Reputation: 4101
I have a secured METRO 2.1 web service, and I want to develop a .NET (3.5) client that can use it. I already succeeded when the WS was unsecured, but once the security mechanism is set to "Username Authentication with Symmetric Key" and it's using the Development Defaults, how do I set up security in .NET? I've been reading the METRO guide, but I only found broken links to the examples and the guides didn't get me through. I successfully generated a proxy class with svcutil, but I don't know how to use it.
svcutil warnings:
Warning 1 Custom tool warning: A security policy was imported for the endpoint. The security policy contains requirements that cannot be represented in a Windows Communication Foundation configuration. Look for a comment about the SecurityBindingElement parameters that are required in the configuration file that was generated. Create the correct binding element with code. The binding configuration that is in the configuration file is not secure.
Warning 2 Custom tool warning: The wsam:Addressing element requires a wsp:Policy child element but has no child elements.
EDIT
I've got really close to solving this (I think). I exported the default GlassFish certificate with keytool.exe:
keytool -exportcert -alias xws-security-server -storepass changeit -keystore keystore.jks -file server.cer
keytool -printcert -file server.cer // This line shows its contents
I use the server.cer certificate on the client side:
KDTreeWSClient wsClient = new KDTreeWSClient();
X509Certificate2 server_cert = new X509Certificate2("FullPathToCertificate/server.cer", "changeit");
wsClient.ClientCredentials.ServiceCertificate.DefaultCertificate = server_cert;
wsClient.ClientCredentials.UserName.UserName = "wsitUser"; //Default GF username
wsClient.ClientCredentials.UserName.Password = "changeit"; //Default GF password
Question: This results in a MessageSecurityException, because the expected DNS identity of the endpoint is localhost, however the endpoint has xwssecurityserver. Can I set it to localhost/xwssecurityserver manually?
Any help would be appreciated! Thanks in advance, Daniel
Upvotes: 1
Views: 1006
Reputation: 40
Try to set the DNS identity in the client application's config file as described below:
<endpoint address="http://localhost:8080/SecureCalculatorApp/CalculatorWSService"
binding="customBinding" bindingConfiguration="CalculatorWSPortBinding1"
contract="ServiceReference3.CalculatorWS" name="CalculatorWSPort1">
<identity>
<dns value="{YOUR ALIAS}" />
</identity>
</endpoint>
Set the dns value to "xwssecurityserver". In my case it works (by the way, I used your question as a base when solving this problem, so thank you for pointing the right way :) )
Upvotes: 1
Reputation: 4101
This is how I configured the client:
Uri uri = new Uri("http://localhost:8080/JavaWSJMX/KDTreeWSService");
X509Certificate2 server_cert = new X509Certificate2("C:/../server.cer", "changeit"); //Second param is the certificate's password
AddressHeader[] ah = new AddressHeader[0];
EndpointAddress ea = new EndpointAddress(uri, EndpointIdentity.CreateX509CertificateIdentity(server_cert), ah);
KDTreeWSClient wsClient = new KDTreeWSClient("KDTreeWSPort", ea);
Where KDTreeWSPort is the endpointConfigurationName, which you can get from your .config:
<client>
<endpoint address="http://localhost:8080/JavaWSJMX/KDTreeWSService"
binding="customBinding" bindingConfiguration="KDTreeWSPortBinding"
contract="KDTreeWS" name="KDTreeWSPort" />
</client>
After this you have to set the ClientCredentials:
//The server uses this certificate
wsClient.ClientCredentials.ServiceCertificate.DefaultCertificate = server_cert;
//These are the default credentials on GlassFish v3.1
wsClient.ClientCredentials.UserName.UserName = "wsitUser";
wsClient.ClientCredentials.UserName.Password = "changeit";
And you should be able to call your METRO web service! I am using the proxy class which was generated with svcutil, so I didn't make a ServiceReference.
Upvotes: 0
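As an added example (not code from the question or the answers above), the same client setup wrapped in a factory method that also pins the exported server.cer by its thumbprint before trusting it and takes the username and password as parameters instead of the GlassFish development defaults. KDTreeWSClient, the "KDTreeWSPort" endpoint name and the thumbprint placeholder are assumptions taken from the thread.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Assumed: KDTreeWSClient is the svcutil-generated proxy from the question and
// "KDTreeWSPort" is the endpoint name in the client's .config.
public static class SecureClientFactory
{
    // SHA-1 fingerprint of the exported server.cer, as printed by
    // "keytool -printcert -file server.cer". Placeholder value; fill in your own.
    const string ExpectedThumbprint = "REPLACE_WITH_SHA1_FINGERPRINT_OF_SERVER_CER";

    public static KDTreeWSClient Create(string certPath, string user, string password)
    {
        // A .cer written by keytool -exportcert is a bare public certificate,
        // so no password is needed to load it.
        X509Certificate2 serverCert = new X509Certificate2(certPath);

        // Pin the certificate: if the file on disk is not the one we exported,
        // stop before the username token is ever encrypted for it.
        string expected = ExpectedThumbprint.Replace(":", "");
        if (!string.Equals(serverCert.Thumbprint, expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityNegotiationException("server.cer thumbprint does not match the pinned value");

        // Identify the endpoint by the certificate itself rather than a DNS name,
        // which sidesteps the localhost vs. xwssecurityserver identity mismatch.
        Uri uri = new Uri("http://localhost:8080/JavaWSJMX/KDTreeWSService");
        EndpointAddress ea = new EndpointAddress(uri,
            EndpointIdentity.CreateX509CertificateIdentity(serverCert),
            new AddressHeader[0]);

        KDTreeWSClient client = new KDTreeWSClient("KDTreeWSPort", ea);
        client.ClientCredentials.ServiceCertificate.DefaultCertificate = serverCert;
        client.ClientCredentials.UserName.UserName = user;
        client.ClientCredentials.UserName.Password = password;
        return client;
    }
}
```

Call it with credentials read from configuration or an environment variable so that "wsitUser"/"changeit" never end up compiled into the client.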
Reputation: 3129
I don't actually think this is your problem, but it may help troubleshoot some of the tool warnings you're having. The second message looks vaguely familiar. We had a SOAP 1.1 client talking to a Java WS which exposed a custom fault exception. When the Java service faulted it added the stack trace to the fault, and our .NET client blew up because it didn't support multiple child elements; only SOAP 1.2 services do. After speaking with our Java development team they found out that there is a debug setting in Tomcat (or in Java, I can't remember which) which allowed you to turn it off so no stack trace was included. The faults were propagated correctly after that. Sorry I can't be of more assistance, but it may help.
Upvotes: 0