Yaron Naveh's Web Services 2.0 Blog

Xml-Crypto: An Xml digital signature library for Node.js

2012-05-20T20:24:00.000+03:00

Get xml-crypto on github

Node.js does not always have the right libraries for Xml operations. When such libraries exist they are not always cross platform (read: work on windows). I've just published xml-crypto, the first xml digital signature library for node. As a bonus this library is written in pure javascript so it is cross platform.

What is Xml Digital signature?
There's a tl;dr version here. The essence is that dig-sig allows to protect content from unauthorized modification by telling us who created that content and if anyone had altered it since. Xml dig-sig is a special flavour which has some interesting implementation aspects.

A typical xml signature looks like this:

Installing Xml-Crypto

Install with npm:

npm install xml-crypto

A pre requisite it to have openssl installed and its /bin to be on the system path. I used version 1.0.1c but it should work on older versions too.

Signing an xml document

Use this code:

The result wil be:

Note:

sig.getSignedXml() returns the original xml document with the signature pushed as the last child of the root node (as above). This assumes you are not signing the root node but only sub node(s) otherwise this is not valid. If you do sign the root node call sig.getSignatureXml() to get just the signature part and sig.getOriginalXmlWithIds() to get the original xml with Id attributes added on relevant elements (required for validation).

Verifying a signed document

You can use any dom parser you want in your code (or none, depending on your usage). This sample uses xmldom so you should install it first:

npm install xmldom

Then run:

Note:

The xml-crypto api requires you to supply it separately the xml signature ("<Signature>...</Signature>", in loadSignature) and the signed xml (in checkSignature). The signed xml may or may not contain the signature in it, but you are still required to supply the signature separately.

Supported Algorithms

The first release always uses the following algorithems:

Exclusive Canonicalization http://www.w3.org/2001/10/xml-exc-c14n#

SHA1 digests http://www.w3.org/2000/09/xmldsig#sha1

RSA-SHA1 signature algorithm http://www.w3.org/2000/09/xmldsig#rsa-sha1

you are able to extend xml-crypto with further algorithms. I will author a post about it soon.

Key formats

You need to use .pem formatted certificates for both signing and validation. If you have pfx x.509 certificates there's an easy way to convert them to pem. I will author a post about this soon.

The code

Get xml-crypto on github

How to fix Wcf cache of dynamic Wsdls

2012-05-05T21:28:00.000+03:00

One of the least used Wcf extension points is IWsdlExportExtension. This extension allows to customize the wsdl document which Wcf emits. Since you rarely want to do that, this extension is not commonly used. When it is already used it is usually in the context of flattening the wsdl. A different use case I have recently seen is to push dynamic content into the wsdl. More specifically a user was trying to generate xsd schemas from a live database table and to put it to the wsdl so clients would always get the latest schema. The Wcf service itself was treating the request as Xml anyway so it did not care for such changes. The requirement was for the wsdl to reflect the latest db changes at any time. Our problem was that once the wsdl was generated for the first time it would not be regenerated. This resulted in a stale schema.

This is how we created the wsdl exporter:

When we run this service and open the wsdl we get this:

When we refresh the wsdl after a few seconds we still get this:

This is not a browser or proxy cache. Wcf does not recreate the wsdl - which can also be seen by putting a breakpoint (which is only called once) on the exporter.

This behavior makes since when you consider the case where there is no importer extension - then the wsdl is generated based on the data contract assembly, and as long as that assembly does not change the wsdl will not also. However we have chose to put dynamic logic in ExportEndpoint method so that default behavior did not work well for us.

One way to fix that is to use a message inspector to update the wsdl before it is sent to the client. In this case IWsdlExportExtension is not required at all. This approach is described here.
An alternative could be to build a Wcf rest endpoint in the same service to act as a proxy to the real wsdl.

Tweets of the week: It's DevOps Borat

2012-05-05T00:07:00.000+03:00

Borat likes DevOps:

Soap / Rest / Wsdl still a hot topic:

Tweets of the week: A Wcf love/hate thing

2012-04-27T18:49:00.000+03:00

Since I opened my twitter account I've seen a few ~~witty fights~~ insights on web services, so here I share them. If you stumble upon anything worth to get into my next list let me know.

Soap vs. Rest reloaded?

Wcf love/hate thing:

Asp.Net Web API to the rescue:

Wsdl confessions:

If you see anything worth to put in my next list let me know.

Declaratively ignoring must understand headers

2012-04-27T00:01:00.000+03:00

A soap header may specify a "must understand" flag. This instructs any processing node to throw an exception if this header is not understood by it. Such a behavior is sometimes useful and sometimes very annoying, depending on the circumstances. Let's see how such header looks like in soap:

By default a Wcf service will validate all incoming mustUnderstand headers a client sends. If it does not understand them it will throw the famous 'Did not understand "MustUnderstand" header' exception. Typically you would instruct Wcf not to validate these headers like this:

But this kind of "hard codes" this behavior to the service. Wouldn't it be nice to decide at the configuration level if we want such a behavior or not?

All we need to do is define this class:

Then in the config register it:

And we can now configure our endpoint(s) with this behavior:

When EnableUnsecuredRespose requires an unsecured response

2012-04-25T20:38:00.000+03:00

A few weeks ago I had to call a legacy wse2 service from a Wcf client. The service behavior was:

Request must be encrypted and signed at the message level

Request must contain a timestamp inside the security header

Response is neither encrypted nor signed

Response nevertheless contains a timestamp inside a security header

You might think that dismissing the signature requirement from the response would do good for interoperability - after all this is less work. However this time less was more. Turns out that Wcf loves symmetry and does not encourage messages in one direction to be signed and in the other direction to be clear. But hey! This complaint is so WCF 3.5. In 4.0 we got the goodie of EnableUnsecuredResponse:

When this setting is on Wcf should be ok with an unsigned response. But in my case even with this flag I was still getting this error:

The security header element ‘timestamp’ with ‘Timestamp-xxxx’ id must be signed.

As you remember the service returns an unsigned timestamp element. Turns out we have this chain of rules:

request contains a timestamp and has some signature requirement -->
the timestamp is always signed (even if we do not wish that) -->
the response must contain a signed timestamp unless EnableUnsecuredRespose in on. In that case timestamp is optional, but if present it must be signed.

So I had to find a way to remove the timestmap from the response. Since the service could not be changed I used my good old friend the custom encoder.

But even after that I got this error:

The 'body', 'http://schemas.xmlsoap.org/soap/envelope/', required message part was not signed.

So WCF was still looking for some ws-security goodies. To solve this I had to remove the security element all together from the response. Here is the snippet I added to the encoder:

Many times removing the security element at all exposes us to some risks like replay attacks or a man in the middle. However here we knew up front that the service does not use any interesting security features in the response so there was no regression.

Conclusion
EnableUnsecuredRespose will allow us not to have a security element in the response even if the request has it. But if the response contains a security element nevertheless, then wcf will take it seriously and if it does not comply with the expected requirements the interaction will fail.

Ws.js - A ws-* implementation for node.js

2012-04-21T21:22:00.000+03:00

(Get Ws.js on github)

Some time ago I introduced Wcf.js - a wcf-inspired client soap stack for node.js. However Wcf.js itself is a small wrapper on top of Ws.js - the ws-* implementation for node.js. You got it right: Your node.js apps can now access your core services using various ws-* standards. No more proxies for "protocol bridging", no more service rewrites.

Get it here.

Here is a quick sample on what we can do with Ws.js:

The above example adds a username token to the soap. The output soap will be:

For detailed usage instructions check it out on github.

Ws.js currently supports:

MTOM

WS-Security (username tokens only)

WS-Addressing (all versions)

HTTP(S)

Coming up next is probably deeper ws-security support including x.509 certificates encryption and signature. Needless to say that any capability added to ws.js will also apply to wcf.js.

Here is the project page on github.

I'm on Twitter: @YaronNaveh

2012-04-15T04:15:00.000+03:00

I just started my twitter account - @YaronNaveh (yeah I'm a late bloomer). I'l be mostly writing about the stuff I love (node.js, wcf, web services) but expect some new stuff too! See you there.

WCF users voice survey

2012-04-08T21:50:00.001+03:00

Carlos shares the WCF UserVoice channel. That's a great chance for all of us to influence the next version of WCF. If you're a WCF user - go vote.

My votes go to open source WCF. Like many of the .Net libraries WCF classes become sealed exactly where I want to change their behavior. This is especially true for all things security. Sometimes it is really important to tweak the way WCF signs a message or handles a signed one but today this requires to implement a very long chain of extensions.

The current predominant features also include support for REST in the routing service and web sockets support on earlier windows versions. So far the traditional request to simplify configuration and bindings is not too visible, possibly because the WCF simplification features have done a great deal here (or because people are more focused on Rest these days).

Wcf to WebSphere interop: ActivityId is not protected

2012-03-30T16:20:00.000+03:00

I recently had to call a secured WebSphere service from a Wcf client. Fine tuning all the settings was challenging so I turned on Wcf tracing. The latter gave me detailed errors which helped me to see where I was wrong. But after fixing everything I knew of, I got this new error:

An element, ActivityId, with nsuri, http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics, is not protected by signing algorithm, sha1, and digest algorithm Rejected by filter; SOAP fault sent

Having no idea where this ActivityId element comes from , I took a quick look at the message my Wcf client was sending:

  <s:Header>
    <ActivityId CorrelationId="db5feb51-ae82-4c1b-bd68-1bdb2d09bbc6" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">f5aada53-669f-46d7-acc5-8d45e437ed86</ActivityId>
  </s:Header>

Where does this ActivityId come from?
Turns out this header is emitted by Wcf when we turn tracing on. Wcf uses this header to color the message as it flows between various layers so it can later show a single view of it.
In my case the WebSphere expected clients to sign all headers. This particular header was not signed (since wcf tracing just adds it as is) so WebSphere complained about a policy violation.
After turning off the Wcf trace settings the integration worked like a charm. So you can say the whole issue was kind of a drug side affect.

Xml stack for node.js that works on windows

2012-03-29T14:00:00.000+02:00

When I developed wcf.js I extensively used xml operations. Finding the right libraries was not an easy task so I thought to share my findings here. My requirements were to use dom style xml parsing and that the whole stack will be multi-platform (read: work on windows). It turned out that there are many libraries that fulfill one of these requirements but it was very hard to find one which fulfills both. Then I wanted to run xpath operations on the dom. And again I needed a library that works on windows and integrates well with the former dom parser.

I started my journey with googling for "node.js xml parser". I immediately found node-xml which is a pure javascript sax parser. Finding other sax parsers was also easy but that was not what I had in mind. I then moved to "node.js xml dom". This actually led me to the main listing of node libraries sorted by category, and I immediately turned to the xml section. I felt like I was drinking from the firehose: Over 15 xml parsers were listed. It was very disappointing to find out that most of them are based on libxml2 which means they will work on windows only via cygwin. That's evil.

xmldom
Just before I started to roll my own xml parser I have found xmldom. Xmldom is a pure javascript implementation of dom (and sax) which makes it fully portable to any environment.

xpath.js
I also needed an xpath engine. Finding one that is cross platform was not an easier task. I have finally found xpath.js. The latter was actually not written as a node.js module (it dates back to 2006) but it was fairly easy to migrate it there. As you can see here, I just added to it this method in the end:

function SelectNodes(doc, xpath)

{
  var parser = new XPathParser();
  var xpath = parser.parse(xpath);
  var context = new XPathContext();
  context.expressionContextNode = doc.documentElement;
  var res = xpath.evaluate(context)
  return res.toArray();
}

exports.SelectNodes = SelectNodes;

Making it all work together
The following sample shows how to parse an xml document and match an xpath on it.
Note you should include the updated xpath.js as part of your project (e.g. in /lib) and the second line in the sample should reference that path. You should also install xmldom using npm install xmldom.

var select = require('./xpath').SelectNodes //the path to xpath.js in your project
  , Dom = require('xmldom').DOMParser

var doc = new Dom().parseFromString('<x><y id="1"></y></x>')
  , res = select(doc, "//*[@id]") //select all nodes that has an "id" attribute

if (res.length==1)
  console.log(res[0].localName); //prints "y"

Wcf and Node.js, better together

2012-02-25T22:53:00.000+02:00

(get wcf.js on github!)

Take a look at the following code:

var binding = new WSHttpBinding(
{ MessageEncoding: "Mtom"
, SecurityMode:"TransportWithMessageCredential"
})
, proxy = new Proxy(binding)

proxy.ClientCredentials.Username.Username = "yaron";
proxy.ClientCredentials.Username.Password = "1234";

proxy.send(message, function(response) {
console.log(response)
});

Do you see anything...um, special? Well c# already has the "var" keyword since version 3.0 so maybe it is some kind of a c#-ish dialect? Or maybe it is a CTP for javascript as a CLR language? Or something related to the azure sdk for node.js?

Not at all. This is a snippet from wcf.js - a pure javascript node.js module that makes wcf and node.js work together!

As node assumes its central place in modern web development, many developers build node apps that must consume downstream wcf services. Now if these services use ~~WCF Web API~~ ASP.NET Web API it is very easy. It is also a breeze if you are in a position to add a basic http binding to the Wcf service, and just a little bit of more work if you plan to employ a wcf router to do the protocol bridging. Wcf.js is a library that aims to provide a pure-javascript development experiece for such scenarios.

Note that building new node.js ws-* based services is a non-goal for this project. Putting aside all the religious wars, Soap is not the "node way", so you should stick to Rest where you'll get good language support (json) and built-in libraries.

"Hello, Wcf... from node"

You are closer than you think to consume your first Wcf service node.js:

1. Create a new wcf web site in VS and call it "Wcf2Node". If you use .Net 4 than BasicHttpBinding is the default, otherwise in web.config replace WsHttp with BasicHttp. No need to deploy, just run the service in VS using F5.

2. Create anywhere a folder for the node side and from the command line enter its root and execute:

$> npm install wcf.js

3. In the same folder create test.js:

var BasicHttpBinding = require('wcf.js').BasicHttpBinding

  , Proxy = require('wcf.js').Proxy

  , binding = new BasicHttpBinding()

  , proxy = new Proxy(binding, "
http://localhost:12/Wcf2Node/Service.svc")

, message = '<Envelope xmlns=' +
'"http://schemas.xmlsoap.org/soap/envelope/">' +
'<Header />' +
'<Body>' +
'<GetData xmlns="http://tempuri.org/">' +
'<value>123</value>' +
'</GetData>' +
'</Body>' +
'</Envelope>'

proxy.send(message, "http://tempuri.org/IService/GetData", function(response, ctx) {

  console.log(response)

});

4. In test.js, change the port 12 (don't ask...) to the port your service runs on.

5. Now we can execute node:

$> node test.js

6. You should now see the output soap on the console.

Of course this sample is not very interesting and you may be better off sending the raw soap using request. Let's see something more interesting. If your service uses ssl + username token (transport with message credential), the config may look like this:

The following modifications to the previous example will allow to consume it from node:

...
binding = new WSHttpBinding(
{ SecurityMode: "TransportWithMessageCredential"
, MessageClientCredentialType: "UserName"
})
...

proxy.ClientCredentials.Username.Username = "yaron";
proxy.ClientCredentials.Username.Password = "1234";
proxy.send(...)

And here is the wire soap:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">

<Header>
<o:Security>
<u:Timestamp>
<u:Created>2012-02-26T11:03:40Z</u:Created>
<u:Expires>2012-02-26T11:08:40Z</u:Expires>
</u:Timestamp>
<o:UsernameToken>
<o:Username>yaron</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">1234</o:Password>
</o:UsernameToken>
</o:Security>
</Header>

<Body>
<EchoString xmlns="http://tempuri.org/">
<s>123</s>
</EchoString>
</Body>

If you use Mtom check out this code:

(The formatting here is a bit strage due to my blog layout - it looks much better in github!)

var CustomBinding = require('wcf.js').CustomBinding

  , MtomMessageEncodingBindingElement = require('wcf.js').MtomMessageEncodingBindingElement

  , HttpTransportBindingElement = require('wcf.js').HttpTransportBindingElement

  , Proxy = require('wcf.js').Proxy

  , fs = require('fs')

  , binding = new CustomBinding(

        [ new MtomMessageEncodingBindingElement({MessageVersion: "Soap12WSAddressing10"}),

        , new HttpTransportBindingElement()

])

  , proxy = new Proxy(binding, "http://localhost:7171/Service/mtom")

, message = '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">' +
'<s:Header />' +
'<s:Body>' +
'<EchoFiles xmlns="http://tempuri.org/">' +
'<value xmlns:a="http://schemas.datacontract.org/2004/07/" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">' +
'<a:File1 />' +
'</value>' +
'</EchoFiles>' +
'</s:Body>' +
'</s:Envelope>'

proxy.addAttachment("//*[local-name(.)='File1']", "me.jpg");

proxy.send(message, "http://tempuri.org/IService/EchoFiles", function(response, ctx) {

  var file = proxy.getAttachment("//*[local-name(.)='File1']")

  fs.writeFileSync("result.jpg", file)     

});

Mtom is a little bit trickier since wcf.js needs to know which nodes are binary. Using simple xpath can help you achieve that.

Getting your hands dirty with Soap
Wcf.js uses soap in its raw format. Code generation of proxies does not resonate well with a dynamic language like javascript. I also assume you are consuming an existing service which already has working clients so you should be able to get a working soap sample. And if you do like some level of abstraction between you and your soap I recommend node-soap, though it still does not integrate with wcf.js.

If you will use raw soap requests and responses you would need a good xml library. And while node has plenty of dom / xpath libraries, they are not windows friendly. My next post will be on a good match here.

Supported standards
Wcf implements many of the ws-* standards and even more via proprietary extensions. The first version of wcf.js supports the following:

MTOM

WS-Security (Username token only)

WS-Addressing (all versions)

HTTP(S)

The supported binding are:

BasicHttpBinding

WSHttpBinding

CustomBinding

What do you want to see next? Let me know.

Get the code
Wcf.js is hosted in GitHub, and everyone is welcome to contribute features and fixes if needed.
Wcf.js is powered by ws.js, the actual standards implementation, which I will introduce in an upcoming post.

I'm an MVP (again!)

2011-07-01T21:58:00.000+03:00

I guess I can skip the traditional email quote by now. I just got the 2011 MVP award in Connected System Developer. Becoming an MVP last year was the beginning of a very interesting year. I'm super exited to get this award for the second time. I'll do my best to justify this recognition.

Binding Box now supprots the Wcf Interop Bindings

2011-06-18T01:03:00.001+03:00

Earlier this week Microsoft had released the Wcf Interop Bindings and VS extension. You can download and try it from here.

Today I am proud to announce that the Wcf Binding Box supports these interoperability bindings.

What is the Wcf Binding Box?
It is an online bindings converter. You give it a binding configuration (e.g. WSHttpBinding) and it returns an equivalent custom binding.

Full explanation is here.

Why do we need it?
Because it's fun :) And also allows to take a working WSHttpBinding and further customize it with settings which it does not directly expose, for example MaxClockSkew.

How the interop bindings relate to this?
Suppose you use the interop bindings to author a Wcf service which WebLogic consumes. You may want to further configure your Wcf service with settings that the WebLogicBinding does not expose. Since the WebLogicBinding internally inherits from WSHttpBinding this is a similar use case to the original purpose of the binding box.

Example

Put this WebSphere binding as the input in the binding box:

and this is the custom binding output:

Check out the binding box here.

Test drive the shiny new Wcf interop bindings

2011-06-14T23:31:00.000+03:00

wcf.codeplex.com is the place where most of the wcf action happens at these days. If you have been following it recently you have seen a lot of activity around Rest and Http. As of yesterday Soap officially joins the codepex party. Microsoft has just released the WCF Express Interop Bindings - a new Visual Studio extension for Soap web services interoperability. If you use Wcf this matters to you!

What did Microsoft release yesterday?

Web services interoperability is always a pain. When security is involved it is usualy more then a casual 'oouch'. Yes, WsHttpBinding has a specific permutation of settings which can interoperate with Oracle web logic. And I know a lot of people who have tried to find that permutation in a brute force manner. Mostly doing this is a waste of time which we prefer to invest in more productive areas.

So here's the idea behind yesterday's shipping: We now have a new binding, WebLogicBinding, which only allow us to configure settings which are interoperable with web logic. So all settings are interoperable! We also have bindings for web sphere, axis2 (wso2) and metro (wsit / glassfigh / tango).
In addition we got a nice wizard on top of Visual Studio's new project dialog which allows us to easily author interoperable services using these bindings.

But don't we already have WS-Policy for interoperability?

WS-Policy helps clients to generate proxies which complies with the service requirements as expressed by the Wsdl. The express bindings solves a prior problem: How to write from the first place a service which a specific client platform can support? Once we write such a service its Wsdl will contain the WS-Policy pixy dust so that the client can auto-configure itself.

Nice... I'll take two!
You can take four: MetroBinding, WebSphereBinding, WebLogicBinding and Wso2InteropBinding.
Take them from here.

Tutorial - WCF and Metro interop

Let's see why web services interoperability just got a whole lot easier.
We'll create a WCF service with mutual x.509 certificates in the message level and consume it with a Metro client.

1. Prepare the environment
You need VS 2010 and the express bindings. After you extract the bindings zip simply execute bin\Microsoft.ServiceModel.Interop.Extension.vsix which will install it on VS.

2. Create a new service

In VS create a new project. Note how the Wcf node now contains a new project type "Express Interop Wcf Service Application":

Choose that project type.

3. Configure the express binding wizard

A few moments after creating the project you will see the wizard.
First choose the platform our clients will use - Metro, this time.

Now we need to configure our security requirements. Choose "mutual certificate" which means both client and server will present an x.509 certificate in the message level. It also implies encryption and digital signature (in this case). To keep it simple we omit the secure conversation.

Next in the advanced settings use the Basic128 algorithm since it is the one Metro supports by default (for Basic256 a patch needs to be applied).

Finally configure the certificate.

I recommend to use this certificate (password: adminadmin):

Now run the service. This is a web site project so it will open the documentation page with the Wsdl link. Make sure to have the Wsdl url handy since we will use it in a moment.

Now we want to configure Metro.

1. Set up the environment

You should have NetBeans 7 (or higher), though NetBeans 6.7 also worked for me.

2. Create a new project of type Java Application:

Any of the default settings are fine:

3. Right click the package in the project view and add a new "web service client":

Now is a good time to paste that Wsdl url:

4. The service reference is now in the project view so right click it and edit the Web Service Attributes (similar to the Wcf configuration... just very different :):

5. This step is a workaround if your NetBeans version ships with Metro 2.0 (which is the case for NetBeans 7). See below how to know if you need it.

We can see that Metro had automatically identified that client and server certificates are required. This was due to the WS-Policy in the Wsdl.

Before we continue we need to do some trick. NetBeans 7 ships with Metro 2.0 which has a bug with certificates. In favor of those who reach this post via a search engine this is the error message:

java.lang.NullPointerException
...
at com.sun.xml.ws.security.impl.policy.CertificateRetriever.digestBST (CertificateRetriever.java:136)

To solve this you need to download Metro 2.1 (or higher). For now just extract it to some folder.

Now as part of this workaround check the "use development defaults" drop down in the quality attributes dialog you opened in step 4. Also approve any message you are prompt with.

Click Ok to close the dialog.

In the project pane expand the libraries node. It should look like this:

This workaround applies to version 2. If you see another version (even smaller) no need for this. What you need to do is delete all the references to Metro jar files (don't delete the jdk though). Instead of them right click the "libraries" node, choose "add jar/folder..." and choose the jar files in metro\bin folder from the metro 2.1 zip you just extracted. Add all jar files in that folder. The libraries node will now look like this:

6. We are now ready to do the actual configuration. Open again the web service quality attribute form as you did in step 4. Uncheck the "use development defaults" check box. Now configure the keystore and trust store. I recommend to use this java key store file:

Open "keystore..." and "Truststore.." each in its turn and do the below.
Set the path to the .jks file you extracted form the certificates file above, set the password to "adminadmin", and click "load alias". The alias for the key store is xws-security-client and for the trust store is xws-security-server.

7. Now we need to write the client code.

Since most of my readers are .Net developers let's see if we can pull this one out without any Java coding at all.

Drag the GetData node from the project pane to the main() method. It should now look like this (depending on the netbeans version):

public static void main(String[] args) {

try { // Call Web Service Operation
     org.tempuri.Service service = new org.tempuri.Service();
     org.tempuri.IService port = service.getMetroBindingIService();
     // TODO initialize WS operation arguments here
     java.lang.Integer value = Integer.valueOf(0);
     // TODO process result here
     java.lang.String result = port.getData(value);
     System.out.println("Result = "+result);
}
catch (Exception ex) {

}

}

if you use Netbeans 7 it will only generate a method so you would need to add code that calls it:

public static void main(String[] args) {
try
{
     String s = getData(2);
     System.out.println("result is" + s);
} catch (Exception ex) {
     System.out.println(ex.getMessage() + ex.getStackTrace().toString());
}
}

private static String getData(java.lang.Integer value) {
   org.tempuri.Service service = new org.tempuri.Service();
   org.tempuri.IService port = service.getMetroBindingIService();
   return port.getData(value);
}
}

7. Now run the application (F6).

Here is the output:

the result is: 2

Web services interoperability was never easier!

Cannot resolve KeyInfo for unwrapping key

2011-05-08T17:44:00.000+03:00

With web services sometimes your client is able to receive a good response from the server but your client will still throw exception due to some policy violation. With wcf / mutual authentication the following error can appear:

Cannot resolve KeyInfo for unwrapping key: KeyInfo 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = X509IssuerSerialKeyIdentifierClause(Issuer = 'CN=MyCert', Serial = '-903515464456238801534567116928')
)
', available tokens 'SecurityTokenResolver
(
TokenCount = 0,
)

This error usually means that the server had digitally signed its response using an unexpected certificate. The expected certificate is the one which the client has configured as the server certificate and have possibly used to encrypt the message with.

So as with many of the security interoperability problems, you should verify that you use the correct certificate on both sides of the wire.

Anyone else having problems with Google Calendar?

2011-05-08T00:56:00.001+03:00

Update (july 11): Fixed!

I'll start by saying that google calendar is a great product which I was happy to use for quite a while. Not any more, it seams. For some reason I intermittently don't get email notifications about scheduled events. I have first noticed that over a year ago and assumed it is a one off glitch. I have then noticed it in many more occasions and since last week I don't get notifications at all.

I mainly use gcal as a "send myself a future email reminder" application. While it does not contain any important appointments, I do have there information about birthdays, random arrangements, sites without rss which I periodically visit etc. And while managing to live without these unsent reminders makes me wonder if I had ever needed them anyway, it is still annoying.

This issue appears in several gcal forum threads, has a special troubleshooting page, and is actually a known issue. The last link says "We're currently investigating reports from users who indicate that they're not receiving email notifications for their events". How many users? What is the current status?

Just out of curiosity - does anyone else experience missing email notifications from google calendar?

Wcf with WS-Addressing March 2004

2011-05-06T22:09:00.000+03:00

Wcf supports two WS-Addressing versions – the August 2004 draft and the actual standard v 1.0. There is another wsa version which is used by some soap stacks (who said wse 2?) – the march 2004 draft. To turn this fact to a more practical problem, you might need to write a wcf client to a (non Wcf) service which expects a request like this:

<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/03/addressing">

<Header>

    <wsa:Action>http://myAction</wsa:Action>
    <wsa:MessageID>uuid:5024616c-d0r2-56h3-bjj7-ab10p89eee63</wsa:MessageID>
    <wsa:ReplyTo>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://server/Calc</wsa:To>
...

(note the bold wsa version – wcf cannot emit it).

One straight forward way to do this with wcf is to push these headers to the soap using a message inspector. But what if you also need to sign the wsa headers with a digital signature?

In this case you need to write a custom behavior which push the wsa headers to the IncomingSignatureParts property. The whole code looks like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;
using System.Xml.Linq;
using MyApplication.ServiceReference1;

namespace MyApplication
{

    public class SignMessageHeaderBehavior : Attribute, IEndpointBehavior
    {

        string action;

        List<XmlQualifiedName> headers;

        public SignMessageHeaderBehavior(List<XmlQualifiedName> headers, string action)
        {

            this.headers = headers;

            this.action = action;

        }

        public void Validate(ServiceEndpoint endpoint)
        {

        }

        public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
        {
            var requirements = bindingParameters.Find<ChannelProtectionRequirements>();

            foreach (var h in headers)
            {
                var part = new MessagePartSpecification(h);
                requirements.IncomingSignatureParts.AddParts(part, action);
            }
        }

        public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)
        {

        }

        public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
        {

            clientRuntime.MessageInspectors.Add(new AddHeaderMessageInspector());

        }

    }

    [DataContract(Namespace="http://schemas.xmlsoap.org/ws/2004/03/addressing")]
    public class ReplyToHeader
    {
        [DataMember]
        public string Address { get; set; }
    }

    public class AddHeaderMessageInspector : IClientMessageInspector
    {

        public object BeforeSendRequest(ref Message request, IClientChannel channel)
        {

            request.Headers.Add(MessageHeader.CreateHeader("Action", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "http://myAction"));
            request.Headers.Add(MessageHeader.CreateHeader("MessageID", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "uuid:5024616c-d0r2-56h3-bjj7-ab10p89eee63"));
            request.Headers.Add(MessageHeader.CreateHeader("ReplyTo", "http://schemas.xmlsoap.org/ws/2004/03/addressing", new ReplyToHeader() { Address = "http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous" }));
            request.Headers.Add(MessageHeader.CreateHeader("To", "http://schemas.xmlsoap.org/ws/2004/03/addressing", "http://server/Calc"));


            return request;

        }

        public void AfterReceiveReply(ref Message reply, object correlationState)
        {

        }

    }

    class Program
    {

        static void Main(string[] args)
        {

            var c = new SimpleServiceSoapClient();

            var headers = new List<XmlQualifiedName>();
            headers.Add(new XmlQualifiedName("Action", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("MessageID", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("ReplyTo", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));
            headers.Add(new XmlQualifiedName("To", "http://schemas.xmlsoap.org/ws/2004/03/addressing"));

           c.Endpoint.Behaviors.Add(
                new SignMessageHeaderBehavior(headers, "http://tempuri.org/EchoString"));

            c.EchoString("123");

        }
    }
}

svcutil.exe with a wsdl on the local disk

2011-04-23T13:57:00.001+03:00

svcutil.exe is a command line to generate wcf proxies from wsdl files (and more).

for example the following command:

$> svcutil http://localhost/MyServices/Service.svc?WSDL

will generate Service.cs which is the proxy you can add to your project.

Sometimes the wsdl file is not on a url but on the local disk. In theory this should work:

$> svcutil c:\services\calc.wsdl

In practice this would work only if the wsdl does not reference other wsdl or xsd files (even if their relative reference is correct). The same would work with "add service reference" in VS so not sure why it fails here. One solution is to explicitly specify all the referenced schema files in the command:

$> svcutil" c:\services\calc.wsdl" "c:\person.xsd c:\units.xsd"

This usually works but requires manual work and is not always desired when a large number of references is used.

An alternative would be to upload the wsdl and the references to a web server and svcutil from there. If you have iis on your dev machine this is actually pretty simple:

1. copy the wsdl root folder to a subfolder under c:\inetpub\wwwroot
2. run

$> svcutil http://localhost/root/calc.wsdl

That's all, no need to specify all files. svcutil works well from url locations. Do not forget to remove the wsdl folder after so your iis folder would stay clean.

...and, we're back!

2011-04-22T22:32:00.001+03:00

This post violates at least 4 of the blogging cliches. Read at your own risk!

You might have noticed I've disappeared for a while. The reason is that I have been practically leaving on an airplane in the last two months beeing over 80 hours in flights.

In early march I have visited Redmond for the MVP global summit. I've met people which so far I've only seen in the cover of their books. I've met some of my favorite bloggers and readers. And even though I'm a Connected Systems MVP I took a picture with the Biztalk MVP's (thanks to leonid who took the photo):

I have then visited customers in many states in the US. I never regretted for taking that extra coat and clothes because some places were damn cold! Still I had a lot of fun, met some super smart people, and also had time to visit beautiful places:

Shortly after I came back home I got my 5th star in the MSDN forums:

I'm very proud for being able to help so many people. I am going to continue and participate in these forums not only because I love to help but also since I learn a lot on the way.

More lessons learned on Windows Azure pricing

2011-02-25T13:58:00.000+02:00

My Bart Simpson's guide to windows Azure has been highly successful. From Twitter to the post comments to my mail box I got a lot of good feedback.

Here are some insights you might want to know:

Extra small instances might not be included in your free Azure account.
David Pallmann was the first to notice that some of the special Azure offers (like the MSDN one) actually have some small letters:

**Extra small compute instances are available in beta and are billed separately from other compute instance sizes.

This practically means you pay for these instances from day 1! Here is my account:

So you should check your account details and determine if extra small instances work for you.

I also recommend you check out David's Hidden Costs in the Cloud series which has some important insights.

Hot news: Azure trial with extra small instances
A few days ago Microsoft has started to offer an introductory offer which includes 750 free monthly hours of x-small instances (until June). Check it out.

Also thanks to David Makogon I've fixed an error in the config sample to configure extra small instances.

Bart Simpson's guide to Windows Azure

2011-02-19T15:17:00.002+02:00

The original name of this post was "a poor developer's guide to windows azure" but then I found the Bart Simpson's Chalkboard Generator:

My Azure story begins back in PDC08 where Microsoft announced a community preview of Windows Azure which includes a free subscription for a limited period. I took advantage of this to develop the Wcf binding box (which btw got some good reviews). A few months after, the preview has ended and my account became read only. I was not too bothered by it as I had other things in mind. A few weeks ago I had a crazy idea to build a wsdl2-->wsdl1 converter. The most natural way to do it was to create an online service. But my azure trial is already in freeze, and I did not want to pay a hosting service just to host a free contribution I make for the community. What could I do? I then remembered that I (and my contest winners) have a special MSDN premium Azure offer. And this is how wsdl2wsdl came to life. Veni, vidi, vici? Oh my...

A few days after going on air I get this email from Microsoft:

Your Windows Azure Platform Usage Estimate - 75% of Base Units Consumed‏

This e-mail notification comes to you as a courtesy to update you on your Windows Azure platform usage. Our records indicate that your subscription has exceeded 75% of the compute hours amount included with your offer for your current billing period. Any hours in excess of the amount included with your offer will be charged at standard rates.

Total Consumed*: 592.000000 Compute Hours
Amount included with your offer: 750 Compute Hours
Amount over (under) your monthly average: -158.000000 Compute Hours

Let's see... I should get 750 compute hours / month, a month has 31 days (a worse case analyses), 750 / 31 > 24 which means I should have more than 24 complimentary compute hours per day. How could they run out so fast?

Bart Simpson's Azure Rule #1:

As a developer, it made too much sense to develop the binding box and wsdl2wsdl in a separate visual studio solutions. This yields two separate azure hosted services:

And this yields two separate bill items per day:

This means I was not paying for 24 compute hours per day, I was paying 24*2!

Now you may say RTFM. But nobody does it. Not when we download some open source library from the web, and not when we upload something in the other direction.

But why did the bill had 4 itmes and not two?

Bart Simpson's Azure Rule #2:

Not only did I had two hosted services online, but I also had two environments for each - staging and deployment. You pay for what you get:

2 services * 2 deployments = 4 * 24 hours a day = 96 hours a day!

Bart Simpson's Azure Rule #3:

I was on my way to a Chapter 11 when I decided to panically press the stop button on my unintended deployments:

However this does not reduce costs:

Suspending your deployment will still result in charges because the compute instances are allocated to you and cannot be allocated to another customer.

Remember: Always delete deployments you do not want to pay for. Suspending / stopping them still results in charges.

Bart Simpson's Azure Rule #4:

For applications with very small needs an extra small instance should be enough. It can save you costs by up to 60%! Configuring it is very easy:

Conclusion

Homer Simpson once said "Trying is the first step towards failure." In my case it was the first step to this blog post and to my first two weeks Azure bill:

I'll end the month on around 50$ which is not too bad for a commercial site. But for a contribution to the community and my fun? Oh my...

Weather you are an independent developer or a Fortune 5000 company - know the Azure pricing model and how your account fits in.

Wcf: Keyset does not exist

2011-02-13T19:20:00.060+02:00

When using X.509 certificates with Wcf the below error may appear:

System.Security.Cryptography.CryptographicException: Keyset does not exist
ArgumentException: The certificate 'CN=MyCert' must have a private key that is capable of key exchange. The process must have access rights for the private key.

95% of the time this means that the certificate which the server/client use either does not have a private key or the Wcf host process does not have permissions to the key.

No private key
This case applies when the certificate is expected to have a private key, e.g. the server private certificate when defined on the server side, and not the server public when defined on the client. To check if the certificate has a private key follow these steps:

1. start-->run-->"mmc"

2. file-->add remove snap in...

3. double click "certificates" in the list

4. Choose "My user account" if the certificate is located in the current user store, or "Computer account" if located on the local machine store. If you are unsure you can repeat the process twice each time with a different choice.

5. click Finish + Ok

6. now expand the tree to the correct store and when you see the certificate double click it. Then check if it has the little key icon on it. If it does not then you did not import it with its private key (or got the wrong cert).

No permissions
Even if the certificate has a private key, it still does not mean all users on the machine have access to it. One common gotcha is to give access to the admin (or logged in user) but forget that IIS usually runs under another user account. This may cause a code to work correctly under an interactive user but to fail under IIS or any windows service. One way to check if this is the case is אם give the user full permissions to the key (temporarily!).

How to give permissions to a key?
the hard way is using WinHttpCertCfg.exe (details ,download):

winhttpcertcfg -g -c LOCAL_MACHINE\My -s CN=WSE2QuickStartServer -a SomeUser

Another way is using some gui utility and WseCertificate2.exe is a good one:

1. install the Wse2 sdk

2. run C:\Program Files\Microsoft WSE\v2.0\Tools\Certificates\WseCertificate2.exe

3. choose the certificate using the location / store drop down lists and the "open certificate" button.

4. click the "view private key file properties..." button on the bottom.

5. depending on your OS version, grant permissions for the user you want.

If all this did not help ten make sure that when have you installed the certificate you checked the "mark this key as exportable" checkbox:

Sometimes these permissions are cached so you can also restart IIS (and maybe even the PC). And as always with certificate, when you're already pulling out your hair it's time to uninstall all certificates and start all over again.

Wcf support for Wsdl2

2011-02-12T12:28:00.003+02:00

Last time I introduced wsdl2wsdl, an online wsdl2-->wsdl1 converter.
Today I am proud to announce svcutil2 - a Wcf proxy generator for Wsdl2. svcutil2, like the original svcutil, generates Wcf proxies from Wsdl2 documents. This is a huge accelerator for web services interoperability. See related discussion here.

svcutil2 is fully open sourced in CodePlex.

How to generate Wcf clients from Wsdl2 documents?
1. Download the latest version of svcutil2.exe from CodePlex

2. Open the VS command console or otherwise make sure the original svcutil.exe is in the current path (usually located in C:\Program Files\Microsoft SDKs\Windows\v6.0A\bin)

3. Use svcutil2 exactly like you use svcutil:

$> svcutil2.exe http://webservices20.cloudapp.net/wsdl2wsdl/wsdl/simple2.wsdl

you can also work with Wsdl's from file system or use any of the svcutil available flags.

Downgrade! Convert Wsdl 2.0 to Wsdl 1.1 (Wsdl2Wsdl)

2011-02-05T23:53:00.003+02:00

Wsdl2Wsdl is Here!

Wsdl 2.0 never fulfilled its promises: It did not replace Wsdl 1.1 and soap stacks rarely support it. It did not became the Metadata standard for Rest based web services. And in an era where a service metadata can be summed up with a resource uri, Wsdl 2.0 is barely looked at as a simplification. All this is hardly Wsdl 2.0 fault. It's the timing. The backlash against Soap/Wsdl based services was far behind its point of no return in the period where Wsdl 2.0 was expected to get high adoption. It is not too risky to bet that Wsdl 2.0 will never be implemented by existing soap stacks, and Wcf is no exception.

And the sky is blue. So?
While service authors may elegantly ignore Wsdl 2, if you're on the consumer side you might need to consume a service which metadata is a Wsdl 2 document. Most chances are that your client stack does not support code generation from this version of Wsdl. This is an annoying interoperability problem.

Wsdl2Wsdl
I have written an online Wsdl 2 --> Wsdl 1 converter. While there are a number of Wsdl1 --> Wsdl 2 converters available, I have yet to find one in the opposite direction.
Wsdl2Wsdl provides you a url which dynamically converts the Wsdl per demand. This means you always get the live version of the wsdl.

Can I run Wsdl2Wsdl on my premise?
The current version of Wsdl2Wsdl is web based so if your Wsdl has some secrets / IP you should take this into consideration. I plan to open source it and ship an on premise version. You are welcome to contact me if you need this urgently.

Where is Wsdl2Wsdl?
It's hosted on my Azure account:

http://webservices20.cloudapp.net/wsdl2wsdl.html

Drop me a mail with any issue or feedback.