WCF Oracle Application Server WS-Security Interoperability Part 2: from Oracle to WCF

By Jesus Rodriguez

This article is part of a series intended to explore interesting Web services interoperability scenarios between Microsoft .NET technologies and Oracle Application Server. The first two articles of this series explored interoperability scenarios (WS-Security interoperability and WS-Addressing interoperability) between Oracle Business Process Execution Language (BPEL) Process Manager (PM) and the Microsoft Web Services Enhancements (WSE) and Windows Communication Foundation (WCF) platforms.

The articles that compose this series are intended to illustrate the techniques, architecture and design strategies that address some of the most common Web services interoperability scenarios between Oracle App Server and Microsoft Web services platforms. In particular, this article focuses on how to implement the Anonymous over Certificate WS-Security scenario between Oracle App Server and Microsoft WCF.

In the first part of this article we implemented the Anonymous over Certificate scenario with an Oracle App Server Web service and a WCF client. In this article we complement that scenario by implementing an Oracle App Server client that consumes a WCF service. A complete description of the scenario can be found in my previous post.

The implementation: From Oracle App Server to WCF.

WCF Service

The WCF service for this example implements a simple mathematical operation as illustrated in the following code.

[ServiceContract()]
[XmlSerializerFormat()]
public interface IMyService
{
    [OperationContract]
    int Add(int param1, int param2);
}

public class MyService : IMyService
{
    public int Add(int param1, int param2)
    {
        return param1 + param2;
    }
}

In order to implement Anonymous over Certificate in a WCF service we need to create a binding configuration that uses message security and does not require any user credentials for authentication. Given that Oracle App Server does not implement WS-Trust, we also need to turn off the WS-Trust behaviors that WCF enables by default: service credential negotiation (negotiateServiceCredential) and the secure conversation session (establishSecurityContext), as discussed in the first part of this article.

<configuration>
  <system.serviceModel>
    <services>
      <service name="MyService" behaviorConfiguration="MathServiceBehavior">
        <endpoint contract="IMyService" binding="wsHttpBinding" bindingConfiguration="mybinding"/>
      </service>
    </services>

    <bindings>
      <wsHttpBinding>
        <binding name="mybinding">
          <security mode="Message">
            <message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="false"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior name="MathServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceCredentials>
            <serviceCertificate findValue="mycert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          </serviceCredentials>
          <serviceDebug includeExceptionDetailInFaults="False" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

  <system.web>
    <compilation debug="true"/>
  </system.web>
</configuration>

These are all the steps required to implement Anonymous over Certificate in a WCF service with a high degree of interoperability with a J2EE client. Let's now look at how to implement an Oracle application client that consumes this WCF service.

Oracle Client

In order to consume the WCF service we need to generate a Web service proxy. Typically, this is done using the standard Web Service Proxy project template in JDeveloper. Another required step is to import the required certificates into an Oracle-compatible certificate store. To find out more about managing Oracle certificate stores, read Administering Web Services Security in the Oracle App Server documentation.

After implementing the above preliminary steps, we can create a typical Oracle client application that looks like the following:

public class ClientApp {

    public ClientApp() {
    }

    public void Test() {
        try {
            // Proxy generated by JDeveloper from the WCF service WSDL
            WSHttpBinding_IMyServiceClient proxy = new WSHttpBinding_IMyServiceClient();
            int i = proxy.add(34, 57);
            System.out.println("Result: " + i);
        } catch (Exception ex) {
            // Surface signature, encryption or transport failures instead of swallowing them
            ex.printStackTrace();
        }
    }

    public static void main(String[] args) {
        ClientApp clientApp = new ClientApp();
        clientApp.Test();
    }
}

Next, you configure the WS-Security settings for the WCF service proxy. This can be done using the Secure Proxy option on the generated proxy.

Figure 1: JDeveloper Secure Proxy configuration wizard

After completing the wizard the configuration security settings file should look similar to the following:

<oracle-webservice-clients xsi:noNamespaceSchemaLocation="META-INF/oracle-webservices-client-10_0.xsd"
                           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <webservice-client>
    <service-qname namespaceURI="http://tempuri.org/" localpart="MyService"/>
    <port-info>
      <wsdl-port namespaceURI="http://tempuri.org/" localpart="WSHttpBinding_IMyService"/>
      <runtime enabled="security">
        <security>
          <key-store name="" store-pass="test123" path="C:\Oracle\companionCDHome_2\jre\1.4.2\bin\test2.jks"/>
          <signature-key key-pass="test123" alias="myca"/>
          <encryption-key key-pass="test123" alias="myencca"/>
          <inbound>
            <verify-signature>
              <signature-methods>
                <signature-method>DSA-SHA1</signature-method>
                <signature-method>RSA-MD5</signature-method>
                <signature-method>RSA-SHA1</signature-method>
              </signature-methods>
              <tbs-elements>
                <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
              </tbs-elements>
              <verify-timestamp created="true" expiry="28800"/>
            </verify-signature>
            <decrypt>
              <encryption-methods>
                <encryption-method>AES-128</encryption-method>
                <encryption-method>AES-256</encryption-method>
                <encryption-method>3DES</encryption-method>
              </encryption-methods>
              <tbe-elements>
                <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
              </tbe-elements>
            </decrypt>
          </inbound>
          <outbound>
            <signature>
              <signature-method>RSA-SHA1</signature-method>
              <tbs-elements>
                <tbs-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
              </tbs-elements>
              <add-timestamp created="true" expiry="28800"/>
            </signature>
            <encrypt>
              <recipient-key alias="wcfcert"/>
              <encryption-method>3DES</encryption-method>
              <tbe-elements>
                <tbe-element local-part="Body" name-space="http://schemas.xmlsoap.org/soap/envelope/"/>
              </tbe-elements>
            </encrypt>
          </outbound>
        </security>
      </runtime>
      <operations>
        <operation name="add"/>
      </operations>
    </port-info>
  </webservice-client>
</oracle-webservice-clients>

As the security section of the descriptor shows, this client does not provide any credentials for authentication; it signs the outbound Body with its own key (alias myca) and encrypts it to the WCF service certificate (alias wcfcert), and it expects the response to be signed and encrypted in turn. Because the WCF service does not perform any WS-Trust key negotiation (we disabled it in the binding configuration), this client is able to invoke the WCF service described in the previous section without any WS-Trust exchange. The messages produced by the interaction between the Oracle client and the WCF service are WS-Security 2004-01 compatible messages.
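As an added example (not part of the article or of either product), the following Python script lints a client descriptor of the kind shown above for the settings a reviewer would question before deploying it: RSA-MD5 accepted for inbound signatures, 3DES allowed in either direction, the eight-hour timestamp window, and the clear-text keystore password. The trimmed sample descriptor and the 5-minute freshness threshold are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed copy of the article's client security section.
SAMPLE_CONFIG = """<oracle-webservice-clients><webservice-client><port-info>
 <runtime enabled="security"><security>
  <key-store name="" store-pass="test123" path="C:/test2.jks"/>
  <inbound>
   <verify-signature>
    <signature-methods><signature-method>DSA-SHA1</signature-method>
     <signature-method>RSA-MD5</signature-method>
     <signature-method>RSA-SHA1</signature-method></signature-methods>
    <verify-timestamp created="true" expiry="28800"/>
   </verify-signature>
   <decrypt><encryption-methods><encryption-method>AES-128</encryption-method>
     <encryption-method>3DES</encryption-method></encryption-methods></decrypt>
  </inbound>
  <outbound>
   <signature><signature-method>RSA-SHA1</signature-method>
    <add-timestamp created="true" expiry="28800"/></signature>
   <encrypt><recipient-key alias="wcfcert"/>
    <encryption-method>3DES</encryption-method></encrypt>
  </outbound>
 </security></runtime></port-info></webservice-client></oracle-webservice-clients>"""

WEAK_SIGNATURE = {"RSA-MD5"}    # MD5-based signatures are collision-prone
WEAK_ENCRYPTION = {"3DES"}      # 64-bit block cipher, deprecated
MAX_TIMESTAMP_SECONDS = 300     # assumption: 5-minute freshness window


def lint_client_security(xml_text):
    """Return findings for the <security> section of an Oracle WS client descriptor."""
    sec = ET.fromstring(xml_text).find(".//security")
    findings = []
    # Inbound: every accepted algorithm is attack surface, even ones WCF never emits
    for m in sec.findall("./inbound/verify-signature/signature-methods/signature-method"):
        if m.text in WEAK_SIGNATURE:
            findings.append("inbound accepts weak signature method " + m.text)
    # Both directions: a weak cipher in either list is a downgrade opportunity
    for m in sec.findall(".//encryption-method"):
        if m.text in WEAK_ENCRYPTION:
            findings.append("weak encryption method allowed: " + m.text)
    # Long timestamp validity widens the replay window on both sides
    for ts in sec.findall(".//verify-timestamp") + sec.findall(".//add-timestamp"):
        if int(ts.get("expiry", "0")) > MAX_TIMESTAMP_SECONDS:
            findings.append(ts.tag + " expiry " + ts.get("expiry") + "s exceeds freshness window")
    # Keystore password in the descriptor: whoever reads the file gets the signing key
    ks = sec.find("key-store")
    if ks is not None and ks.get("store-pass"):
        findings.append("keystore password stored in clear text in the client descriptor")
    return findings
```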

Conclusion

These two articles have explained the techniques used to implement the Anonymous over Certificate WS-Security scenario between WCF and Oracle Application Server. Specifically, this article complemented the first part explaining how to invoke a WCF Service that implements Anonymous over Certificate from Oracle App Server.
