I am trying to access a secured Windows Common Foundation (WCF) web service written on a .NET platform by using a plain Java client and the Metro Web service API (webservices-rt-2.2.0-1).
Using the WSDL of the WCF web service with ant targets, I was able to generate the web service artifacts.
In order to access the WCF web service, I need to insert a SAML2 token into the SOAP request. This SAML2 token is retrieved by accessing a REST service, whose response contains the SAML2 assertion. At the moment I have the token with me as a String object (the entire Assertion XML).
My client code looks something like this:
import java.net.URL;
import javax.xml.namespace.QName;
// MyService is the Service class generated from the WSDL; the QName is the wsdl:service name from WSDL 2
MyService service = new MyService(new URL(wsdlLocation), new QName("http://tempuri.org/", "MyService"));
IMyService port = service.getCustomBindingIMyService();
port.callMyServiceApi();
This code was throwing the following error:
WST0029:STS location could not be obtained from either IssuedToken or from client
Due to this I modified my code to the following:
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.WebServiceFeature;
import com.sun.xml.ws.api.security.trust.client.STSIssuedTokenFeature;
import com.sun.xml.ws.security.trust.impl.client.DefaultSTSIssuedTokenConfiguration;
MyService service = new MyService(new URL(wsdlLocation), new QName("http://tempuri.org/", "MyService"));
// Tell Metro where the STS is (endpoint and its WSDL) and which service/port/namespace the issued token is for
DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration(stsEndpointAddress, wsdl, "MyService", "CustomBinding_IMyService", "http://tempuri.org/");
STSIssuedTokenFeature feature = new STSIssuedTokenFeature(config);
IMyService port = service.getCustomBindingIMyService(new WebServiceFeature[]{feature});
port.getApiVersion();
With the above, the STS location error went away, but the following error was seen:
Exception in thread "main" javax.xml.ws.WebServiceException: java.lang.NullPointerException
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:250)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
at com.sun.xml.ws.client.Stub.process(Stub.java:429)
at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
at $Proxy44.getApiVersion(Unknown Source)
at TnTActionsClient.callTnT(TnTActionsClient.java:426)
at TnTActionsClient.main(TnTActionsClient.java:447)
Caused by: java.lang.NullPointerException
at com.sun.xml.ws.security.trust.impl.WSTrustClientContractImpl.setLifetime(WSTrustClientContractImpl.java:215)
at com.sun.xml.ws.security.trust.impl.WSTrustClientContractImpl.handleRSTR(WSTrustClientContractImpl.java:145)
at com.sun.xml.ws.security.trust.impl.TrustPluginImpl.process(TrustPluginImpl.java:177)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.getIssuedTokenContext(STSIssuedTokenProviderImpl.java:144)
at com.sun.xml.ws.security.trust.impl.client.STSIssuedTokenProviderImpl.issue(STSIssuedTokenProviderImpl.java:74)
at com.sun.xml.ws.api.security.trust.client.IssuedTokenManager.getIssuedToken(IssuedTokenManager.java:83)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.invokeTrustPlugin(SecurityClientTube.java:685)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processClientRequestPacket(SecurityClientTube.java:281)
at com.sun.xml.wss.jaxws.impl.SecurityClientTube.processRequest(SecurityClientTube.java:247)
... 12 more
I have turned on logging of the SOAP messages and, on checking the request, I see that no security-related info is going into the request. A failure response is being returned from the web service endpoint indicating that invalid security is present in the request.
I am wondering:
1. Am I on the right track with my client so far?
2. What is the best way to call my REST service and parse the response for the SAML2 token?
3. How do I set the SAML2 token from step 2 into my web service call?
As per the implementers of the WCF web service, they are using WS-Security and not Federated security. The SAML2 token received looks something like this:
<wsse:Security soap:mustUnderstand="true"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<Assertion ID="_909088b3-d972-4b6f-84b1-26301c1c3b69"
IssueInstant="2012-10-16T12:32:44.293Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>xyz:appl:identity</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_909088b3-d972-4b6f-84b1-26301c1c3b69">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>some_value_here</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>sig_here</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>certHere</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<NameID
Format="http://schemas.xyz.com/2009/09/Identity/Format/Idm/InsightUserName">user222</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" />
</Subject>
<Conditions NotBefore="2012-10-16T12:32:44.293Z"
NotOnOrAfter="2022-01-01T12:00:00.000Z">
<AudienceRestriction>
<Audience>uri:samlclient.xyzbadal.com</Audience>
</AudienceRestriction>
</Conditions>
<AttributeStatement>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>user222</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<AttributeValue>user222</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<AttributeValue>[email protected]</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/CustomerId">
<AttributeValue>11209</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/InsightUserId">
<AttributeValue>1</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/NameIdFormat">
<AttributeValue>http://schemas.xyz.com/2009/09/Identity/Format/Idm/InsightUserName</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasProfile">
<AttributeValue>True</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/Password">
<AttributeValue>test1</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasPassword">
<AttributeValue>True</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/LocaleName">
<AttributeValue>en-US</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/HasCredential">
<AttributeValue>false</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/InternalReferenceId">
<AttributeValue>user222</AttributeValue>
</Attribute>
<Attribute
Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<AttributeValue>CustomiseUI</AttributeValue>
<AttributeValue>EditConfiguration</AttributeValue>
...
</Attribute>
<Attribute
Name="http://schemas.xyz.com/2009/09/Identity/Claims/ProfileUrl">
<AttributeValue>https://identity.com/able/</AttributeValue>
</Attribute>
</AttributeStatement>
<AuthnStatement AuthnInstant="2012-10-16T12:32:44.000Z"
SessionNotOnOrAfter="2022-01-01T12:00:00.000Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</wsse:Security>
I have been given a couple of WSDL files. Snippets are pasted below.
WSDL 1:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions targetNamespace="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<wsdl:types>
<xsd:schema targetNamespace="http://schemas.xyz.com/TrackMe/2010/06/Imports">
<xsd:import schemaLocation="TrackMe.xsd" namespace="http://schemas.xyz.com/TrackMe/2010/06/"/>
<xsd:import schemaLocation="TrackMe_1_2_3_4.xsd" namespace="http://schemas.xyz.com/shs/api"/>
<xsd:import schemaLocation="TrackMe_1_2.xsd" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
<xsd:import schemaLocation="TrackMe_1.xsd" namespace="http://schemas.xyz.com/TrackMe/2010/06/Data"/>
<xsd:import schemaLocation="TrackMe_1_2_3_4_5.xsd" namespace="http://schemas.datacontract.org/2004/07/xyz.Validation"/>
<xsd:import schemaLocation="TrackMe_1_2_3.xsd" namespace="http://schemas.datacontract.org/2004/07/xyz.TrackMe.PublicApiService.Contract"/>
</xsd:schema>
</wsdl:types>
<wsdl:message name="IMyService_GetApiVersion_InputMessage">
<wsdl:part name="parameters" element="tns:GetApiVersion"/>
</wsdl:message>
<wsdl:message name="IMyService_GetApiVersion_OutputMessage">
<wsdl:part name="parameters" element="tns:GetApiVersionResponse"/>
</wsdl:message>
<wsdl:message name="IMyService_GetApiVersion_FaultDetailFault_FaultMessage">
<wsdl:part name="detail" element="q2:Fault" xmlns:q2="http://schemas.xyz.com/shs/api"/>
</wsdl:message>
....
<wsdl:operation name="GetApiVersion">
<wsdl:input wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersion" message="tns:IMyService_GetApiVersion_InputMessage"/>
<wsdl:output wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersionResponse" message="tns:IMyService_GetApiVersion_OutputMessage"/>
<wsdl:fault wsaw:Action="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersionFaultDetailFault" name="FaultDetailFault" message="tns:IMyService_GetApiVersion_FaultDetailFault_FaultMessage"/>
</wsdl:operation>
...
</wsdl:portType>
</wsdl:definitions>
WSDL 2:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="MyService" targetNamespace="http://tempuri.org/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://tempuri.org/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:i0="http://schemas.xyz.com/TrackMe/2010/06/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<wsp:Policy wsu:Id="CustomBinding_IMyService_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy/>
</sp:Wss11>
<sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:import namespace="http://schemas.xyz.com/TrackMe/2010/06/" location="TrackMe.wsdl"/>
<wsdl:types/>
<wsdl:binding name="CustomBinding_IMyService" type="i0:IMyService">
<wsp:PolicyReference URI="#CustomBinding_IMyService_policy"/>
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
...
<wsdl:operation name="GetApiVersion">
<soap12:operation soapAction="http://schemas.xyz.com/TrackMe/2010/06/IMyService/GetApiVersion" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
<wsdl:fault name="FaultDetailFault">
<soap12:fault name="FaultDetailFault" use="literal"/>
</wsdl:fault>
</wsdl:operation>
....
</wsdl:binding>
<wsdl:service name="MyService">
<wsdl:port name="CustomBinding_IMyService" binding="tns:CustomBinding_IMyService">
<soap12:address location="https://apidev2.devel.abc.com/tnt/public_api/TrackMe.svc"/>
<wsa10:EndpointReference>
<wsa10:Address>https://apidev2.devel.abc.com/tnt/public_api/TrackMe.svc</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
If you require any more information, do let me know. Would appreciate any help on this. Thanks in advance! Carl.