Skip to main content

WCF(client) to Java(service) using WS-SecureConversation

53 replies [Last post]
mulepic
Offline
Joined: 2007-02-05

Hi,
Has anyone successfully created a WCF client accessing a Java service using WS-SecureConversation. The service is throwing policy exceptions after validation of the username token request. I have to believe it's a configuration detail on the WCF side:

SymmetricSecurityBindingElement secureconversation =
(SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
securityBinding, false);
secureconversation.RequireSignatureConfirmation = false;
secureconversation.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
secureconversation.SetKeyDerivation(false);

Any help would be appreciated. Then we'll move onto the next question of using Fast Infoset and SecureConversation.

I'm using Glassfish and NB 5.5.1

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
venu
Offline
Joined: 2003-10-22

Thanks to yourself and Harsha. This was due to a bug in EXC14n canonicalizer. It is fixed now. It will be integrated into WSIT sometime today.

armandj
Offline
Joined: 2006-07-13

Here is the fault message I get:

ns2:Serverjavax.xml.crypto.dsig.XMLSignatureException: WSS1717: Error occurred while doing digest verification of body/payloadjavax.xml.crypto.dsig.XMLSignatureException: WSS1717: Error occurred while doing digest verification of body/payloadWSS1717: Error occurred while doing digest verification of body/payload

raharsha
Offline
Joined: 2004-11-07

Hi armandj,

This seems to be a bug. You can make it work by modifying your method to something like this

@WebService()
public class NewWebService {
/**
* Web service operation
*/
@WebMethod(action="myaction")
public String operation(@WebParam(name = "myparameter",targetNamespace="http://mynamespace") String myparameter) {
// TODO implement operation
return myparameter;
}

}

i.e. specify the targetNamespace for your parameter.

After doing this deploy the service and regenerate the client. It should pass. I have tested this in my setup. We are investigating why it failed originally.

raharsha
Offline
Joined: 2004-11-07

I want to investigate the issue you are having with secure conversation. Can you post the wsdl and the wcf binding file? The wsit wsdl you have attached does not have secure conversation, but the corresponding wcf binding has an empty secureConversationBootstrap. I am not sure whether that could cause some problems.

mulepic
Offline
Joined: 2007-02-05

Hi, Thanks for responding. You are correct the above wsit was for ws-security. I attached the wsit for sercure conversation. Here's the wcf custom binding for the client:


requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="true" requireSignatureConfirmation="false">
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
authenticationMode="UserNameForCertificate" requireDerivedKeys="false"
securityHeaderLayout="Lax" includeTimestamp="true" keyEntropyMode="CombinedEntropy"
messageProtectionOrder="SignBeforeEncrypt" messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="false">
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />


messageVersion="Soap11WSAddressing10" writeEncoding="utf-8">
maxBytesPerRead="4096" maxNameTableCharCount="16384" />

maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />

mulepic
Offline
Joined: 2007-02-05

Hi raharsha,

Have you had any luck reproducing this issue and/or finding a solution?

Thanks!

raharsha
Offline
Joined: 2004-11-07

yes, I was able to make it work. Here is the netbeans project for the server and the visual studio solution zip files. Please examine it and let me know if it helped.

Some things to note are,

SecureConversationToken should have IncludeToken specified. Otherwise, svcutil will fail.

I tried this on glassfish-installer-v2-b38-nightly-07_mar_2007.jar with the latest wsit jars.

Let me know the details of the problems faced if any.

Thanks
Harsha

armandj
Offline
Joined: 2006-07-13

I have tried Raharsha's code example and it seems to work, but when slightly modified it does not work properly. I have changed this example to send and receive a string in "echo" style.

public class NewWebService {
/**
* Web service operation
*/
@WebMethod(action="myaction")
public String operation(String message)
{
return message;
}
}

This code stopped working as soon as I regenerated the .NET client stub, at which point the service started sending faults "@WSS1717: Error occurred while doing digest verification of body/payload@".

Later I found out that your stub is different from the stub that svcutil of WCF generates.

Original stub: [System.Runtime.Serialization.DataContractAttribute(Namespace="")]
public partial class operationRequestBody

Raharsha stub: [System.Runtime.Serialization.DataContractAttribute()]
public partial class operationRequestBody

When I changed my stub in the same way, the message was able to pass security checks but its data was not getting serialized properly and the [b]message[/b] parameter was getting deserialized as null. When I changed my stub back into the original state the message again failed to pass security validation.

When I switched off security I found out that the original stub is proper and works properly without security, while the modified stub results in the incorrect serialization of the request message.

So in my case the message either passes security validation but does not get serialized/deserialized properly, or gets serialized properly but doesn't pass security validation.

WBR,
Arman

oleksiys
Offline
Joined: 2006-01-25

I just tested secured WS in configuration you did, but Java <-> Java using FI - it works.
So, afraid, without additional error information from you, it will be difficult to find the problem.
Any logs + stacktraces + wsdl.... could help.

mulepic
Offline
Joined: 2007-02-05

The wsit is attached. Here is my wcf binding:


requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="false">
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />


messageVersion="Soap11WSAddressing10" writeEncoding="utf-8">
maxBytesPerRead="4096" maxNameTableCharCount="16384" />

maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />

In code I enable Fi in the following way:

CustomBinding cb = new CustomBinding("v37SecurityCustomNewWebServicePortBinding");
//create fi binding element
FiMessageEncodingBindingElement element = new FiMessageEncodingBindingElement();
//fi-ize the binding
CustomBinding customBinding = element.PlugIn(cb);
//use binding to create client proxy
v2b37.NewWebServiceClient client = new v2b37.NewWebServiceClient(customBinding, eea);

I can only get at the binary FI response from the service for the error messages b/c v2b37 no longer outputs to the debug window. this is the top of the stack trace I can make out until I can decode the FI msg.

stackTrace. frame..>com.sun.xml.ws.security.opt.impl.incoming.processor.CipherDataProcessorx.fileH.CipherDataProcessor.javax.lineA83x.methodF process.M...com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.H.EncryptedData.java.B120...M...com.sun.xml.ws.security.opt.impl.incoming.EncryptedData...A82.E.M..2com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.H.SecurityRecipient.java.B316.H.handleSecurityHeader.M..2com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient..

oleksiys
Offline
Joined: 2006-01-25

Ok, may be guys from security can take a look to wsdl you posted.
Meanwhile, can you pls. make one more thing - publish FastInfoset message dump, which is sent from client to server - I'll check whether it has any problem?

regards.

oleksiys
Offline
Joined: 2006-01-25

Seems guys have some issue in the FI + SecureConversation case for java client/service. I'll try to reproduce it and see if there is a problem.

mulepic
Offline
Joined: 2007-02-05

Hi,

Yes, it has become known that FI w/ ws-security and ws-secureconversation is not functioning. It was verified that the soap message from the wcf service was correctly FI encoded but the Java service has issues decoding it.

I have no proof, but I have doubts that even a java client <-> java service using ws-security or ws-secureconversation and FI isn't functioning/implemented.

Anyway, a new thread will be started regarding FI.

mulepic
Offline
Joined: 2007-02-05

I actually just got word that the Java service can decode the FI message correctly but must be the combination w/ security that is causing the problem.

venu
Offline
Joined: 2003-10-22

FI /Security problem has been fixed, please verify with latest wsit sources.

mulepic
Offline
Joined: 2007-02-05

Thanks Venu,

I got the latest wsit from here:

https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&e...

I got the nb plugin from here:

http://websvc.netbeans.org/servlets/ProjectDocumentList?folderID=123&exp...

I'm using GFv2b22 and I get this error when I try to start the server:

WSSERVLET11: failed to parse runtime descriptor: java.lang.NoSuchMethodError: com.sun.xml.ws.policy.privateutil.PolicyLogger.entering(Ljava/lang/String;[Ljava/lang/Object;)V
java.lang.NoSuchMethodError: com.sun.xml.ws.policy.privateutil.PolicyLogger.entering(Ljava/lang/String;[Ljava/lang/Object;)V
at com.sun.xml.ws.policy.jaxws.addressing.AddressingModelConfiguratorProvider.configure(AddressingModelConfiguratorProvider.java:67)
at com.sun.xml.ws.policy.jaxws.WSDLPolicyMapWrapper.configureModel(WSDLPolicyMapWrapper.java:153)

Am I getting the right components?

ritzmann
Offline
Joined: 2003-06-19

> I'm using GFv2b22 and I get this error when I try to start the server:

The latest WSIT is being tested with GF v2 b37. I'm not so sure it would still work with b22.

Note that NetBeans 5.5 does not work properly with newer builds of GlassFish v2. You would need a daily build of NetBeans 5.5.1.

> WSSERVLET11: failed to parse runtime descriptor:
> java.lang.NoSuchMethodError:

Looks like the classpath is seriously deranged. If you must use GF b22, please attach the file %AS_HOME%\domains\domain1\config\domain.xml and the output of the command "dir %AS_HOME%\lib".

Fabian

mulepic
Offline
Joined: 2007-02-05

Hi Fabian, Thanks for the response.

I installed GFv2b37 with the lates wsit: https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&e...

I'm using NB 5.5.1. I created a simple service with one operation (string operation()) that works great until I use FI on the wcf client. I'm using ws-security (not ws-secureconversation yet) and I get an error on the service "SS1922: Error occurred while decoding CipherValue: com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException: Error while decoding"

Using wsmonitor, it appears fi is being sent across from both ends.

I'm assuming I have the wsit build with the security/fi fix ? Also the fix was made for ws-security as well as ws-secureconversation, right?

edit:
I just discovered that ws-secureconversation (no fi) is no longer working. I get this error on the wcf client:

{"The SecurityContextSecurityToken with context-id=urn:uuid:3427509e-7bc0-486e-bacc-bd47c13e5102 (key generation-id=) is not registered."}

This didn't happen w/ v2b22. I inspect the soap msgs and the SCT w/ that id is being exchanged from both ends. Is there something new on the wcf side that needs to be updated to work w/ the lates GF and/or wsit?

Message was edited by: mulepic

oleksiys
Offline
Joined: 2006-01-25

WSIT build you specified has previous FI issue fixed. We will investigate this one.
Do you have any additional information on error? Stacktrace etc...?
Regards.

venu
Offline
Joined: 2003-10-22

did the suggestion provided by oleksiys work for you.

mulepic
Offline
Joined: 2007-02-05

Hi,
Yes the suggestion provided did work for me, thank you. But did this uncover an interop issue? I'm refering to this change that was needed to the wsit.xml

'2. Insert the SignedParts and EncryptedParts for bootstrap policy. THis is required by WCF."

My understanding of the wsit.xml is that it contains service level policy as well as operation level policy. Thus policy can be dictated at the service and/or operation level. Is this true? If yes, does the policy at the service level override the policy at the operation level?

Now to my question. Does adding the SignedParts and EncryptedParts elements at the service level override the same elements at the operation level? Or does WCF just ignore the policy at the operation level?

I'm asking because it doesn't seem to make any difference in the message structure/content when I manipulate operation level policies.

Thank you for you reply.

Also, I'll answer the username callback in the other thread after I look into 109 services.

jdg6688
Offline
Joined: 2005-11-02

There are two types of messages: secure conversation protocol messages and application messages. The SignParts and EncryptParts in the Bootstrap policy only cover the protocol messages. This is the standard way for doing this. So no interop issues here.

mulepic
Offline
Joined: 2007-02-05

When I remove the Signed/EncryptedParts from the operation input and output policy the body portion of the message containing the operation result is still encrypted.

I would expect these messages to not be encrypted. Do I understand this correctly?

Thanks for your reply.

venu
Offline
Joined: 2003-10-22

When no SignParts /Encrypt Parts are provided in bootstrap policy , SUN client would apply a default policy. The default policy would sign headers , sign and encrypt Body.

mulepic
Offline
Joined: 2007-02-05

Hello,

You missed a detail to my post: 'When I remove the Signed/EncryptedParts from the operation input and output policy ..'

I removed the elements from the operation policy (not bootstrap policy) and the parts are still encrypted.

Why is this?

venu
Offline
Joined: 2003-10-22

yes this is a issue . we will check .
Venu

venu
Offline
Joined: 2003-10-22

are u talking about this one

















mulepic
Offline
Joined: 2007-02-05

Hi,

Yes, I am referring to that policy as well as the NewWebServicePortBinding_EchoString_Output_Policy. Do these policies dictate whether the body is encrypted to and from the service? So in the case of the operation:

string echoString(sting input);

if there are no encyrptedParts in the policy shouldn't I see the text in the soap message being transmitted in plain text?

Thanks

venu
Offline
Joined: 2003-10-22

The spec mandates that if SignedParts has no child elements then we sign all headers and body. If encryptParts has no elements than we encrypt the body.

To achieve the behavior you are looking for you need to remove signed and encryp parts assertions.

snajper
Offline
Joined: 2004-10-01

Would you please refer to the section of the spec?

Shouldn't empty SignedParts/Encry... be our default in generated policies for different security mechanisms in NB?

venu
Offline
Joined: 2003-10-22

Just look for the section which describes SignParts and EncryptParts.

oleksiys
Offline
Joined: 2006-01-25

Hi,

how did you configure wcf client to support FI?
Because if you didn't do that, I'm afraid, even if server supports FI, but client does not - then FI will not be used for communication.
In this aspect it's interesting, why WS-Security(wcf<->java) with FI doesn't work. Can you pls. make sure, that FI is really used for encoding in that scenario?

Thank you.

mulepic
Offline
Joined: 2007-02-05

See the post above. I am using the Noemax FI binding for WCF and it works remarkably well. I have seen a 5x improvement in performance as a result of using it. But that's off the topic. I will post my FI findings and configuration in the near future once I solve the ws-secureconversation issue.

raharsha
Offline
Joined: 2004-11-07

Were you able to try with the latest milestone build of GlassFish v2? Attached are the WCF binding for one particular scenario and the corresponding wsdl. Hope you find this useful.

mulepic
Offline
Joined: 2007-02-05

Thank you for the app.config and wsdl. They seem to have helped. I am now getting a RSTR from the java service that includes a securityContextToken with an Identifier.

The client then submits the final request which includes the targeted action of the service. The request contains the identifier of the sct.

But the Java service throws a "PolicyViolationException: Expected one of EncryptedKey,EncryptedData,ReferenceList as per receiverrequirements, found Signature" And sure enough the request doesn't have the EncryptedKey element.

What do I need to do to the WCF client to include the EncryptedKey element?

Thanks again,
Matt

raharsha
Offline
Joined: 2004-11-07

Can you attach your latest wsdl and app.config? There seems to be some mismatch in the server and client configs.

Thanks
Harsha

mulepic
Offline
Joined: 2007-02-05

Here you go, thanks for looking at this.

raharsha
Offline
Joined: 2004-11-07

I got the scenario working from WCF(client) to Java (service) by making the following changes.
1. Change the algorithm suite to be the same for bootstrap policy and the outer policy. This is a limitation in the current WSIT implementation.
2. Insert the SignedParts and EncryptedParts for bootstrap policy. THis is required by WCF.
3. Change MessageId to MessageID
4. Some change in App.config.

Attached are the working files. Please check them. I have removed one operation, as I was not able to deploy the java service with 2 operations, probably due some configuration error on my setup.

mulepic
Offline
Joined: 2007-02-05

Thank you for your help. Without this forum and your help no one would know about these subtle changes that are needed to get ws-secureconversation to work w/ java and wcf. BTW, I could only get this to work w/ GFv2b22. GFv2b33 throws invalid signature exceptions.

mulepic
Offline
Joined: 2007-02-05

Actually I had another question but maybe this should be asked in another thread. My usernameValidator does not get called when using secure conversation. I was expecting the first message to validate the username token and my validator to be called. Then subsequent messages would not include the username token only the session token. Is my understanding correct?

raharsha
Offline
Joined: 2004-11-07

> Actually I had another question but maybe this should
> be asked in another thread. My usernameValidator
> does not get called when using secure conversation.

If you are using tomcat, your validator will be called. If you are using GlassFish, then the GlassFish container's authentication mechanism is used to validate username and password through JSR 109 mechanism. You can create a user under security realms of GlassFish and use that for the validation.

> I was expecting the first message to validate the
> username token and my validator to be called. Then
> subsequent messages would not include the username
> token only the session token. Is my understanding
> correct?
Your understanding is correct.

raharsha
Offline
Joined: 2004-11-07

Yes, we have many examples of WCF client calling Java service using WS-SecureConversation. Which version of glassfish are you using ? Can you give the complete policy exception stack trace? Please try with glassfish v2 (latest milestone build).

mulepic
Offline
Joined: 2007-02-05

Hi,
Thanks for the response. If you have examples of doing this can you share your wcf binding as well as your service wsit xml? I am using version V2b22 of glassfish; AFAIK this version is quite supportive of ws-security and ws-secureconversation. I have successfuly had just ws-security working but the exception below is what I get when I enable secure conversation. Not that my username toke validator is getting called

validateUserToken validator being called
Usernameasd: user
Passowrdasd: user
end token validator
WSS1205: Unable to initialize XML Cipher
java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.a(DashoA12275)
at javax.crypto.Cipher.a(DashoA12275)
at javax.crypto.Cipher.a(DashoA12275)
at javax.crypto.Cipher.init(DashoA12275)
at javax.crypto.Cipher.init(DashoA12275)
at com.sun.xml.wss.impl.apachecrypto.EncryptionProcessor.encrypt(EncryptionProcessor.java:1039)

here is my wsit xml


xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="NewWebServiceService" targetNamespace="http://wsx/" xmlns:tns="http://wsx/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsaws="http://www.w3.org/2005/08/addressing" xmlns:sc="http://schemas.sun.com/2006/03/wss/server" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/optimizedfastinfosetserialization" xmlns:wsat="http://schemas.xmlsoap.org/ws/2004/10/wsat"
>






















































































































































































































raharsha
Offline
Joined: 2004-11-07

This exception is due to the fact that your JDK does not have unlimited strength JCE policy files. You can either install the unlimited strength policy files or reduce the key size . You can download the policy files from

http://java.sun.com/javase/downloads/index.jsp

or
http://java.sun.com/javase/downloads/index_jdk5.jsp

I will share the the wcf binding and wsit xml files if you are still unable to solve by the above mentioned steps.

mulepic
Offline
Joined: 2007-02-05

Well I got over the aforementioned exception by adjusting the algorithm on the client to match that of the service, Basic128. Now there is an exception on the service:

System.ServiceModel.Security.MessageSecurityException was unhandled
Message="No signature message parts were specified for messages with the 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT' action."

I think this is were I can use a hand in configuring my SymmetricSecurityBindingElement

Any help would be appreciated.

mulepic
Offline
Joined: 2007-02-05

I guess there's not much help yet in terms of providing the service wsit.xml or the wcf binding.

Currently I'm getting an exception on the java service:

java.lang.IndexOutOfBoundsException: Index: 0
at java.util.Collections$EmptyList.get(Collections.java:2975)
at com.sun.xml.wss.jaxws.impl.SecurityServerPipe.invokeSecureConversationContract(SecurityServerPipe.java:499)
at com.sun.xml.wss.jaxws.impl.SecurityServerPipe.process(SecurityServerPipe.java:214)
at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79)

From what I can tell the getOutBoundSCP(Message message) is returning an empty list. Does SCP stand for SecureConversation Policies? Is there anyone with experience with this?

mulepic
Offline
Joined: 2007-02-05

I just discovered in addition to the IndexOutofBoundsException above the SOAP messages transmitted to establish the secure conversation are suspicious:

The WCF client sends a SOAP msg to the Java service with action:

http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

The Java Service responds with a SOAP msg to the WCF client with action:

http://jax-ws.dev.java.net/addressing/output-action-not-set

and
ns2:Server
Index: 0

I would have expected the Service to respond with an action SCT response. Is this a bug w/ Glassfish?

I know the 'output-action-not-set' is generated when a service method does not specify the action="methodName" declaration. But why is the being generated for setting up the secure session?

jdg6688
Offline
Joined: 2005-11-02

Hi,

I suspect that the service and the client use the addressing of different versions.
Could you send us the request message?

Thanks!

Jiandong

mulepic
Offline
Joined: 2007-02-05

From the WCF Message Trace Log:

-
-
-
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
urn:uuid:7e77885f-ea17-4932-865a-d1832a22776a
9da5c549-802e-4719-b569-0933d88cf3aa
-
http://www.w3.org/2005/08/addressing/anonymous

http://localhost:8080/ServiceCustomerTwo/NewWebService
-
-
2007-02-20T19:10:19.378Z
2007-02-20T19:15:19.378Z

-
-

.....

ashutoshshahi
Offline
Joined: 2006-01-27

Hello,
I tried with the wsdl posted here and could not reproduce the issue. I tested Sun to Sun though as did not have setup for Wcf -> Sun.
Will look further into this issue now, in the meantime can you test FI + plain security - avoiding secure conversation and see if that works for you?