.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Register
 
Win Surprise Gifts!!!
Congratulations!!!


Top 5 Contributors of the Month
Easy Web
Imran Ghani
Post New Web Links

WCF Security Interoperability with Java web service

Posted By:      Posted Date: September 07, 2010    Points: 0   Category :WCF
 
Hi everybody, I'm implementing a WCF client which talks to a Java web service secured with x509 certificates and username token. The service requires both signing and encryption as message protection. Thanks to Yaron Naveh and some other guys on this forum I've managed to solve the signing stuff, but the encryption seems to be much more difficult. The problem I'm facing now is the server cannot decrypt my messages - I'm getting HTTP 500 errors. I've got a request example from the service vendor and compared with the messages my client generates, there is only one difference: in the example provided by service vendor I can see an extra tag KeyInfo under the EncryptedData, which seems to me reasonable to be there, but I don't know why WCF doesn't put that item. These are the two SOAP request sections I'm talking about: My WCF client: <s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#"> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <e:CipherData> <e:CipherValue> <!-- Removed--> </e:CipherValue> </e:Cipher


View Complete Post


More Related Resource Links

.NET Client and Java Web Service Interoperability

  
I have a .net client that consumes an operation on a java based web service that appears to work accept for an issue with passing Boolean values back to the service in the soap message. Any member of the complex type that are defined as Boolean in the service contract will not be present in the soap message generated from the client even though they are set in the code. Sample Client Code: UpdateChecklistItemStatusPortTypeClient     proxy = new UpdateChecklistItemStatusPortTypeClient();     updateChecklistItemStatusReq request = new updateChecklistItemStatusReq(); request.ouid =   "P000122112"; request.applicationId =   "00000032"; request.adminFunction =   "ADMA"; request.checklistItemTypeCode =   "UHSTRN"; request.ceebCode =   "052046"; request.transcriptTerm =   "FINAL"; request.transcriptScores =   true;     updateChecklistItemStatusRsp response = new updateChecklistItemStatusRsp(); response = proxy.UpdateChecklistItemStatusOp(request); Client Soap Message Generated: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">   <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">   

WCF interoperability with Java SOAP service - sign elements order, force wsu id value

  

Hi,

I need to consume a SOAP web service created in Java from a WCF client. By intensively searching this on the web in general and on this forum in particular, I've seen that quite a lot of people have problems in this area, however I never found the answer to the questions I will post on this thread.

The service I have to consume has the following constraints:

  • needs transport level security by communicating over HTTPS 
  • needs signatures on the body (soap:body element) and a custom header of each request. The signature is done using a client certificate and complies with http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf. The signature is required only on requests. Service responses are not signed.

After an intensive amount of work I managed  to make my request messages look like (intercepted with fiddler):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u<

Security Briefs: Regular Expression Denial of Service Attacks and Defenses

  

Microsoft security expert Bryan Sullivan believes denial-of-service blackmail attacks will become more common as privilege escalation attacks become more difficult to execute. He demonstrates how to protect your apps against regular expression DoS threats.

Bryan Sullivan

MSDN Magazine May 2010


Security Briefs: XML Denial of Service Attacks and Defenses

  

This article reviews what makes XML vulnerable to denial of service attacks and how to mitigate these attacks.

Bryan Sullivan

MSDN Magazine November 2009


Geneva Framework: Building A Custom Security Token Service

  

A Security Token Service, or STS, acts as a security gateway to authenticate callers and issue security tokens carrying claims that describe the caller. See how you can build a custom STS with the "Geneva" Framework.

Michele Leroux Bustamante

MSDN Magazine January 2009


Service Station: Improving Web Service Interoperability

  

If interoperability is the main promise of Web services, why is it that so many developers and organizations have a difficult time achieving it in practice? With all due respect to our hard-working standards bodies, the primary culprits are the imperfect specifications guiding today's implementations.

Aaron Skonnard

MSDN Magazine November 2004


Design: Place XML Message Design Ahead of Schema Planning to Improve Web Service Interoperability

  

Web Services are all about exchanging data in the form of XML messages. If you were about to design a database schema, you probably wouldn't let your tool do it for you. You'd hand-tool it yourself to ensure maximum efficiency. In this article, the author maintains that designing a Web Service should be no different. You should know what kind of data will be returned by Web Service requests and use the structure of that data to design the most efficient message format. Here you'll learn how to make that determination and how to build your Web Service around the message structure.

Yasser Shohoud

MSDN Magazine December 2002


Windows Identity Foundation Security Token Service can't stay logged in

  
I'm using the Windows Identity Foundation **(WIF)** Security Token Service **(STS)** to handle authentication for my application which is working all well and good. However I can't seem to get any long running login with the STS. From my understanding I shouldn't care about the client tokens at the application level since they can expire all they want to and it should redirect me to the STS and as long as they're still logged in on the STS it should refresh their application token. Yet it doesn't seem to want to keep them signed in. Here's what occurs in my login.aspx on the STS var cookie = FormsAuthentication.GetAuthCookie(userName, persistTicket); if (persistTicket) cookie.Expires = DateTime.Now.AddDays(14); Response.Cookies.Add(cookie); var returnUrl = Request.QueryString["ReturnUrl"]; Response.Redirect(returnUrl ?? "default.aspx"); Which was taken almost directly from existing application using normal Forms Auth. From my web.config <authentication mode="Forms"> <forms loginUrl="Login.aspx" protection="All" timeout="2880" name=".STS" path="/" requireSSL="false" slidingExpiration="true" defaultUrl="default.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" /> </auth

WCF and Java Web Service Interop -- WS-Securtity 1.0 with MutualCertificate

  
I am trying to use WCF to call a Java Web Service.  The Web Service has several security requirements based on the Basic Security Profile 1.0:- The client and service should both use certificates  - The certificates will be used to sign and encrypt the message.- In addition, a supporting UsernameToken should be included.Based on those requirements, it seems like I should be using the MutualCertificate (or MutualCertificateDuplex) authentication mode:<customBinding> <binding name="Custom11">  <textMessageEncoding messageVersion="Soap11" />  <security defaultAlgorithmSuite="TripleDesRsa15" allowSerializedSigningTokenOnReply="true"    authenticationMode="MutualCertificate" requireDerivedKeys="false"    includeTimestamp="true" messageProtectionOrder="EncryptBeforeSign"    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"    requireSecurityContextCancellation="false">  </security>  <httpTransport /> </binding></customBinding>And then I need to add a supporting token for the user name.  Something like:BindingElementCollection elements = binding.CreateBindingElements();SecurityBindingElement security = elements.Find<SecurityBindingElement>();UserNameSecuri

Security settings for this service require Windows Authentication but it is not enabled for the IIS

  
Hosting service in IIS 5.1   Config is set to transport layer security. SSL is installed and configured on the virtual folder and BasicHTTP bidings are being used for connection. Authentication in web.config is set to Windows Authorization in web.config is set to Deny Users="?" and Allow Users="*"   When trying to connect to the service using IE, it throws exception that "Security settings for this service require Windows Authentication but it is not enabled for the IIS application that hosts this service. "   Can some one tell me what is missing?   Do I have to set anything in Web.Config?   I need to achieve following using Basic HTTP binding   Transport Layer security (SSL), Windows Domain Authentication, Use  user's Domain identity to impersonate the user in service   Please suggest the settings if any   Thanks

Silverlight enabled web service security error

  
I tried to create a SL enabled Web Service by following the example from the Microsoft link: http://msdn.microsoft.com/en-us/library/cc197940(VS.95).aspx When I got to step 6 to test the web service that I created (View in Browser), I got the following error:  Security settings for this service require 'Anonymous' Authentication but it is not enabled for the IIS application that hosts this service. My IIS is located on my local machine with Windows Integrated Authentication and Anonymous access unchecked. After checking the Anonoymous access checkbo, I still got the above error. I have read other post on the Internet that Silverlight uses BasicHttpbinding but the settings in the web.config file was created by Visual Studio 2010 (running .NET 4.0), so I didn't think I need to mess with it. The following is the section from the web.config: <system.serviceModel>   <behaviors>    <serviceBehaviors>     <behavior name="">      <serviceMetadata httpGetEnabled="true" />      <serviceDebug includeExceptionDetailInFaults="false" />     </behavior>    </serviceBehaviors>   </behaviors>   <bindings>    <customBinding>     <binding name=

PDF Rendering from RS2005 web service affected by recent security patching.

  
p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:'Calibri','sans-serif';} span.EmailStyle15 {font-family:'Calibri','sans-serif';color:windowtext;} .MsoChpDefault {;} @page Section1 {size:612.0pt 792.0pt;margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.Section1 {page:Section1;} p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm;margin-bottom:.0001pt;font-size:11.0pt;font-family:'Calibri','sans-serif';} span.EmailStyle15 {font-family:'Calibri','sans-serif';color:windowtext;} .MsoChpDefault {;} @page Section1 {size:612.0pt 792.0pt;margin:72.0pt 72.0pt 72.0pt 72.0pt;} div.Section1 {page:Section1;} One of our web services makes a call to the RS2005 ReportingServiceSoapClient Render method in order to generate reports as PDFs. This PDF is then copied to a fileshare where it is picked up by a third party document delivery product and distributed to our clients. The third party process uses ghostscript in order to convert the PDF to TIFF format to allow further processing. This has been working successfully for months (and in a legacy project using an older version of SQL RS2003 for a few years now).Recently one of our report servers was patched with the SP2 / Hotfix for the ActiveX printing issue. Since this has happened we have a problem where the PDFs being generated (while still readable in Adobe reader) now cont

Creating service application w/ Requirement for MySite security profile to be maintained

  
Good Day; In Sharepoint 2010 Microsoft has given the developer the ability to create a service application that can have its own database and scale independantly from the rest of the Sharepoint farm.   I wish to create a Service Application that will store data much like a list, but I need to have the ability to use the same security trimming that the profiles offer via MySites.  We need to have the granularity at a user level that we can get in MySites but I do not wish to store this data in the Mysite collections.  Can the security granularity found in Mysites and Profiles be extended into a Service Application?  Any examples of others doing this or case studies around security that I can be pointed to would be most helpful. Cheers C

Creating service application w/ Requirement for MySite security profile to be maintained

  
Good Day; In Sharepoint 2010 Microsoft has given the developer the ability to create a service application that can have its own database and scale independantly from the rest of the Sharepoint farm.   I wish to create a Service Application that will store data much like a list, but I need to have the ability to use the same security trimming that the profiles offer via MySites.  We need to have the granularity at a user level that we can get in MySites but I do not wish to store this data in the Mysite collections.  Can the security granularity found in Mysites and Profiles be extended into a Service Application?  Any examples of others doing this or case studies around security that I can be pointed to would be most helpful. Cheers C

Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)

  
I have been trying to install   Security Update for Microsoft .NET Framework, Version 1.1 Service Pack 1 (KB928366)   since it was released but downloads ok but it will not install. Everytime installation of this update fails!   Help...

security for WCF service

  
Hello Am having a WCF service and a web application client trying to access this service. I need to implement a security at message level. I need to provide security for service using X.509 and authorizing the client using the standard username and password.  Are there any good security implementation models to provide end-end message security. Please specify and good material Thank you
Categories: 
ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend