
If you don't include a "Persona Participant" in your session manifest, credentials aren't propagated from one VAS to the next.
Have a look at the counting scenario in the sample CSF directory. The example calls two VASes in sequence, each of which increments a value by 1, so if you submit 100, you receive 102 as the result.
 
This is the template manifest for the example:
 
<csfse:Session xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" timestamp="2006-03-27T18:42:09.9344400+02:00" timeout="15" serialize="None" state="Active" routeAnyAction="true" ackOnRouteMsgToParticipants="false" xmlns:csfse="http://www.microsoft.com/csf/20/Session/">
 <csfse:SessionName>CountingSample</csfse:SessionName>
 <csfse:Participants>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>ServiceParticipant1</csfse:ParticipantName>
   <csfse:ParticipantID>ServiceParticipant1</csfse:ParticipantID>
   <csfse:ParticipantUrl>http://CSF01/CountingService2/Service2.ashx</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>http://CSF01/CountingService2/Service2.ashx</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>ServiceParticipant2</csfse:ParticipantName>
   <csfse:ParticipantID>ServiceParticipant2</csfse:ParticipantID>
   <csfse:ParticipantUrl>http://CSF01/CountingService1/Service1.ashx</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>http://CSF01/CountingService1/Service1.ashx</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
  <csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
   <csfse:ParticipantName>UIParticipant</csfse:ParticipantName>
   <csfse:ParticipantID>UIParticipant</csfse:ParticipantID>
   <csfse:ParticipantUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantUrl>
   <csfse:ParticipantWsdlUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantWsdlUrl>
  </csfse:Participant>
 </csfse:Participants>
 <csfse:RoutingTable version="1" timestamp="2006-03-27T18:42:13.9603020+02:00">
  <csfse:Routes>
   <csfse:Route>
    <csfse:Criteria>(ACTION EQ 'Add')</csfse:Criteria>
    <csfse:Destination>ServiceParticipant1[Add]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
   <csfse:Route>
    <csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant2'))</csfse:Criteria>
    <csfse:Destination>UIParticipant[RouteResponse]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
   <csfse:Route>
    <csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant1'))</csfse:Criteria>
    <csfse:Destination>ServiceParticipant2[Add]</csfse:Destination>
    <csfse:Intercept/>
   </csfse:Route>
  </csfse:Routes>
 </csfse:RoutingTable>
</csfse:Session>
 
Everything starts with a message with an "Add" action from the UI participant.
The SOAP header looks something like this (some headers removed to simplify reading):
 
  <soap:Envelope>
    <soap:Header>
      <csfse:SessionID>urn:...</csfse:SessionID>
      <wsa:Action>Add</wsa:Action>
 ...
      <wsse:Security soap:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="Timestamp-9f6829b8-d2d3-49c5-9c7c-60c026998a57">
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
          <wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:UsernameToken wsu:Id="SecurityToken-...">
          <wsse:Username>administrator@fabrikam.com</wsse:Username>
          <wsse:Password>password</wsse:Password>
          <wsse:Nonce>VOlNA2DOTUoFuWOjfW8lvg==</wsse:Nonce>
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
        </wsse:UsernameToken>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
...
    </soap:Body>
  </soap:Envelope>
 
When the session routes this message to ServiceParticipant1, the header becomes:
 
  <soap:Envelope>
    <soap:Header>
     <csfse:SessionID>urn:...</csfse:SessionID>
      <wsa:Action>Add</wsa:Action>
 ...    
      <wsse:Security>
        <wsu:Timestamp wsu:Id="Timestamp-f97709ea-9a36-4a3c-9c27-301e655c404a">
          <wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
          <wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
        </wsu:Timestamp>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
      ...
    </soap:Body>
  </soap:Envelope>
 
As you can see, the username token is gone. If you want to keep it, modify the template manifest as follows:
 
(1) Add a Persona participant:
 
<csfse:Participant timeout="30" role="Persona" mode="OneWay" type="WebService">
 <csfse:ParticipantName>PersonaParticipant</csfse:ParticipantName>
 <csfse:ParticipantID>PersonaParticipant</csfse:ParticipantID>
 <csfse:ParticipantUrl>...</csfse:ParticipantUrl>
 <csfse:ParticipantWsdlUrl>...</csfse:ParticipantWsdlUrl>
 <csfse:SecurityToken>
  <wsse:UsernameToken wsu:Id="SecurityToken-055ed3fb-b592-49c7-b2b7-6f18a1ff7a86">
   <wsse:Username>administrator@fabrikam.com</wsse:Username>
   <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">...</wsse:Password>
   <wsse:Nonce>wPasvF7+DZ2DTcuWfEKVsg==</wsse:Nonce>
   <wsu:Created>2006-03-24T17:07:19Z</wsu:Created>
  </wsse:UsernameToken>
 </csfse:SecurityToken>
</csfse:Participant>
 
(2) For any participant except the Persona participant, the <policyDocument> tag indicates that secondary credentials are required for the participant. If a <policyDocument> tag is specified for a participant, then a Session Persona <Participant> should also be defined. Warning: if you specify the <policyDocument> without a Persona participant, the message is simply not routed!
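
The two rules above can be checked before a manifest is deployed. The following lint is an added example, not part of the CSF samples: it reports a missing Persona participant, a <policyDocument> without one, and a Persona token whose password type is PasswordText (cleartext stored in the manifest). The exact placement and namespace of <policyDocument> are assumptions, so elements are matched by local name; the sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

CSFSE = "http://www.microsoft.com/csf/20/Session/"  # namespace used by the manifest above
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]

def pname(p):
    return p.findtext(f"{{{CSFSE}}}ParticipantName", default="?")

def lint_manifest(xml_text):
    """Return (code, participant) findings for a CSF session manifest."""
    parts = ET.fromstring(xml_text).findall(f".//{{{CSFSE}}}Participant")
    personas = [p for p in parts if p.get("role") == "Persona"]
    findings = []
    if not personas:
        # Without a Persona participant the UsernameToken is dropped on routing.
        findings.append(("no-persona", None))
    for p in parts:
        # Assumption: policyDocument is matched by local name under the participant.
        has_policy = any(local(e.tag) == "policyDocument" for e in p.iter())
        if p.get("role") != "Persona" and has_policy and not personas:
            # Per the warning above, such messages are not routed at all.
            findings.append(("policy-without-persona", pname(p)))
    for p in personas:
        for e in p.iter():
            if local(e.tag) == "Password" and e.get("Type") == PASSWORD_TEXT:
                # The manifest itself then stores a cleartext password.
                findings.append(("cleartext-password", pname(p)))
    return findings

# Constructed sample manifests (trimmed; not the full CSF sample).
def manifest(*participants):
    return (f'<csfse:Session xmlns:csfse="{CSFSE}" xmlns:wsse="{WSSE}">'
            f'<csfse:Participants>{"".join(participants)}</csfse:Participants>'
            f'</csfse:Session>')

def participant(name, role, inner=""):
    return (f'<csfse:Participant role="{role}"><csfse:ParticipantName>{name}'
            f'</csfse:ParticipantName>{inner}</csfse:Participant>')

POLICY = "<csfse:policyDocument/>"  # placement and namespace assumed
TOKEN = (f'<csfse:SecurityToken><wsse:UsernameToken><wsse:Password Type="{PASSWORD_TEXT}">'
         'placeholder</wsse:Password></wsse:UsernameToken></csfse:SecurityToken>')
```

A manifest that passes the first two checks can still report cleartext-password; treat such a manifest file as a credential store and restrict access to it accordingly.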