There are WS-SecurityPolicy expressions. CXF can handle parsing these policies + applying the appropriate security requirements to the outbound/inbound messages. However, it also contains some non-standard policies specific to Microsoft, e.g.:

<mssp:SslContextToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">

As I haven't worked with this policy I can't give any advice on how to handle it, perhaps someone else with more WCF interop experience could help you.

Colm.

On Wed, Feb 13, 2013 at 10:15 AM, alan mcsherry <[email protected]> wrote:

> Hi Colm,
>
> It is exporting a policy at the top (and a policy for every method in and
> every method out...)
>
> I've attached the policy... it doesn't say much to me I confess....
>
> <wsp:Policy wsu:Id="WSHttpBinding_IRedmanAPI_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SignedParts>
>                         <sp:Body/>
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>                       </sp:SignedParts>
>                       <sp:EncryptedParts>
>                         <sp:Body/>
>                       </sp:EncryptedParts>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <mssp:SslContextToken xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy" sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                                 <wsp:Policy>
>                                   <sp:RequireDerivedKeys/>
>                                 </wsp:Policy>
>                               </mssp:SslContextToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256/>
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Strict/>
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:IncludeTimestamp/>
>                           <sp:EncryptSignature/>
>                           <sp:OnlySignEntireHeadersAndBody/>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:SignedSupportingTokens>
>                         <wsp:Policy>
>                           <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                               <sp:WssUsernameToken10/>
>                             </wsp:Policy>
>                           </sp:UsernameToken>
>                         </wsp:Policy>
>                       </sp:SignedSupportingTokens>
>                       <sp:Wss11>
>                         <wsp:Policy/>
>                       </sp:Wss11>
>                       <sp:Trust10>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens/>
>                           <sp:RequireClientEntropy/>
>                           <sp:RequireServerEntropy/>
>                         </wsp:Policy>
>                       </sp:Trust10>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:EncryptSignature/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy/>
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>           <sp:RequireClientEntropy/>
>           <sp:RequireServerEntropy/>
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing/>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> And for every method (input and output) - something like this ...
>
> <wsp:Policy wsu:Id="WSHttpBinding_IRedmanAPI_RegisterNewUser_Input_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>       </sp:SignedParts>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body/>
>       </sp:EncryptedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> On Wed, Feb 13, 2013 at 10:01 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> Hi,
>>
>> The CXF client will need a WSDL with a WS-SecurityPolicy fragment in it
>> describing the security requirements of the service. Take a look at the
>> WSDL your .NET service is exporting. I've never tried doing interop work
>> with a WCF service using the WCF wsHttpBinding, but I believe it can be
>> done.
>>
>> Colm.
>>
>> On Wed, Feb 13, 2013 at 9:26 AM, alan mcsherry <[email protected]> wrote:
>>
>> > Hi,
>> >
>> > I've been involved in developing web services for 2 months now using Apache
>> > CXF and all has gone well.
>> >
>> > Until I needed to interact with an external service generated with .NET. In
>> > this case my client was configured thus:
>> >
>> > <jaxws:client id="redmanApi"
>> >     username="test"
>> >     password="password"
>> >     serviceName="cc:RedmanAPIService"
>> >     endpointName="cc:RedmanAPIServiceEndpoint"
>> >     address="http://redman.software.com:6580/redmanAPI"
>> >     serviceClass="uk.co.redmanapi.IRedmanAPI">
>> >   <jaxws:binding>
>> >     <soap:soapBinding version="1.2" style="document"/>
>> >   </jaxws:binding>
>> >   <jaxws:properties>
>> >   </jaxws:properties>
>> > </jaxws:client>
>> >
>> > And I get a 'Connection Reset' error. The client cannot send the message. I
>> > cannot seem to configure my client to connect!
>> > I can connect using a .NET client provided to me, it has the following
>> > configuration....
>> >
>> > <system.serviceModel>
>> >   <client>
>> >     <endpoint
>> >         name="WSHttpBinding_IRedmanAPI"
>> >         address="http://redman.software.com:6580/RedmanAPI"
>> >         binding="wsHttpBinding"
>> >         bindingConfiguration="WSHttpBinding_IRedmanAPI"
>> >         contract="IRedmanAPI">
>> >       <identity>
>> >         <dns value="redman.software.com"/>
>> >       </identity>
>> >     </endpoint>
>> >   </client>
>> >
>> >   <bindings>
>> >     <wsHttpBinding>
>> >       <binding name="WSHttpBinding_IRedmanAPI"
>> >           bypassProxyOnLocal="false" transactionFlow="false"
>> >           hostNameComparisonMode="StrongWildcard"
>> >           messageEncoding="Text" textEncoding="utf-8"
>> >           useDefaultWebProxy="true"
>> >           allowCookies="false">
>> >         <security mode="Message">
>> >           <message clientCredentialType="UserName"/>
>> >         </security>
>> >       </binding>
>> >     </wsHttpBinding>
>> >   </bindings>
>> > </system.serviceModel>
>> >
>> > The successful .NET client interaction looks like this ....(with some
>> > values changed)
>> >
>> > 2013-02-12 10:05:23,230 [14] as service in context of the reseller 'test': after receiving request: [urn:co.uk/RedmanAPI/IRedmanAPI/RegisterNewUser], GUID:[56f9b3e2-3b4d-4332-8c20-064a06314a24], Request:
>> > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> >   <s:Header>
>> >     <a:Action s:mustUnderstand="1" u:Id="_2">urn:co.uk/RedmanAPI/IRedmanAPI/RegisterNewUser</a:Action>
>> >     <a:MessageID u:Id="_3">urn:uuid:e15ff563-01f2-4063-822a-387ad7088ff6</a:MessageID>
>> >     <a:ReplyTo u:Id="_4">
>> >       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>> >     </a:ReplyTo>
>> >     <a:To s:mustUnderstand="1" u:Id="_5">http://redman.software.com:6580/RedmanAPI</a:To>
>> >     <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>> >       <u:Timestamp u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-11">
>> >         <u:Created>2013-02-12T09:06:20.457Z</u:Created>
>> >         <u:Expires>2013-02-12T09:11:20.457Z</u:Expires>
>> >       </u:Timestamp>
>> >       <c:SecurityContextToken u:Id="uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >         <c:Identifier>urn:uuid:b19e1dc9-d1b5-440c-8cae-20cca6c7d6fa</c:Identifier>
>> >       </c:SecurityContextToken>
>> >       <c:DerivedKeyToken u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-9" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >         <o:SecurityTokenReference>
>> >           <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" />
>> >         </o:SecurityTokenReference>
>> >         <c:Offset>0</c:Offset>
>> >         <c:Length>24</c:Length>
>> >         <c:Nonce>R6PHj4NfkvjXt+b6QMNhKw==</c:Nonce>
>> >       </c:DerivedKeyToken>
>> >       <c:DerivedKeyToken u:Id="uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-10" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>> >         <o:SecurityTokenReference>
>> >           <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-b82539dc-ca7e-41d4-b68a-1e7bfb9fe6ba-5" />
>> >         </o:SecurityTokenReference>
>> >         <c:Nonce>NMwqy0hhD24EEPBjG/fXDQ==</c:Nonce>
>> >       </c:DerivedKeyToken>
>> >       <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>> >         <e:DataReference URI="#_1" />
>> >         <e:DataReference URI="#_6" />
>> >       </e:ReferenceList>
>> >       <e:EncryptedData Id="_6" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>> >         <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>> >         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>> >           <o:SecurityTokenReference>
>> >             <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-f7a690f2-a8f6-40ff-9f72-8c27cfa366fb-10" />
>> >           </o:SecurityTokenReference>
>> >         </KeyInfo>
>> >         <e:CipherData>
>> >           <e:CipherValue>...</e:CipherValue>
>> >         </e:CipherData>
>> >       </e:EncryptedData>
>> >     </o:Security>
>> >   </s:Header>
>> >   <s:Body u:Id="_0">
>> >     <RegisterNewUser xmlns="urn:co.uk/RedmanAPI">
>> >       <inputData xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
>> >         <Address>
>> >           <AbodeNumber>1</AbodeNumber>
>> >           ...
>> >       </inputData>
>> >     </RegisterNewUser>
>> >   </s:Body>
>> > </s:Envelope>
>> > 2013-02-12 10:05:25,118 [14] as service in context of the reseller 'test': before sending reply: [urn:co.uk/RedmanAPI/IRedmanAPI/RegisterNewUserResponse], GUID:[56f9b3e2-3b4d-4332-8c20-064a06314a24], Reply:
>> > <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
>> >   <s:Header>
>> >     <a:Action s:mustUnderstand="1">urn:co.uk/RedmanAPI/IRedmanAPI/RegisterNewUserResponse</a:Action>
>> >     <ActivityId CorrelationId="7255d356-4e94-a4c7-9e63127760a0" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d860721b-0c14-44e6-bf52-c2355e</ActivityId>
>> >     <a:RelatesTo>urn:uuid:e15ff563-01f2-4063-822a-387ad7088ff6</a:RelatesTo>
>> >   </s:Header>
>> >   <s:Body>
>> >     <RegisterNewUserResponse xmlns="urn:co.uk/RedmanAPI">
>> >       <RegisterNewUserResult xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
>> >         <FailureReason i:nil="true" />
>> >         <Status>true</Status>
>> >         <UserId>5d925d02</UserId>
>> >       </RegisterNewUserResult>
>> >     </RegisterNewUserResponse>
>> >   </s:Body>
>> > </s:Envelope>
>> >
>> > I've read *a lot* of internet posts over the last few days trying to get a
>> > handle on this, but with no luck. It seems to be some kind of security
>> > issue but how to get around it?
>> > Any help appreciated.
>> >
>> > Alan.
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
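
One way to find vendor-specific assertions such as mssp:SslContextToken in an exported policy before configuring a client, as an added example that is not part of the original thread and is not CXF code: walk the policy and report every element whose namespace is outside an allow-list. The `wsp` namespace URI, the contents of the allow-list and the function names are assumptions; the sample policy is constructed from the bootstrap fragment quoted above.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"   # assumed binding for wsp:
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
MSSP = "http://schemas.microsoft.com/ws/2005/07/securitypolicy"

# Assumption: namespaces whose assertions the consuming stack implements.
KNOWN_NAMESPACES = frozenset({WSP, SP})

# Constructed sample, trimmed from the bootstrap policy quoted in the thread.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <mssp:SslContextToken xmlns:mssp="{MSSP}">
            <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
          </mssp:SslContextToken>
        </wsp:Policy>
      </sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy>
  </sp:SymmetricBinding>
</wsp:Policy>
"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        namespace, local = tag[1:].split("}", 1)
        return namespace, local
    return "", tag

def unknown_assertions(policy_xml, known=KNOWN_NAMESPACES):
    """Return one finding per policy element in a namespace not in `known`."""
    findings = []

    def walk(elem, path):
        namespace, local = split_tag(elem.tag)
        here = path + [local]
        if namespace not in known:
            findings.append({"namespace": namespace, "name": local,
                             "path": "/".join(here)})
            return  # nested policy of an unknown assertion cannot be interpreted
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(policy_xml), [])
    return findings

if __name__ == "__main__":
    for finding in unknown_assertions(SAMPLE_POLICY):
        print(f"{finding['path']}  ({finding['namespace']})")
```
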
