CSF Session doesn’t propagate credential from source to destination VAS


If you don't include a "Persona Partecipant" in your session manifest, credentials aren't propagated from one VAS to another one.

Have a loook to the counting scenario you can find in sample CSF directory. The example call in sequence 2 VASes, each on these increment a value by 1, so if you submit 100, you receive 102 as result.

 

This is the template manifest for the example:

 

<csfse:Session xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" timestamp="2006-03-27T18:42:09.9344400+02:00" timeout="15" serialize="None" state="Active" routeAnyAction="true" ackOnRouteMsgToParticipants="false" xmlns:csfse="http://www.microsoft.com/csf/20/Session/">
 <csfse:SessionName>CountingSample</csfse:SessionName>
 <csfse:Participants>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>ServiceParticipant1</csfse:ParticipantName>
   <csfse:ParticipantID>ServiceParticipant1</csfse:ParticipantID>
   <csfse:ParticipantUrl>http://CSF01/CountingService2/Service2.ashx</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>http://CSF01/CountingService2/Service2.ashx</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>ServiceParticipant2</csfse:ParticipantName>
   <csfse:ParticipantID>ServiceParticipant2</csfse:ParticipantID>
   <csfse:ParticipantUrl>http://CSF01/CountingService1/Service1.ashx</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>http://CSF01/CountingService1/Service1.ashx</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>UIParticipant</csfse:ParticipantName>
   <csfse:ParticipantID>UIParticipant</csfse:ParticipantID>
   <csfse:ParticipantUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
 </csfse:Participants>
 <csfse:RoutingTable version="1" timestamp="2006-03-27T18:42:13.9603020+02:00">
  <csfse:Routes>
   <csfse:Route>
    <csfse:Criteria>(ACTION EQ 'Add')</csfse:Criteria>
    <csfse:Destination>ServiceParticipant1[Add]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
   <csfse:Route>
    <csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant2'))</csfse:Criteria>
    <csfse:Destination>UIParticipant[RouteResponse]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
   <csfse:Route>
    <csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant1'))</csfse:Criteria>
    <csfse:Destination>ServiceParticipant2[Add]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
  </csfse:Routes>
 </csfse:RoutingTable>
</csfse:Session>

 

Everything starts with a message with an "Add" action from UI partecipant.
The SOAP header is something like (some header removed to simplify the reading):

 

  <soap:Envelope>
    <soap:Header>
      <csfse:SessionID>urn:...</csfse:SessionID>
      <wsa:Action>Add</wsa:Action>
 ...
      <wsse:Security soap:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="Timestamp-9f6829b8-d2d3-49c5-9c7c-60c026998a57">
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
          <wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:UsernameToken wsu:Id="SecurityToken-...">
          <wsse:Username>administrator@fabrikam.com</wsse:Username>
          <wsse:Password>password</wsse:Password>
          <wsse:Nonce>VOlNA2DOTUoFuWOjfW8lvg==</wsse:Nonce>
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
        </wsse:UsernameToken>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
...
    </soap:Body>
  </soap:Envelope>

 

When session routes this message to ServicePartecipant1 the header becomes:

 

  <soap:Envelope>
    <soap:Header>
     <csfse:SessionID>urn:...</csfse:SessionID>
      <wsa:Action>Add</wsa:Action>
 ...    
      <wsse:Security>
        <wsu:Timestamp wsu:Id="Timestamp-f97709ea-9a36-4a3c-9c27-301e655c404a">
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
          <wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
        </wsu:Timestamp>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
      ...
    </soap:Body>
  </soap:Envelope>

 

as you can see the username token is gone. If you want to keep it, modify template manifest as follows:

 

(1) add persona partecipant

 

<csfse:Participant timeout="30" role="Persona" mode="OneWay" type="WebService">
 <csfse:ParticipantName>PersonaParticipant</csfse:ParticipantName>
 <csfse:ParticipantID>PersonaParticipant</csfse:ParticipantID>
 <csfse:ParticipantUrl>...</csfse:ParticipantUrl>
 <csfse:ParticipantWsdlUrl>...</csfse:ParticipantWsdlUrl>
 <csfse:SecurityToken>
  <wsse:UsernameToken wsu:Id="SecurityToken-055ed3fb-b592-49c7-b2b7-6f18a1ff7a86">
   <wsse:Username>administrator@fabrikam.com</wsse:Username>
   <wsse:Password Type="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">...</wsse:Password>
   <wsse:Nonce>wPasvF7+DZ2DTcuWfEKVsg==</wsse:Nonce>
   <wsu:Created>2006-03-24T17:07:19Z</wsu:Created>
  </wsse:UsernameToken>
 </csfse:SecurityToken>
</csfse:Participant>

 

(2) For any participant except for the Persona participant, the <policyDocument> tag indicates that secondary credentials are required for the participant. If a <policyDocument> tag is specified for a participant, then a  Session Persona <Participant> should also be defined. Warning: If you specify the <policyDocument> without a persona partecipant, the message is simply not ruoted!!!

Comments (0)

Skip to main content