Re: WSE 3: SOAP faults not being returned correctly from service.
- From: J. Dudgeon <JDudgeon@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Nov 2006 14:25:02 -0800
Here is another example that results in the same outcome. The scenario
occurs when the caller doesn't sign or encrypt the SOAP message, which can
definitely occur, especially when bringing a new client onboard. The SOAP
fault that the sender *should* receive is:
"Microsoft.Web.Services3.Security.SecurityFault: Security requirements are
not satisfied because the security header is not present in the incoming
message."
but instead WSE chokes when trying to retrieve the operation protection
requirements from the operation state. The client gets the following SOAP
fault instead because of this:
"An error occurred processing an outgoing fault response."
I've provided a link to a portion of the output trace file for the scenario
described above.
http://www.ourteacheronline.com/downloads/outputtrace.txt
Going by the trace it looks like the error is generated in the base class
SecureConversationServiceSendSecurityFilter.SecureMessage(SoapEnvelope,
Security) : Void.
Thank you again,
Joel
"Pablo Cibraro [MVP]" wrote:
Yes, you are completely right regarding the encryption issue, sorry about
that. The client token is not used to sign any message
WSE should only use the client token to encrypt the response message (Using
an encrypted key).
If the <fault> protection element is configured not to encrypt SOAP faults,
as you said, it should not fail. We both are missing something :), I think
I should take a look the assertion in order to find out what is really
happening behind doors.
Pablo.
"J. Dudgeon" <JDudgeon@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:862D117A-2835-46BE-A2B3-60DB6FF8D699@xxxxxxxxxxxxxxxx
Note: We are using WS-Security 1.0 / mutualCertificate10Security
My understanding is that the <EncryptedKey> element contains a symmetric
key
encrypted with the public key of the destination. This allows the
destination to use its private key so that it can decrypt the
<CipherValue>
block to get the symmetric key for decrypting the SOAP body. The signed
portions of the SOAP message are done using the sender's private key.
When
WSE receives a request, it stores the client token so that, when it sends
the
response, it can use that token's public key to encrypt the outgoing
message.
I didn't think WSE used the client token to *sign* the response message.
Therefore, with regards to (1) & (3), when sending a response, doesn't the
service *sign* the response message using the service's private key? The
service's private key should be available. Since I've configured the
<fault>
protection element to not encrypt the SOAP fault response, there should be
no
need for a client token.
If this was a SOAP response and not a SOAP fault, I would agree that WSE
would be confused as to which client token to use to *encrypt* the
response,
because it wouldn't know which of the client's public keys to use. But
the
service is failing to send a fault, not a "response".
This leads me back to my problem. If the <fault> protection element is
configured not to encrypt SOAP faults, why does WSE look for a client
token
to encrypt the response? To my understanding, the signature of the SOAP
fault should be generated using service's private key, which should always
be
available. Perhaps I am missing something...
Hopefully that makes sense. Thanks for the continuing the discussion.
Joel
.
- References:
- WSE 3: SOAP faults not being returned correctly from service.
- From: J. Dudgeon
- Re: WSE 3: SOAP faults not being returned correctly from service.
- From: Pablo Cibraro [MVP]
- Re: WSE 3: SOAP faults not being returned correctly from service.
- From: J. Dudgeon
- Re: WSE 3: SOAP faults not being returned correctly from service.
- From: Pablo Cibraro [MVP]
- Re: WSE 3: SOAP faults not being returned correctly from service.
- From: Pablo Cibraro [MVP]
- WSE 3: SOAP faults not being returned correctly from service.
- Prev by Date: Re: WSE 3: SOAP faults not being returned correctly from service.
- Next by Date: Re: consume wse 3.0 .net service from java wss4j
- Previous by thread: Re: WSE 3: SOAP faults not being returned correctly from service.
- Next by thread: WSE 2.0 with X509 Certs
- Index(es):
Relevant Pages
|
Loading
