Hi there

I’m having a hard time calling this service (let’s call it MyService) that is 
provided by a 3rd party. I’m using CXF 3.0.4. The service is a .NET WCF service 
that is secured by a separate STS. I’m able to authenticate with the STS and 
get the SAML token. I’m including the SAML token in my request to MyService but 
it is rejecting the request with the classic 
“javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying 
security for the message.” message. The original XML of the response is:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
    <a:RelatesTo>urn:uuid:3a857e83-c9c1-4893-b439-86f3179b46d4</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Sender</s:Value>
        <s:Subcode>
          <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-US">An error occurred when verifying security for the message.</s:Text>
      </s:Reason>
    </s:Fault>
  </s:Body>
</s:Envelope>

So my request must be wrongly formed in some way.

The service provider sent me a sample XML request which is produced by a .NET 
application they have that calls MyService. We compared the two and found 
that there were some discrepancies in my request. I’m missing a whole 
EncryptedData section. The service provider believes that it’s to do with the 
MessageProtectionOrder on the server being SignBeforeEncryptAndEncryptSignature 
and my client is not honouring that. If this is the case, how do I convince my 
client of that? I don’t see any method calls in the API that would relate to 
that.

Here’s the sample from the .NET application: http://pastebin.com/PJrgAdY6 
and here’s the sample from my CXF client application: http://pastebin.com/rYiLdK5m

I snipped out the SAML token to save space in both, and also snipped all the 
CipherValue sections for the same reason.

Thanks!

—
Will
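The comparison described in the post (a signed request with an encrypted body versus one where the signature itself is also encrypted) can be made mechanical. The script below is an added example, not code from the post, from Apache CXF or from WCF. It inspects only the wire structure of a SOAP 1.2 envelope, with no keys needed, and reports which parts are signed and encrypted together with a best-effort name for the WCF MessageProtectionOrder that would produce that structure. The four sample envelopes are constructed for the example (CipherValue and SignatureValue contents are placeholders), and the mapping from structure to order name is a heuristic: with no clear-text ds:Signature, an encrypted whole element inside wsse:Security is assumed to be the encrypted signature, although an encrypted token would look the same.

```python
"""Summarise the WS-Security protection visible in a SOAP 1.2 envelope.

Added example (not from the mailing-list post, Apache CXF or WCF). It reads only
the wire structure, so it can be run on the request a CXF client logged and on
the provider's known-good sample, and the two summaries diffed.
"""
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
ELEMENT_TYPE = "http://www.w3.org/2001/04/xmlenc#Element"   # whole element encrypted
CONTENT_TYPE = "http://www.w3.org/2001/04/xmlenc#Content"   # only the children encrypted


def summarize(envelope_xml: str) -> dict:
    """Return what is signed/encrypted plus a best-effort MessageProtectionOrder name."""
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/wsse:Security", NS)
    body = root.find("s:Body", NS)

    # Ids of every EncryptedData in the message: a signature that references one of
    # them was computed over ciphertext, i.e. encryption happened before signing.
    encrypted_ids = {e.get("Id") for e in root.iter("{%s}EncryptedData" % NS["xenc"]) if e.get("Id")}

    signatures = [] if security is None else security.findall("ds:Signature", NS)
    signed_ids = [ref.get("URI", "").lstrip("#")
                  for sig in signatures
                  for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)]

    header_cipher_types = [] if security is None else [
        e.get("Type", "") for e in security.findall("xenc:EncryptedData", NS)]
    body_cipher = None if body is None else body.find("xenc:EncryptedData", NS)
    body_encrypted = body_cipher is not None and body_cipher.get("Type") == CONTENT_TYPE

    if signatures and not body_encrypted and not header_cipher_types:
        order = "SignOnly"
    elif signatures and any(i in encrypted_ids for i in signed_ids):
        order = "EncryptBeforeSign"            # the signature covers ciphertext
    elif signatures:
        order = "SignBeforeEncrypt"            # plaintext signed, signature left in the clear
    elif ELEMENT_TYPE in header_cipher_types:
        # No clear-text ds:Signature, but a whole element is encrypted inside the
        # Security header, which is where a SignBeforeEncryptAndEncryptSignature
        # sender puts its signature. Heuristic: an encrypted token looks the same.
        order = "SignBeforeEncryptAndEncryptSignature"
    else:
        order = "Unprotected"

    return {
        "clear_signature": bool(signatures),
        "signed_ids": signed_ids,
        "body_encrypted": body_encrypted,
        "header_encrypted_types": header_cipher_types,
        "order": order,
    }


def differences(mine: dict, theirs: dict) -> dict:
    """Fields on which two summaries disagree, e.g. my request vs. the provider's sample."""
    return {k: (mine[k], theirs[k]) for k in mine if mine[k] != theirs[k]}


# --- constructed sample envelopes (placeholders instead of real cipher/signature bytes) ---
def _envelope(security_children: str, body_children: str) -> str:
    return (
        '<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" '
        'xmlns:ds="{ds}" xmlns:xenc="{xenc}"><s:Header>'
        '<wsse:Security s:mustUnderstand="1">' + security_children + '</wsse:Security>'
        '</s:Header><s:Body wsu:Id="body">' + body_children + '</s:Body></s:Envelope>'
    ).format(**NS)


def _signature(uri: str) -> str:
    return ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % uri)


def _encrypted(id_: str, type_: str) -> str:
    return ('<xenc:EncryptedData Id="%s" Type="%s"><xenc:CipherData>'
            '<xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>' % (id_, type_))


SAMPLE_SIGN_ONLY = _envelope(_signature("body"), "<Ping/>")
# Clear-text signature over the plaintext body, body content then encrypted.
SAMPLE_SIGN_BEFORE_ENCRYPT = _envelope(_signature("body"), _encrypted("enc-body", CONTENT_TYPE))
# As above, but the ds:Signature element itself has been replaced by an EncryptedData.
SAMPLE_ENCRYPTED_SIGNATURE = _envelope(_encrypted("enc-sig", ELEMENT_TYPE),
                                       _encrypted("enc-body", CONTENT_TYPE))
# The signature references the EncryptedData Id, so the ciphertext was signed.
SAMPLE_ENCRYPT_BEFORE_SIGN = _envelope(_signature("enc-body"), _encrypted("enc-body", CONTENT_TYPE))

if __name__ == "__main__":
    mine, theirs = summarize(SAMPLE_SIGN_BEFORE_ENCRYPT), summarize(SAMPLE_ENCRYPTED_SIGNATURE)
    print("mine:  ", mine["order"])
    print("theirs:", theirs["order"])
    print("diff:  ", differences(mine, theirs))
```

Run it on the outbound request captured from the client's logging interceptor and on the provider's sample; `differences` then lists exactly which protection fields disagree, which is more precise than eyeballing two envelopes with the CipherValue sections snipped.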
