WCF(client) to Java(service) using WS-SecureConversation


Hi,
Has anyone successfully created a WCF client accessing a Java service using WS-SecureConversation? The service is throwing policy exceptions after validation of the username token request. I have to believe it's a configuration detail on the WCF side:

    SymmetricSecurityBindingElement secureconversation =
        (SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
            securityBinding, false);
    secureconversation.RequireSignatureConfirmation = false;
    secureconversation.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    secureconversation.SetKeyDerivation(false);

Any help would be appreciated. Then we'll move onto the next question of using Fast Infoset and SecureConversation.
I'm using Glassfish and NB 5.5.1.

Yes, we have many examples of WCF client calling Java service using WS-SecureConversation. Which version of glassfish are you using? Can you give the complete policy exception stack trace? Please try with glassfish v2 (latest milestone build).

Hi,
Thanks for the response. If you have examples of doing this can you share your wcf binding as well as your service wsit xml? I am using version V2b22 of glassfish; AFAIK this version is quite supportive of ws-security and ws-secureconversation. I have successfully had just ws-security working but the exception below is what I get when I enable secure conversation. Note that my username token validator is getting called:

validateUserToken validator being called
Usernameasd: user
Passowrdasd: user
end token validator
WSS1205: Unable to initialize XML Cipher
java.security.InvalidKeyException: Illegal key size or default parameters
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.a(DashoA12275)
        at javax.crypto.Cipher.init(DashoA12275)
        at javax.crypto.Cipher.init(DashoA12275)
        at com.sun.xml.wss.impl.apachecrypto.EncryptionProcessor.encrypt(EncryptionProcessor.java:1039)

Here is my wsit xml:

<?xml version="1.0" encoding="UTF-8"?>
<definitions
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    name="NewWebServiceService" targetNamespace="http://wsx/" xmlns:tns="http://wsx/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsaws="http://www.w3.org/2005/08/addressing"
    xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
    xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
    xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/optimizedfastinfosetserialization"
    xmlns:wsat="http://schemas.xmlsoap.org/ws/2004/10/wsat">
  <wsdl:message name="EchoString"/>
  <wsdl:message name="EchoStringResponse"/>
  <wsdl:message name="GetCustomers"/>
  <wsdl:message name="GetCustomersResponse"/>
  <wsdl:portType name="NewWebService">
    <wsdl:operation name="EchoString">
      <wsdl:input message="tns:EchoString"/>
      <wsdl:output message="tns:EchoStringResponse"/>
    </wsdl:operation>
    <wsdl:operation name="GetCustomers">
      <wsdl:input message="tns:GetCustomers"/>
      <wsdl:output message="tns:GetCustomersResponse"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="NewWebServicePortBinding" type="tns:NewWebService">
    <wsp:PolicyReference URI="#NewWebServicePortBindingPolicy"/>
    <wsdl:operation name="EchoString">
      <wsp:PolicyReference URI="#NewWebServicePortBinding_EchoString_Policy"/>
      <wsdl:input>
        <wsp:PolicyReference URI="#NewWebServicePortBinding_EchoString_Input_Policy"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#NewWebServicePortBinding_EchoString_Output_Policy"/>
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="GetCustomers">
      <wsdl:input>
        <wsp:PolicyReference URI="#NewWebServicePortBinding_GetCustomers_Input_Policy"/>
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#NewWebServicePortBinding_GetCustomers_Output_Policy"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="NewWebServiceService">
    <wsdl:port name="NewWebServicePort" binding="tns:NewWebServicePortBinding"/>
  </wsdl:service>
  <wsp:Policy wsu:Id="NewWebServicePortBindingPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
        <sc:ValidatorConfiguration wspp:visibility="private">
          <sc:Validator name="usernameValidator" classname="wsx.ServiceCustomerTwoValidateUserToken"/>
        </sc:ValidatorConfiguration>
        <fi:OptimizedFastInfosetSerialization enabled="true"/>
        <sc:KeyStore wspp:visibility="private" storepass="changeit" type="PKCS12" location="C:\dev\Java\netbeans-5.5.1dev\certs\myKey.p12"/>
        <sc:TrustStore wspp:visibility="private" type="PKCS12" location="C:\dev\Java\netbeans-5.5.1dev\certs\myKey.p12" storepass="changeit"/>
        <sp:SymmetricBinding>
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:SecureConversationToken>
                  <wsp:Policy>
                    <sp:BootstrapPolicy>
                      <wsp:Policy>
                        <sp:SymmetricBinding>
                          <wsp:Policy>
                            <sp:ProtectionToken>
                              <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                  <wsp:Policy>
                                    <sp:WssX509V3Token10/>
                                  </wsp:Policy>
                                </sp:X509Token>
                              </wsp:Policy>
                            </sp:ProtectionToken>
                            <sp:Layout>
                              <wsp:Policy>
                                <sp:Strict/>
                              </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp/>
                            <sp:OnlySignEntireHeadersAndBody/>
                            <sp:AlgorithmSuite>
                              <wsp:Policy>
                                <sp:Basic128/>
                              </wsp:Policy>
                            </sp:AlgorithmSuite>
                          </wsp:Policy>
                        </sp:SymmetricBinding>
                        <sp:Wss11>
                          <wsp:Policy>
                            <sp:MustSupportRefKeyIdentifier/>
                            <sp:MustSupportRefIssuerSerial/>
                            <sp:MustSupportRefThumbprint/>
                            <sp:MustSupportRefEncryptedKey/>
                          </wsp:Policy>
                        </sp:Wss11>
                      </wsp:Policy>
                    </sp:BootstrapPolicy>
                  </wsp:Policy>
                </sp:SecureConversationToken>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:IncludeTimestamp/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10>
          <wsp:Policy>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
            <sp:MustSupportIssuedTokens/>
          </wsp:Policy>
        </sp:Trust10>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="NewWebServicePortBinding_EchoString_Input_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SupportingTokens>
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SupportingTokens>
        <sp:EncryptedParts/>
        <sp:SignedParts/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="NewWebServicePortBinding_EchoString_Output_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:EncryptedParts>
          <sp:Body/>
        </sp:EncryptedParts>
        <sp:SignedParts>
          <sp:Body/>
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="MessageId" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        </sp:SignedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="NewWebServicePortBinding_GetCustomers_Input_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedSupportingTokens>
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:EncryptedParts>
          <sp:Body/>
        </sp:EncryptedParts>
        <sp:SignedParts>
          <sp:Body/>
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="MessageId" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        </sp:SignedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="NewWebServicePortBinding_GetCustomers_Output_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:EncryptedParts>
          <sp:Body/>
        </sp:EncryptedParts>
        <sp:SignedParts>
          <sp:Body/>
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="MessageId" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        </sp:SignedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="NewWebServicePortBinding_EchoString_Policy">
    <wsp:ExactlyOne>
      <wsp:All></wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</definitions>

This exception is due to the fact that your JDK does not have unlimited strength JCE policy files. You can either install the unlimited strength policy files or reduce the key size. You can download the policy files from http://java.sun.com/javase/downloads/index.jsp or http://java.sun.com/javase/downloads/index_jdk5.jsp
I will share the wcf binding and wsit xml files if you are still unable to solve by the above mentioned steps.

Well I got over the aforementioned exception by adjusting the algorithm on the client to match that of the service, Basic128. Now there is an exception on the service:

System.ServiceModel.Security.MessageSecurityException was unhandled
  Message="No signature message parts were specified for messages with the 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT' action."

I think this is where I can use a hand in configuring my SymmetricSecurityBindingElement. Any help would be appreciated.

I guess there's not much help yet in terms of providing the service wsit.xml or the wcf binding. Currently I'm getting an exception on the java service:

java.lang.IndexOutOfBoundsException: Index: 0
        at java.util.Collections$EmptyList.get(Collections.java:2975)
        at com.sun.xml.wss.jaxws.impl.SecurityServerPipe.invokeSecureConversationContract(SecurityServerPipe.java:499)
        at com.sun.xml.wss.jaxws.impl.SecurityServerPipe.process(SecurityServerPipe.java:214)
        at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:79)

From what I can tell the getOutBoundSCP(Message message) is returning an empty list. Does SCP stand for SecureConversation Policies? Is there anyone with experience with this?

I just discovered, in addition to the IndexOutOfBoundsException above, the SOAP messages transmitted to establish the secure conversation are suspicious:

The WCF client sends a SOAP msg to the Java service with action:
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT

The Java service responds with a SOAP msg to the WCF client with action:
http://jax-ws.dev.java.net/addressing/output-action-not-set
and
<faultcode xmlns="">ns2:Server</faultcode>
<faultstring xmlns="">Index: 0</faultstring>

I would have expected the service to respond with an action SCT response. Is this a bug w/ Glassfish?
I know the 'output-action-not-set' is generated when a service method does not specify the action="methodName" declaration. But why is this being generated for setting up the secure session?

Hi, I suspect that the service and the client use the addressing of different versions.
Could you send us the request message?
Thanks!
Jiandong

From the WCF Message Trace Log:

<MessageLogTraceRecord Time="2007-02-20T12:10:19.3943373-07:00" Source="TransportSend" Type="System.ServiceModel.Security.SecurityAppliedMessage" xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
  <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
      <a:Action s:mustUnderstand="1" u:Id="_2">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
      <a:MessageID u:Id="_3">urn:uuid:7e77885f-ea17-4932-865a-d1832a22776a</a:MessageID>
      <ActivityId CorrelationId="26787c9e-e026-49f0-959e-ba62220b87b9" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">9da5c549-802e-4719-b569-0933d88cf3aa</ActivityId>
      <a:ReplyTo u:Id="_4">
        <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1" u:Id="_5">http://localhost:8080/ServiceCustomerTwo/NewWebService</a:To>
      <u:Timestamp u:Id="uuid-03170daa-0afd-4726-82ef-b334daedfbb9-3">
        <u:Created>2007-02-20T19:10:19.378Z</u:Created>
        <u:Expires>2007-02-20T19:15:19.378Z</u:Expires>
      </u:Timestamp>
      <e:EncryptedKey Id="uuid-03170daa-0afd-4726-82ef-b334daedfbb9-2" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">.....

Hello,
I tried with the wsdl posted here and could not reproduce the issue. I tested Sun to Sun though, as I did not have a setup for Wcf -> Sun.
Will look further into this issue now. In the meantime can you test FI + plain security, avoiding secure conversation, and see if that works for you?

Hi,
Yes I can also get Java <-> Java to work w/ ws-security and ws-secureconversation.
WS-Security (wcf <-> java) does work. WS-Security (wcf <-> java) with FI does not work. My goal is to now get wcf <-> java ws-secureconversation to work. Once I have that completed I will add FI.
I have tried java <-> java ws-secureconversation with FI and it seems to work, but upon further inspection of the SOAP messages I found they are not FI encoded.
I am currently installing different versions of Glassfish to see if that helps. But it seems to be making matters worse as I'm getting different exceptions per version for the same simple test services.

> WS-Security (wcf <->java) does work. WS-Security (wcf
> <->java) with FI does not work. My goal is to now
> get wcf<->java ws-secureconversation to work. Once I
> have that completed I will add FI.
WCF does not support Fast Infoset.

There is a Fast Infoset binding for WCF by Noemax. It's in beta now, formal release is expected next week.

Hi,
how did you configure wcf client to support FI?
Because if you didn't do that, I'm afraid, even if server supports FI, but client does not, then FI will not be used for communication.
In this aspect it's interesting why WS-Security (wcf <-> java) with FI doesn't work. Can you pls. make sure that FI is really used for encoding in that scenario?
Thank you.

See the post above.  I am using the Noemax FI binding for WCF and it works remarkably well.  I have seen a 5x improvement in performance as a result of using it.  But that's off the topic.  I will post my FI findings and configuration in the near future once I solve the ws-secureconversation issue.

Were you able to try with the latest milestone build of GlassFish v2? Attached are the WCF binding for one particular scenario and the corresponding wsdl. Hope you find this useful.

Thank you for the app.config and wsdl. They seem to have helped. I am now getting a RSTR from the java service that includes a securityContextToken with an Identifier.
The client then submits the final request which includes the targeted action of the service. The request contains the identifier of the sct.
But the Java service throws a "PolicyViolationException: Expected one of EncryptedKey,EncryptedData,ReferenceList as per receiverrequirements, found Signature". And sure enough the request doesn't have the EncryptedKey element.
What do I need to do to the WCF client to include the EncryptedKey element?
Thanks again,
Matt

Can you attach your latest wsdl and app.config? There seems to be some mismatch in the server and client configs.
Thanks
Harsha

Here you go, thanks for looking at this.

I got the scenario working from WCF (client) to Java (service) by making the following changes.
1. Change the algorithm suite to be the same for bootstrap policy and the outer policy. This is a limitation in the current WSIT implementation.
2. Insert the SignedParts and EncryptedParts for bootstrap policy. This is required by WCF.
3. Change MessageId to MessageID.
4. Some change in App.config.
Attached are the working files. Please check them. I have removed one operation, as I was not able to deploy the java service with 2 operations, probably due to some configuration error on my setup.

Thank you for your help.  Without this forum and your help no one would know about these subtle changes that are needed to get ws-secureconversation to work w/ java and wcf.  BTW, I could only get this to work w/ GFv2b22.  GFv2b33 throws invalid signature exceptions.

Actually I had another question but maybe this should be asked in another thread.  My usernameValidator does not get called when using secure conversation.  I was expecting the first message to validate the username token and my validator to be called.  Then subsequent messages would not include the username token only the session token.  Is my understanding correct?

> Actually I had another question but maybe this should
> be asked in another thread. My usernameValidator
> does not get called when using secure conversation.
If you are using tomcat, your validator will be called. If you are using GlassFish, then the GlassFish container's authentication mechanism is used to validate username and password through JSR 109 mechanism. You can create a user under security realms of GlassFish and use that for the validation.
> I was expecting the first message to validate the
> username token and my validator to be called. Then
> subsequent messages would not include the username
> token only the session token. Is my understanding
> correct?
Your understanding is correct.

Did the suggestion provided by oleksiys work for you?

Hi,
Yes the suggestion provided did work for me, thank you. But did this uncover an interop issue? I'm referring to this change that was needed to the wsit.xml:
"2. Insert the SignedParts and EncryptedParts for bootstrap policy. This is required by WCF."
My understanding of the wsit.xml is that it contains service level policy as well as operation level policy. Thus policy can be dictated at the service and/or operation level. Is this true? If yes, does the policy at the service level override the policy at the operation level?
Now to my question. Does adding the SignedParts and EncryptedParts elements at the service level override the same elements at the operation level? Or does WCF just ignore the policy at the operation level?
I'm asking because it doesn't seem to make any difference in the message structure/content when I manipulate operation level policies.
Thank you for your reply.
Also, I'll answer the username callback in the other thread after I look into 109 services.

There are two types of messages: secure conversation protocol messages and application messages. The SignParts and EncryptParts in the Bootstrap policy only cover the protocol messages. This is the standard way for doing this. So no interop issues here.

When I remove the Signed/EncryptedParts from the operation input and output policy the body portion of the message containing the operation result is still encrypted.
I would expect these messages to not be encrypted. Do I understand this correctly?
Thanks for your reply.

When no SignParts/EncryptParts are provided in bootstrap policy, SUN client would apply a default policy. The default policy would sign headers, sign and encrypt Body.

Hello,
You missed a detail to my post: 'When I remove the Signed/EncryptedParts from the operation input and output policy ..'
I removed the elements from the operation policy (not bootstrap policy) and the parts are still encrypted. Why is this?

Yes, this is an issue. We will check.
Venu

Are you talking about this one?

<wsp:Policy wsu:Id="NewWebServicePortBinding_EchoString_Input_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SupportingTokens>
      <sp:EncryptedParts/>
      <sp:SignedParts/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Hi,
Yes, I am referring to that policy as well as the NewWebServicePortBinding_EchoString_Output_Policy. Do these policies dictate whether the body is encrypted to and from the service? So in the case of the operation:

    string echoString(string input);

if there are no EncryptedParts in the policy shouldn't I see the text in the soap message being transmitted in plain text?
Thanks

The spec mandates that if SignedParts has no child elements then we sign all headers and body. If EncryptedParts has no elements then we encrypt the body.
To achieve the behavior you are looking for you need to remove the signed and encrypted parts assertions.
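The wsit.xml changes listed earlier in the thread (same algorithm suite in bootstrap and outer policy, SignedParts/EncryptedParts in the bootstrap policy, MessageID spelling) and the empty-assertion rule stated in the reply above can be checked mechanically. The linter below is an added example, not code from WSIT or from any poster; the `lint` function, its finding codes and the sample policy are constructed for illustration, and it assumes compact-form policies shaped like the posted wsit.xml.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
}
WSU_ID = ("{http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd}Id")
WSA = "http://www.w3.org/2005/08/addressing"
SP = "{%s}" % NS["sp"]
# Header local names defined by WS-Addressing 1.0 (matching is case-sensitive).
WSA_HEADERS = {"To", "From", "FaultTo", "ReplyTo", "MessageID", "RelatesTo", "Action"}
# Path from an outer sp:SymmetricBinding down to its bootstrap policy.
BOOTSTRAP = ("wsp:Policy/sp:ProtectionToken/wsp:Policy/"
             "sp:SecureConversationToken/wsp:Policy/sp:BootstrapPolicy")


def suites(binding):
    """Algorithm suites declared directly on a binding, ignoring nested ones."""
    found = binding.findall("wsp:Policy/sp:AlgorithmSuite/wsp:Policy/*", NS)
    return {el.tag.replace(SP, "") for el in found}


def lint(xml_text):
    """Return sorted (code, detail) findings for a compact-form WSIT policy."""
    root = ET.fromstring(xml_text)
    findings = set()
    for outer in root.iter(SP + "SymmetricBinding"):
        boot = outer.find(BOOTSTRAP, NS)
        if boot is None:
            continue  # this is the bootstrap binding itself, or no secure conversation
        inner = boot.find("wsp:Policy/sp:SymmetricBinding", NS)
        if inner is not None and suites(inner) != suites(outer):
            findings.add(("suite-mismatch", "%s vs %s" % (
                ",".join(sorted(suites(inner))), ",".join(sorted(suites(outer))))))
        for part in ("SignedParts", "EncryptedParts"):
            if boot.find("wsp:Policy/sp:" + part, NS) is None:
                findings.add(("bootstrap-missing", part))
    for pol in root.iter("{%s}Policy" % NS["wsp"]):
        pid = pol.get(WSU_ID)
        if pid is None:
            continue  # only named policies are reported
        for hdr in pol.iter(SP + "Header"):
            if hdr.get("Namespace") == WSA and hdr.get("Name") not in WSA_HEADERS:
                findings.add(("bad-header-name", "%s:%s" % (pid, hdr.get("Name"))))
        # Empty assertions are not "no protection": per the reply above they
        # select all headers and body (signing) or the body (encryption).
        for part, effect in (("SignedParts", "signs-all-headers-and-body"),
                             ("EncryptedParts", "encrypts-body")):
            for el in pol.iter(SP + part):
                if len(el) == 0:
                    findings.add(("empty-" + part, "%s:%s" % (pid, effect)))
    return sorted(findings)


# Constructed sample, trimmed to the shape of the wsit.xml posted in the thread.
SAMPLE = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
 <wsp:Policy wsu:Id="BindingPolicy"><wsp:ExactlyOne><wsp:All>
  <sp:SymmetricBinding><wsp:Policy>
   <sp:ProtectionToken><wsp:Policy><sp:SecureConversationToken><wsp:Policy>
    <sp:BootstrapPolicy><wsp:Policy>
     <sp:SymmetricBinding><wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
     </wsp:Policy></sp:SymmetricBinding>
    </wsp:Policy></sp:BootstrapPolicy>
   </wsp:Policy></sp:SecureConversationToken></wsp:Policy></sp:ProtectionToken>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
 <wsp:Policy wsu:Id="Echo_Input_Policy"><wsp:ExactlyOne><wsp:All>
  <sp:EncryptedParts/>
  <sp:SignedParts/>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
 <wsp:Policy wsu:Id="Echo_Output_Policy"><wsp:ExactlyOne><wsp:All>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  <sp:SignedParts><sp:Body/>
   <sp:Header Name="MessageId" Namespace="http://www.w3.org/2005/08/addressing"/>
   <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
  </sp:SignedParts>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
</definitions>"""

if __name__ == "__main__":
    for code, detail in lint(SAMPLE):
        print("%-22s %s" % (code, detail))
```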

Would you please refer to the section of the spec? Shouldn't empty SignedParts/Encry... be our default in generated policies for different security mechanisms in NB?

Just look for the section which describes SignParts and EncryptParts.

Seems guys have some issue in the FI + SecureConversation case for java client/service. I'll try to reproduce it and see if there is a problem.

Hi,
Yes, it has become known that FI w/ ws-security and ws-secureconversation is not functioning. It was verified that the soap message from the wcf service was correctly FI encoded but the Java service has issues decoding it. I have no proof, but I have doubts that even a java client <-> java service using ws-security or ws-secureconversation and FI isn't functioning/implemented. Anyway, a new thread will be started regarding FI.

I actually  just got word that the Java service can decode the FI message correctly but must be the combination w/ security that is causing the problem.

FI /Security problem has been fixed, please verify with latest wsit sources.

Thanks Venu,
I got the latest wsit from here:
https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&expandFolder=5472&folderID=6020
I got the nb plugin from here:
http://websvc.netbeans.org/servlets/ProjectDocumentList?folderID=123&expandFolder=123&folderID=115
I'm using GFv2b22 and I get this error when I try to start the server:

WSSERVLET11: failed to parse runtime descriptor: java.lang.NoSuchMethodError: com.sun.xml.ws.policy.privateutil.PolicyLogger.entering(Ljava/lang/String;[Ljava/lang/Object;)V
java.lang.NoSuchMethodError: com.sun.xml.ws.policy.privateutil.PolicyLogger.entering(Ljava/lang/String;[Ljava/lang/Object;)V
        at com.sun.xml.ws.policy.jaxws.addressing.AddressingModelConfiguratorProvider.configure(AddressingModelConfiguratorProvider.java:67)
        at com.sun.xml.ws.policy.jaxws.WSDLPolicyMapWrapper.configureModel(WSDLPolicyMapWrapper.java:153)

Am I getting the right components?

> I'm using GFv2b22 and I get this error when I try to start the server:
The latest WSIT is being tested with GF v2 b37. I'm not so sure it would still work with b22.
Note that NetBeans 5.5 does not work properly with newer builds of GlassFish v2. You would need a daily build of NetBeans 5.5.1.
> WSSERVLET11: failed to parse runtime descriptor:
> java.lang.NoSuchMethodError:
Looks like the classpath is seriously deranged. If you must use GF b22, please attach the file %AS_HOME%\domains\domain1\config\domain.xml and the output of the command "dir %AS_HOME%\lib".
Fabian

Hi Fabian,
Thanks for the response.
I installed GFv2b37 with the latest wsit: https://jax-ws.dev.java.net/servlets/ProjectDocumentList?folderID=5472&expandFolder=5472&folderID=6020
I'm using NB 5.5.1. I created a simple service with one operation (string operation()) that works great until I use FI on the wcf client. I'm using ws-security (not ws-secureconversation yet) and I get an error on the service:

"SS1922: Error occurred while decoding CipherValue: com.sun.org.apache.xml.internal.security.exceptions.Base64DecodingException: Error while decoding"

Using wsmonitor, it appears fi is being sent across from both ends. I'm assuming I have the wsit build with the security/fi fix? Also the fix was made for ws-security as well as ws-secureconversation, right?

edit: I just discovered that ws-secureconversation (no fi) is no longer working. I get this error on the wcf client:

{"The SecurityContextSecurityToken with context-id=urn:uuid:3427509e-7bc0-486e-bacc-bd47c13e5102 (key generation-id=) is not registered."}

This didn't happen w/ v2b22. I inspect the soap msgs and the SCT w/ that id is being exchanged from both ends. Is there something new on the wcf side that needs to be updated to work w/ the latest GF and/or wsit?

Message was edited by: mulepic

The WSIT build you specified has the previous FI issue fixed. We will investigate this one.
Do you have any additional information on the error? Stacktrace etc...?
Regards.

I just tested secured WS in the configuration you did, but Java <-> Java using FI - it works.
So, I'm afraid, without additional error information from you, it will be difficult to find the problem.
Any logs + stacktraces + wsdl.... could help.

The wsit is attached. Here is my wcf binding:
<binding name="v37SecurityCustomNewWebServicePortBinding">
  <security defaultAlgorithmSuite="TripleDesRsa15" authenticationMode="UserNameForCertificate"
      requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
      keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
      messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      requireSignatureConfirmation="false">
    <localClientSettings cacheCookies="true" detectReplays="true"
        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
        reconnectTransportOnFailure="true" maxPendingSessions="128"
        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
    <secureConversationBootstrap />
  </security>
  <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
      messageVersion="Soap11WSAddressing10" writeEncoding="utf-8">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  </textMessageEncoding>
  <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" allowCookies="false" authenticationSch

