Calling WCF secured service from Java

2010/03/09

tags: ,
2 comments

Calling WCF secured service from Java

 1267819196_competitors

recently I was working on exposing secured WCF service

to Java consumers.

I was responsible for the .NET side and a java expert named Tsvika

responsible for the Java side.

 

enabling secured conversation between Java and .NET using WCF is not a trivial task,

and it does needed some additional steps.

you should have certificate install, and having the binding and behaviors configured

in a way that the Java proxy can manage.

 

Certificates

the first step needed is having a valid certificate.

the certificate should be installed into the service’s hosting machine.

you can learn more on how to handle the certificates in here.

 

Service configuration
Binding

the secure binding should look as follow

Code Snippet
  1. <wsHttpBinding>
  2.   <binding name="UsernameAndPassword">
  3.     <security mode="Message">
  4.       <message clientCredentialType="UserName"
  5.                negotiateServiceCredential="false"
  6.                establishSecurityContext="false"
  7.                algorithmSuite="Basic128"/>
  8.     </security>
  9.   </binding>
  10. </wsHttpBinding>

line 3, the binding mode should be Message

line 4, the client certificate type should be UserName.

line 5, the negotiation service credentials must switch off.

line 6, the establish security context should also turn off.

 

Behaviors

use the following behaviors

Code Snippet
  1. <serviceBehaviors>
  2.   <behavior name="Bnaya.Samples.UsernameAndPassword">
  3.     <serviceMetadata httpGetEnabled="true" policyVersion="Default" />
  4.     <serviceCredentials>
  5.       <serviceCertificate findValue="RPKey" storeLocation="LocalMachine"
  6.         storeName="TrustedPeople" x509FindType="FindBySubjectName" />
  7.       <userNameAuthentication userNamePasswordValidationMode="Custom"
  8.         customUserNamePasswordValidatorType="Bnaya.Samples.MyUserNameValidator, WcfSecureed" />
  9.     </serviceCredentials>
  10.   </behavior>
  11. </serviceBehaviors>

lines 5-6, define which certificate should use for the service (RPKey is the name of the certificate).

in case of service hosting it is more reasonable to install the certificate on the machine level (instead of the user level) .

lines 7-8, define the authentication handler (as you can see in the following snippet).

Code Snippet
  1. public sealed class MyUserNameValidator : UserNamePasswordValidator
  2. {
  3.     public override void Validate(string userName, string password)
  4.     {
  5.         if (userName != "admin" || password !="admin")
  6.             throw new SecurityException("Access denied.");
  7.     }
  8. }

the validate method is where your authentication code goes.

 

End point

nothing is special about the definition of the service section

Code Snippet
  1.    <service name="Bnaya.Samples.Service1" behaviorConfiguration="Bnaya.Samples.UsernameAndPassword">
  2.      <host>
  3.        <baseAddresses>
  4.             <add baseAddress="http://localhost:8731/Service1/"/>
  5.        </baseAddresses>
  6.      </host>
  7.      <endpoint address="" binding="wsHttpBinding" contract="Bnaya.Samples.IService1"
  8.                bindingConfiguration="UsernameAndPassword">
  9.        <identity>
  10.          <dns value="localhost"/>
  11.        </identity>
  12.      </endpoint>
  13.    </service>

small tip: replace the localhost with the correct IP so when the Java proxy is generated,

the endpoint will be correct.

 

Java

java has several libraries that can invoke WCF, unfortunately not all of them

has good implementation for the WCF secured conversation.

the library that do working fine with secured conversation is Sun: Metro Web Services

and more precisely you should use WSIT.

 

do not waste your time on Axis2 / Rampart it is only half backed in compare to the Sun library.

 

Summary

this task is not travel, but with the right library and java expert like Yaakov,

it is certainly feasible.

 

תגים של Technorati:‏ ,


Add comment
facebook linkedin twitter email

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

*

2 comments

  1. zvika2010/03/10 ב 19:30

    מה המשמעות של

    <dns value=”localhost”/>

    כלומר מאיפה בה הערך :

    localhost

    Reply
  2. bnaya2010/03/11 ב 09:50

    you can ignore it in this case because we using certificate.

    find more on the following link:
    http://msdn.microsoft.com/en-us/library/ms733130.aspx

    Reply