I have a problem with custom authentication over https. What I need is a secure channel and authenitcation on message level. I got it working quite well, but my custom validator never gets called when I send a message to the web service using SoapUI. The
service is called, however the Validate method in the custom validator is never called. The validator is available for the runtime, I have checked by misspelling the type in customUserNamePasswordValidatorType which caused an exception saying it could not
find type when I accessed the WSDL.
I believe you hosted your web application on IIS, in this case, the basic authentication is handled by IIS, and customUsernamePasswordValidator never get called.
A solution is to use TransportWithMessageCredential security, and set message credential to "UserName".
Thanks,
Thanks,
Mog Liang
Microsoft Online Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
Marked as answer by gekka on Jan 21, 2011 02:17 PM
I tried changing security mode to TransportWithMessageCredential and keeping the message credential type as UserName, but this time I get the below SOAP error:
An error occurred when verifying security for the message.
And the trace gives me:
Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for
security and the client is not using security.
This happens when I use SoapUI and include username and password in my message. If I consume the web service from a WCF application, I get the same result. I also tried to disable Basic Authentication in IIS7, but still the same errors described above. I
am using a self-signed certificate for SSL, could this maybe be a problem? The certificate is valid though..
gekka
Member
6 Points
4 Posts
Custom UserNamePasswordValidator never called
Jan 19, 2011 02:12 PM|LINK
Hi,
I have a problem with custom authentication over https. What I need is a secure channel and authenitcation on message level. I got it working quite well, but my custom validator never gets called when I send a message to the web service using SoapUI. The service is called, however the Validate method in the custom validator is never called. The validator is available for the runtime, I have checked by misspelling the type in customUserNamePasswordValidatorType which caused an exception saying it could not find type when I accessed the WSDL.
Here's my config:
<system.serviceModel> <bindings> <wsHttpBinding> <binding name="SalesAppBinding"> <security mode="Transport"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" negotiateServiceCredential="true" establishSecurityContext="false"/> </security> </binding> </wsHttpBinding> </bindings> <services> <service behaviorConfiguration="SalesAppBehaviour" name="SalesApp.SalesApp"> <endpoint address="/SalesApp" binding="wsHttpBinding" bindingConfiguration="SalesAppBinding" name="SalesApp" contract="SalesApp.ISalesApp"> </endpoint> <endpoint contract="SalesApp.ISalesApp" binding="mexHttpsBinding" address="mex" /> </service> </services> <behaviors> <serviceBehaviors> <behavior name="SalesAppBehaviour"> <serviceCredentials> <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="SalesApp.Security.SalesAppValidator, SalesApp.Security"/> </serviceCredentials> <serviceMetadata httpsGetEnabled="true" /> <serviceDebug includeExceptionDetailInFaults="true" /> </behavior> </serviceBehaviors> </behaviors> <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> <diagnostics> <messageLogging maxMessagesToLog="30000" logEntireMessage="true" logMessagesAtServiceLevel="false" logMalformedMessages="true" logMessagesAtTransportLevel="true"> <filters> <clear/> </filters> </messageLogging> </diagnostics> </system.serviceModel>Can anyone please help?
Best regards,
Geir Morten Hagen
wfc
Mog Liang - ...
Participant
1402 Points
146 Posts
Re: Custom UserNamePasswordValidator never called
Jan 21, 2011 03:36 AM|LINK
Hi Geir,
I believe you hosted your web application on IIS, in this case, the basic authentication is handled by IIS, and customUsernamePasswordValidator never get called.
A solution is to use TransportWithMessageCredential security, and set message credential to "UserName".
Thanks,
Thanks,
Microsoft Online Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help.
gekka
Member
6 Points
4 Posts
Re: Custom UserNamePasswordValidator never called
Jan 21, 2011 02:36 PM|LINK
Hi and thank you for your answer.
I tried changing security mode to TransportWithMessageCredential and keeping the message credential type as UserName, but this time I get the below SOAP error:
An error occurred when verifying security for the message.
And the trace gives me:
Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.
This happens when I use SoapUI and include username and password in my message. If I consume the web service from a WCF application, I get the same result. I also tried to disable Basic Authentication in IIS7, but still the same errors described above. I am using a self-signed certificate for SSL, could this maybe be a problem? The certificate is valid though..
Any more input would be highly appreciated :)
Best regards,
Geir Morten
gekka
Member
6 Points
4 Posts
Re: Custom UserNamePasswordValidator never called
Jan 21, 2011 02:38 PM|LINK
Nevermind, solved it right now! An issue with SoapUI actually... Is my face red? :D
Anyway, thanks for help :)