Hi,

I am trying to connect to a third-party service written in Java that implements WS-Security with public-key certificates (a CXF-based web service).

After some struggle, I finally managed to send a properly formatted request and got an HTTP 200 response from the service.

The only way that I found to consume the service is to use either:

wsHttpBinding with security mode set to TransportWithMessageCredential

customBinding with authenticationMode set to CertificateOverTransport

I tried MutualCertificates, which seemed the most appropriate to me, but the request is then missing something in the security header.

Anyway, even though I receive a response code 200 from the service, WCF raises an error when processing the response:

Unhandled Exception: System.ServiceModel.Security.MessageSecurityException: Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

It seems that the service includes a BinarySecurityToken in the response that WCF cannot process.

Does anyone have a clue about this? I have been struggling with this problem for days...
Any help would be greatly appreciated!

Cheers,
issa

Please find below:
1) the client configuration using wsHttpBinding
2) the client configuration using customHttpBinding
3) the trace of the response sent by the service


1) My client configuration using wsHttpBinding

<system.serviceModel>
<bindings>
<wsHttpBinding>
<!-- Client binding: TLS protects the transport; the client authenticates to the service with an X.509 certificate carried in the WS-Security header of the message. -->
<binding name="Binding1" textEncoding="utf-8" messageEncoding="Text" >
<security mode="TransportWithMessageCredential" >
<transport clientCredentialType="None" proxyCredentialType="None" />
<!-- negotiateServiceCredential="false": the service certificate is not negotiated at runtime, so the client relies on the serviceCertificate/defaultCertificate configured below.
     establishSecurityContext="false": no WS-SecureConversation session; every request carries the certificate credential. -->
<message clientCredentialType="Certificate" negotiateServiceCredential="false"
establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
</bindings>

<client>
<endpoint address="https://www.blabla.com"
binding="wsHttpBinding"
bindingConfiguration="Binding1"
contract="MyService"
name="WSHttpBinding_Binding1"
behaviorConfiguration="Binding1Behavior">
</endpoint>
</client>

<behaviors>
<endpointBehaviors>
<behavior name="Binding1Behavior">
<clientCredentials>
<!-- Client certificate used as the message credential, looked up by subject name in the local certificate store. -->
<clientCertificate x509FindType="FindBySubjectName" findValue="blabla.blibli.com" />
<serviceCertificate>
<!-- NOTE(review): certificateValidationMode="None" disables validation of the certificate used as the service's message-level credential, so whatever certificate is found under that subject name is accepted as the service. Tolerable while debugging the handshake; switch to ChainTrust or PeerTrust before this leaves a test environment. -->
<authentication certificateValidationMode="None" />
<!-- Certificate the client accepts as the service's credential (presumably the one the service signs its replies with; confirm against the BinarySecurityToken in the traced response). -->
<defaultCertificate x509FindType="FindBySubjectName" findValue="www.blabla.com" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>


2) the client configuration using customHttpBinding

<customBinding>
<binding name="Binding2">
<!-- Client X.509 certificate as the message credential over HTTPS; requireSecurityContextCancellation="false" and no secure-conversation element means no WS-SecureConversation session is established. -->
<!-- allowSerializedSigningTokenOnReply="true" permits the reply to carry the service's signing token inline (the wsse:BinarySecurityToken seen in the traced response) instead of only referencing a token the client already holds. The X509SecurityToken error suggests the client still has no token authenticator for that inline token under CertificateOverTransport; confirm against the mode's defaults. -->
<security authenticationMode="CertificateOverTransport"
allowSerializedSigningTokenOnReply="true"
requireDerivedKeys="false"
includeTimestamp="true"
requireSecurityContextCancellation="false">
</security>
<!-- SOAP 1.1 with WS-Addressing 1.0; the traced response is a SOAP 1.1 envelope (schemas.xmlsoap.org/soap/envelope/), so this must stay aligned with the service. -->
<textMessageEncoding messageVersion="Soap11WSAddressing10" writeEncoding="utf-8"/>
<!-- Anonymous at the HTTP layer: authentication happens in the WS-Security header, not via HTTP authentication. -->
<httpsTransport authenticationScheme="Anonymous" />
</binding>
</customBinding>


3) Trace of the response sent by the service (HTTP response code 200):

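<!-- Traced response. The BinarySecurityToken content and the Body were redacted by the poster; a few tags that lost a space or a closing bracket in the paste are repaired here so the trace is well-formed. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-25935000">
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-12-18T11:53:40.485Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2008-12-18T11:58:40.485Z</wsu:Expires>
</wsu:Timestamp>
<!-- The service's signing certificate sent inline. The KeyInfo below refers to it as #CertId-7999666, presumably this element's wsu:Id (redacted with the content). This inline X509 token is most likely what the client-side "Cannot find a token authenticator" error is about. -->
<wsse:BinarySecurityToken>
<!--Removed-->
</wsse:BinarySecurityToken>
<!-- The signature has a single Reference, #id-19635988, which is the wsu:Id of soap:Body below: only the Body is signed. The Timestamp (wsu:Id Timestamp-25935000) is not referenced, so its Created/Expires values are not tamper-evident. Algorithms are rsa-sha1 and sha1, i.e. SHA-1 based (legacy). -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-5637875">
<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:CanonicalizationMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference xmlns:ds="http://www.w3.org/2000/09/xmldsig#" URI="#id-19635988">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">7DadA8Ans4dfaoDFL2Fs35jafo=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
ksSDfhC2haGsdfas+dhfSa3ldfjCVBkvbs4jghsdfKga5jlXsdBfhaVCjghkl3jlfhBdfgsVdfgd
sdfsgl62kfpzxsH5WE0mnvlpXsQ12SdxhJKu834Kfsd/Shj3daSae9daDAcnX3KSnfc98SKccjsa
YWEhd7SKmcdovSKANXU=
</ds:SignatureValue>
<!-- KeyInfo points at the inline BinarySecurityToken (direct reference, X509v3 value type) rather than at a certificate the client already holds. -->
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="KeyId-3758767">
<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-24164377">
<wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" URI="#CertId-7999666" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<!-- wsu:Id="id-19635988" is the element the signature's only Reference covers. -->
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-19635988">
<!--Removed-->
</soap:Body>
</soap:Envelope>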