This week's book giveaway is in the OO, Patterns, UML and Refactoring forum. We're giving away four copies of Refactoring for Software Design Smells: Managing Technical Debt and have Girish Suryanarayana, Ganesh Samarthyam & Tushar Sharma on-line! See this thread for details.
hi all, this may not be the right place to ask this question, but i believe a java web service developer must have done this. i've a web service written in java. i'm testing its interoperability with .Net. i'm able to sign, verify signature and encrypt using a .Net client. the only point where i'm stuck is decrypting a soap response using .Net client. i'm not finding any code sample for this on google. also don't have much knowledge of .Net APIs the MSDN topic for decryption is for web service part not for client part please provide me some link or pointer if some one has done this earlier. i'll be extremely helpful.
The write ups suggest that decryption happens automatically on the client side as long as the "base class that the proxy class derives from is Microsoft.Web.Services2.WebServicesClientProtocol". Code (or a policy) only needs to be added to require that the contents is encrypted.
Provided all the username/password/tokens have been configured correctly (the client would need the private key token for decryption) the response message might look just different enough for the automatic decryption not to fire.
If this was my problem - I'd set up a simple service-client pair, both implemented in .NET, first very plain, adding encryption later (but no SSL/TLS). Once that works I would take a snapshot of the SOAP messages that are exchanged with something like Apache TCPMon (Tutorial) or java.net tcpmon.
Then I would try to slip in a Java implementation of the same web service. At this point it may work. If it doesn't, take snapshots of the SOAP request and response pairs and compare them to the .NET ones. There may be a difference in the response that is preventing the client from detecting the encrypted content. Once you have identified that difference you may be able to change the Java web service to emit the needed SOAP response. [ May 13, 2008: Message edited by: Peer Reynders ]
Joined: Jan 05, 2007
i tried adding a policy file, but i'm getting the same error i was getting before that.
there must be some way to specify the security token for decrypting a soap response because i'm able to add tokens for signing, signature verification and encryption. but no code sample is available for decryption in a .Net client.
here is my policy file.
here is a part of soap response
i'm using the same token in policy file. [ May 14, 2008: Message edited by: gaurav abbi ]
Joined: Aug 19, 2005
Originally posted by gaurav abbi:
there must be some way to specify the security token for decrypting a soap response because i'm able to add tokens for signing, signature verification and encryption.
I would assume that the certificate has to be registered with the client.
The client would send the public key in the request, the server would encrypt the message with the public key. Then WSE would use the private key associated with the certificate to decrypt the message for you.
The decryption step seems to be happening automagically, .... So, I gather that the encrypted message is including the serial number of the certificate, so that the server can find that certificate in the certificate manager to decrypt the message.
Joined: Jan 05, 2007
hi Peer, there's something wrong with the site. i can't see any of posts for this topic except the previous one posted by me
I am also generating a client in .NET, but I have problems validating the signature of the web service security, could you tell me where did you find the information to do this or post your policy? You have to do your own class to verifya the signature?