  1. POC# Webservice error: Message security verification failed
<p>I am trying to consume an authentication Web Service passing in SOAP header with UsernameToken using custom binding</p>
<pre><code>ICollection&lt;BindingElement&gt; bindingElements = new List&lt;BindingElement&gt;();
HttpsTransportBindingElement httpBindingElement = new HttpsTransportBindingElement();
CustomTextMessageBindingElement textBindingElement = new CustomTextMessageBindingElement();

// UsernameToken in the SOAP header, protected by the HTTPS transport
SecurityBindingElement securityElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
securityElement.IncludeTimestamp = false;

bindingElements.Add(securityElement);
bindingElements.Add(textBindingElement);
bindingElements.Add(httpBindingElement);
CustomBinding binding = new CustomBinding(bindingElements);

EndpointAddress address = new EndpointAddress("https://....");
var client = new WebServiceClient(binding, address);
client.ClientCredentials.UserName.UserName = "USERNAME HERE";
client.ClientCredentials.UserName.Password = "PASSWORD HERE";

using (new OperationContextScope(client.InnerChannel))
{
    var req = new WebServiceRequest();
    var resp = client.initiate(req);   // the exception below is thrown here
}
</code></pre>
<p>getting an exception:</p>
<blockquote>
<p>Message security verification failed.</p>
<p>Cannot read the token from the 'BinarySecurityToken' element with the '<a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" rel="nofollow">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd</a>' namespace for BinarySecretSecurityToken, with a 'oblix:ObSSOCookie' ValueType. If this element is expected to be valid, ensure that security is configured to consume tokens with the name, namespace and value type specified."}</p>
</blockquote>
<p>Server stack trace: </p>
<blockquote>
<p>at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)</p>
</blockquote>
<p>Here's the response caught by Fiddler:</p>
<pre><code>&lt;?xml version="1.0" encoding="UTF-8"?&gt;
&lt;env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"&gt;
  &lt;env:Header&gt;
    &lt;wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
      &lt;wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="oblix:ObSSOCookie" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:oblix="http://schemas.oblix.com/ws/2004/04/authentication"&gt;&lt;!--REMOVED--&gt;&lt;/wsse:BinarySecurityToken&gt;
    &lt;/wsse:Security&gt;
  &lt;/env:Header&gt;
  &lt;env:Body&gt;
    &lt;MobileAppsLoginSSOProcessResponse xmlns="http://xmlns.oracle.com/MobileAppsLoginSSO"&gt;
      &lt;ReturnStatus&gt;SUCCESS&lt;/ReturnStatus&gt;
    &lt;/MobileAppsLoginSSOProcessResponse&gt;
  &lt;/env:Body&gt;
&lt;/env:Envelope&gt;
</code></pre>
<p>I am using CustomTextMessageEncoder following <a href="http://msdn.microsoft.com/en-us/library/ms751486%28v=vs.100%29.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/library/ms751486%28v=vs.100%29.aspx</a></p>
<p><strong>EDIT:</strong></p>
<p>As suggested by Yaron, unless I strip out the BinarySecurityToken tag from the response, the code fails with the above Message Security Validation Failed exception.</p>
<p>The 'oblix:ObSSOCookie' in the response is the authentication cookie sent by the service back to the client on successful authentication, and I believe the client needs to save this cookie.</p>
<p><strong>Solution:</strong> As suggested by Yaron in the final edit, I removed <code>SecurityElementBinding</code> from the Custom Binding and used a Custom Message Inspector (<code>IClientMessageInspector</code>) to inject the Security tag into the header.</p>
<p>This allowed the response to be interpreted only from the SOAP body, and I can read the SOAP response header in <code>AfterReceiveReply</code> of my <code>IClientMessageInspector</code> implementation.</p>
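<p>A sketch of the approach described in the Solution paragraph above, added here as an example and not the poster's own code: an inspector that writes the <code>wsse:Security</code> header itself and picks the <code>BinarySecurityToken</code> out of the reply. The class and property names are hypothetical, and it assumes the service accepts a plain-text UsernameToken without a nonce, timestamp or password <code>Type</code> attribute.</p>

```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Xml;
// Hypothetical names (WsseHeader, WsseInspector, SsoCookie); not from the original post.
// Attach with client.Endpoint.Behaviors.Add(inspector) on a binding without the security element.
class WsseHeader : MessageHeader
{
    public const string Ns = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    readonly string user, password;
    public WsseHeader(string user, string password) { this.user = user; this.password = password; }
    public override string Name { get { return "Security"; } }
    public override string Namespace { get { return Ns; } }
    public override bool MustUnderstand { get { return true; } }
    protected override void OnWriteHeaderContents(XmlDictionaryWriter w, MessageVersion v)
    {
        // Plain-text UsernameToken (assumption); confidentiality comes only from HTTPS.
        w.WriteStartElement("wsse", "UsernameToken", Ns);
        w.WriteElementString("wsse", "Username", Ns, user);
        w.WriteElementString("wsse", "Password", Ns, password);
        w.WriteEndElement();
    }
}

public class WsseInspector : IClientMessageInspector, IEndpointBehavior
{
    readonly string user, password;
    public string SsoCookie { get; private set; }  // bearer credential: keep out of logs and traces
    public WsseInspector(string user, string password) { this.user = user; this.password = password; }
    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        request.Headers.Add(new WsseHeader(user, password));
        return null;  // no correlation state needed
    }
    public void AfterReceiveReply(ref Message reply, object correlationState)
    {
        // WCF no longer parses the Security header, so the unknown ValueType cannot fail the call.
        int i = reply.Headers.FindHeader("Security", WsseHeader.Ns);
        if (i < 0) return;
        using (XmlDictionaryReader r = reply.Headers.GetReaderAtHeader(i))
            if (r.ReadToDescendant("BinarySecurityToken", WsseHeader.Ns))
                SsoCookie = r.ReadElementContentAsString();
    }
    public void ApplyClientBehavior(ServiceEndpoint e, ClientRuntime rt) { rt.MessageInspectors.Add(this); }
    public void AddBindingParameters(ServiceEndpoint e, BindingParameterCollection p) { }
    public void ApplyDispatchBehavior(ServiceEndpoint e, EndpointDispatcher d) { }
    public void Validate(ServiceEndpoint e) { }
}
```

<p>With the security binding element removed, WCF performs no message-level security verification on the reply, so the token is trusted purely on the strength of the HTTPS channel; keep certificate validation at its defaults and keep the <code>HttpsTransportBindingElement</code> in the binding.</p>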