Jiandong Guo
Mon, 02 Nov 2009 11:04:52 -0800
Pablo, See inline ... Pablo Cibraro wrote:
There was some ambiguity for the namespace to be used with ActAs. The WS-Trust 1.4 spec and schema specified differently. This issue has been clarified recently in the ws-sx TC. So that we have updated Metro to use "http://docs.oasis-open.org/ws-sx/ws-trust/200802";.I finally could make some progress in the interop tests with the Active STS. I used the following configuration, 1. Trader client application (Metro) 2. Passive STS (Metro) 3. Active STS (.NET) 4. Business Service (Metro) Unfortunately, I found a blocking issue that I think it is hard to fix (at least in WCF). The namespace used by metro for the ActAs element is different from the namespace used by WCF. Metro, <wst:ActAs xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";> .NET (WCF) <tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802";>
Can you try with latest Metro nightly? https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314 It is more close to the one to be released. I will get back to the other issues below shortly. Thanks! Jiandong
Besides that issue with the WS-Trust message, these are my findings for this
scenario,
1. The active STS in metro is using an username token for authenticating
the client application (trader web client). .NET is using a client certificate
for that purpose (BSL.Com), and I think it is the correct mechanism. I
basically changed the .NET Active STS and trader client implementation to use
username tokens.
2. The wsit-client.xml for the trader client application in metro looks
as follow,
<tc:PreconfiguredSTS
xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client";
endpoint=http://localhost:9001/tradeactivests (.NET)
wsdlLocation=http://apps.stonehenge.com:1316/active_sts/ActiveSTS?wsdl (WSDL in
METRO)
serviceName="SecurityTokenService"
portName="ISecurityTokenService_Port"
namespace="http://tempuri.org/";
shareToken="true">
</tc:PreconfiguredSTS>
I could not make it work against the .NET Active STS Wsdl. For
some reasons, all the requests with that WSDL are not protected with
WS-Security. I updated all the bindings and ports in the .NET to use
ISecurityTokenService and http://tempuri.org as namespace, but that does not
work.
3. Metro was using derived keys and basic 128 as algorithm suite. WCF was
throwing a weird parsing error exceptions for the derived keys (this option was
enabled in the WCF bindings too), so I disable that feature in metro and .NET.
"Cannot read the token from the 'DerivedKeyToken' element with the
'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512' namespace for
BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid,
ensure that security is configured to consume tokens with the name, namespace and value
type specified."
Regards,
Pablo.