CSF Session doesn't propagate credential from source to destination VAS
If you don't include a "Persona Partecipant" in your session manifest, credentials aren't propagated from one VAS to another one.
Have a loook to the counting scenario you can find in sample CSF directory. The example call in sequence 2 VASes, each on these increment a value by 1, so if you submit 100, you receive 102 as result.
This is the template manifest for the example:
<csfse:Session xmlns:xsd="https://www.w3.org/2001/XMLSchema" xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance" timestamp="2006-03-27T18:42:09.9344400+02:00" timeout="15" serialize="None" state="Active" routeAnyAction="true" ackOnRouteMsgToParticipants="false" xmlns:csfse="https://www.microsoft.com/csf/20/Session/">
<csfse:SessionName>CountingSample</csfse:SessionName>
<csfse:Participants>
<csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
<csfse:ParticipantName>ServiceParticipant1</csfse:ParticipantName>
<csfse:ParticipantID>ServiceParticipant1</csfse:ParticipantID>
<csfse:ParticipantUrl>https://CSF01/CountingService2/Service2.ashx</csfse:ParticipantUrl>
<csfse:ParticipantWsdlUrl>https://CSF01/CountingService2/Service2.ashx</csfse:ParticipantWsdlUrl>
</csfse:Participant>
<csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
<csfse:ParticipantName>ServiceParticipant2</csfse:ParticipantName>
<csfse:ParticipantID>ServiceParticipant2</csfse:ParticipantID>
<csfse:ParticipantUrl>https://CSF01/CountingService1/Service1.ashx</csfse:ParticipantUrl>
<csfse:ParticipantWsdlUrl>https://CSF01/CountingService1/Service1.ashx</csfse:ParticipantWsdlUrl>
</csfse:Participant>
<csfse:Participant timeout="30" role="Service" mode="OneWay" type="WebService">
<csfse:ParticipantName>UIParticipant</csfse:ParticipantName>
<csfse:ParticipantID>UIParticipant</csfse:ParticipantID>
<csfse:ParticipantUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantUrl>
<csfse:ParticipantWsdlUrl>soap.tcp://localhost:9111/UiFormService</csfse:ParticipantWsdlUrl>
</csfse:Participant>
</csfse:Participants>
<csfse:RoutingTable version="1" timestamp="2006-03-27T18:42:13.9603020+02:00">
<csfse:Routes>
<csfse:Route>
<csfse:Criteria>(ACTION EQ 'Add')</csfse:Criteria>
<csfse:Destination>ServiceParticipant1[Add]</csfse:Destination>
<csfse:Intercept/>
</csfse:Route>
<csfse:Route>
<csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant2'))</csfse:Criteria>
<csfse:Destination>UIParticipant[RouteResponse]</csfse:Destination>
<csfse:Intercept/>
</csfse:Route>
<csfse:Route>
<csfse:Criteria>((ACTION EQ 'AddResponse') AND (SOURCE EQ 'ServiceParticipant1'))</csfse:Criteria>
<csfse:Destination>ServiceParticipant2[Add]</csfse:Destination>
<csfse:Intercept/>
</csfse:Route>
</csfse:Routes>
</csfse:RoutingTable>
</csfse:Session>
Everything starts with a message with an "Add" action from UI partecipant.
The SOAP header is something like (some header removed to simplify the reading):
<soap:Envelope>
<soap:Header>
<csfse:SessionID>urn:...</csfse:SessionID>
<wsa:Action>Add</wsa:Action>
...
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-9f6829b8-d2d3-49c5-9c7c-60c026998a57">
<wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
<wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="SecurityToken-...">
<wsse:Username>administrator@fabrikam.com</wsse:Username>
<wsse:Password>password</wsse:Password>
<wsse:Nonce>VOlNA2DOTUoFuWOjfW8lvg==</wsse:Nonce>
<wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
...
</soap:Body>
</soap:Envelope>
When session routes this message to ServicePartecipant1 the header becomes:
<soap:Envelope>
<soap:Header>
<csfse:SessionID>urn:...</csfse:SessionID>
<wsa:Action>Add</wsa:Action>
...
<wsse:Security>
<wsu:Timestamp wsu:Id="Timestamp-f97709ea-9a36-4a3c-9c27-301e655c404a">
<wsu:Created>2006-03-27T16:51:38Z</wsu:Created>
<wsu:Expires>2006-03-27T16:56:38Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soap:Header>
<soap:Body>
...
</soap:Body>
</soap:Envelope>
as you can see the username token is gone. If you want to keep it, modify template manifest as follows:
(1) add persona partecipant
<csfse:Participant timeout="30" role="Persona" mode="OneWay" type="WebService">
<csfse:ParticipantName>PersonaParticipant</csfse:ParticipantName>
<csfse:ParticipantID>PersonaParticipant</csfse:ParticipantID>
<csfse:ParticipantUrl>...</csfse:ParticipantUrl>
<csfse:ParticipantWsdlUrl>...</csfse:ParticipantWsdlUrl>
<csfse:SecurityToken>
<wsse:UsernameToken wsu:Id="SecurityToken-055ed3fb-b592-49c7-b2b7-6f18a1ff7a86">
<wsse:Username>administrator@fabrikam.com</wsse:Username>
<wsse:Password Type="https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">...</wsse:Password>
<wsse:Nonce>wPasvF7+DZ2DTcuWfEKVsg==</wsse:Nonce>
<wsu:Created>2006-03-24T17:07:19Z</wsu:Created>
</wsse:UsernameToken>
</csfse:SecurityToken>
</csfse:Participant>
(2) For any participant except for the Persona participant, the <policyDocument> tag indicates that secondary credentials are required for the participant. If a <policyDocument> tag is specified for a participant, then a Session Persona <Participant> should also be defined. Warning: If you specify the <policyDocument> without a persona partecipant, the message is simply not ruoted!!!