Pablo,
See inline ...
Pablo Cibraro wrote:
I finally could make some progress in the interop tests with the Active STS. I
used the following configuration,
1. Trader client application (Metro)
2. Passive STS (Metro)
3. Active STS (.NET)
4. Business Service (Metro)
Unfortunately, I found a blocking issue that I think it is hard to fix (at
least in WCF). The namespace used by metro for the ActAs element is different
from the namespace used by WCF.
Metro,
<wst:ActAs xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>
.NET (WCF)
<tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802";>
There was some ambiguity for the namespace to be used with ActAs. The
WS-Trust 1.4 spec and schema specified differently.
This issue has been clarified recently in the ws-sx TC. So that we have
updated Metro to use "http://docs.oasis-open.org/ws-sx/ws-trust/200802";.
Can you try with latest Metro nightly?
https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314
It is more close to the one to be released.
I will get back to the other issues below shortly.
Thanks!
Jiandong
Besides that issue with the WS-Trust message, these are my findings for this
scenario,
1. The active STS in metro is using an username token for authenticating
the client application (trader web client). .NET is using a client certificate
for that purpose (BSL.Com), and I think it is the correct mechanism. I
basically changed the .NET Active STS and trader client implementation to use
username tokens.
2. The wsit-client.xml for the trader client application in metro looks
as follow,
<tc:PreconfiguredSTS
xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client";
endpoint=http://localhost:9001/tradeactivests (.NET)
wsdlLocation=http://apps.stonehenge.com:1316/active_sts/ActiveSTS?wsdl (WSDL in
METRO)
serviceName="SecurityTokenService"
portName="ISecurityTokenService_Port"
namespace="http://tempuri.org/";
shareToken="true">
</tc:PreconfiguredSTS>
I could not make it work against the .NET Active STS Wsdl. For
some reasons, all the requests with that WSDL are not protected with
WS-Security. I updated all the bindings and ports in the .NET to use
ISecurityTokenService and http://tempuri.org as namespace, but that does not
work.
3. Metro was using derived keys and basic 128 as algorithm suite. WCF was
throwing a weird parsing error exceptions for the derived keys (this option was
enabled in the WCF bindings too), so I disable that feature in metro and .NET.
"Cannot read the token from the 'DerivedKeyToken' element with the
'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512' namespace for
BinarySecretSecurityToken, with a '' ValueType. If this element is expected to be valid,
ensure that security is configured to consume tokens with the name, namespace and value
type specified."
Regards,
Pablo.
