtDdoAYgoozvIcIdwxlPQQLbuKb2jvjCYu1mfgjqiEAF4vWtlBoC7rlhDz9lAnbEovPkBb7Bjm/uTuylWeMJ+gKpKxrkdzL1dy3SFU16F0Rvs32v3XE+KdK9c8WWMDGe/FufxMHduLig8QadnFaDxbliJjchovx67AwvKacxkDQT/NrbpXx6YeV0cCH5kynqY4a7uHbivkEZCDZUTYSnkTUcWdTLRN5Z8//rKpF3VSOjk4U5Z5TBji+vcTDcwkyzRYAnBJHS3ssEagd38amSFdgLhfougI0nE7h52SedPvKSOiFtK/nqXEPWtL0iG34upJhmIcw5zpGaF6pKskuTTPZ6X6+qbVYouqqlBrCCpEiDGAA0eNq6UVUjHm5Z064/WLxSt5iEauxwXmbPWasm25aC1rQ6eskZeJDEI0Cg7PUNrYB0Ck/ilnZSwEGzYRNNCPBB5MtCRO1KbjDq5u94YD+gh3OwgYJNxeXkCQdqOxjF6L/yu6ZynQH2txnJe+6THOJHVPbhh0855nwuG0tc449CMxLC9JQvxQzZPdP72g525SWyh+1hPmWSrjkC8svoiItVVQm2JDUdwgekvHV1iDBLxFoYtroSzrawnPx5pvFc+TygIRxxf8GM/t3ufFTd8bj9LWXPxa9ACvTpJjyBoZhJi7wIbJfJNtjKQrfJnGBDE1Ti4YEaSOvuKlDjtGKFpzStcXZWtziUupHb1ofnEsyqwzxjQoZfu3p7/qAGTqSaqmm8QWHNu59tNeONVkbBiYT4Vn/6ro03IH/wdiPGtP3zQPe+pkZRsf0sYMiJxAq21GsbRxbFgOyZ4NIixtIWEkuP1VZ3fDnSCA+jhqsHmP8RTY4LEQxN1MNh6vJdmjpg4zMhF2SrpoM/aaxPu1QEWHcmiEsMcsFn54iJvLMNxrHGLRE8q1SEP6JAIvmZktDs/XFmEYDxifg2vvi470KbFRMU0uJDYu2DRbEUbXtS+tVFB7V/PLihye0QyivvAM3QycYZbAmqQOLSLD8J53/+P66lDU6vDAl8wtN9CJm9J/muKUXexnafrn5X8neA/1Sc9Y061fgQhPt/MNMg6sSluD8Ms/tpTnCecXsZh+OPWYCNzgjtVLE3WGvyJ8k3EI1XLrO1J1yitoZDpSsgdmsF5F5HEgtD9GqrKgYwN9T6b8/tqmSQnFXHHTQqNkKaGvqloZdEXWPVeUqpUs0lRHqQIUMf1omDShucAnfc6qbS0gWctMgr/3L7kholWOpA7rjX4Aoc6qcF7gjRv1ilDBqkAr5l04oKOi0f7adYDkA6fxomFFfoxU1vzUBj1+EqH6IdnA/uE1l51obF51+040tfXmDWmpMU9n1dUQCb2DPCykv33ACv5xCN/lTu/X1hFZjdbSfl8EwPRo9AwCcsFoankr+xgkQqS5MoHcX8dawj6J+gRgjmawQwflD2qINbx5VEUzyWFqZxLu/</e:CipherValue>
>> >         </e:CipherData>
>> >       </e:EncryptedData>
>> >     </o:Security>
>> >   </s:Header>
>> >   <s:Body u:Id="_0">
>> >     <RegisterNewUser xmlns="urn:co.uk/RedmanAPI">
>> >       <inputData xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
>> >         <Address>
>> >           <AbodeNumber>1</AbodeNumber>
>> >         ...
>> >       </inputData>
>> >     </RegisterNewUser>
>> >   </s:Body>
>> > </s:Envelope>
>> > 2013-02-12 10:05:25,118 [14] as service in context of the reseller
>> 'test':
>> > before sending reply: [urn:
>> > co.uk/RedmanAPI/IRedmanAPI/RegisterNewUserResponse],
>> > GUID:[56f9b3e2-3b4d-4332-8c20-064a06314a24], Reply:
>> >  <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="
>> > http://www.w3.org/2003/05/soap-envelope">
>> >   <s:Header>
>> >     <a:Action s:mustUnderstand="1">urn:
>> > co.uk/RedmanAPI/IRedmanAPI/RegisterNewUserResponse</a:Action>
>> >     <ActivityId CorrelationId="7255d356-4e94-a4c7-9e63127760a0" xmlns="
>> > http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics
>> > ">d860721b-0c14-44e6-bf52-c2355e</ActivityId>
>> >
>> > <a:RelatesTo>urn:uuid:e15ff563-01f2-4063-822a-387ad7088ff6</a:RelatesTo>
>> >   </s:Header>
>> >   <s:Body>
>> >     <RegisterNewUserResponse xmlns="urn:co.uk/RedmanAPI">
>> >       <RegisterNewUserResult xmlns:i="
>> > http://www.w3.org/2001/XMLSchema-instance">
>> >         <FailureReason i:nil="true" />
>> >         <Status>true</Status>
>> >         <UserId>5d925d02</UserId>
>> >       </RegisterNewUserResult>
>> >     </RegisterNewUserResponse>
>> >   </s:Body>
>> > </s:Envelope>
>> >
>> > I've read *a lot* of internet posts over the last few days trying to
>> get a
>> > handle on this, but with no luck. It seems to be some kind of security
>> > issue but how to get around it?
>> > Any help appreciated.
>> >
>> > Alan.
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message