Reputation: 11866
I am creating a WCF client for a Java web service that is out of my control, and have run into a problem, in that the service returns an InvalidSecurity fault if the Timestamp header element is signed.
I am currently using the following SecurityBindingElement, but this automatically signs the Timestamp element. How can I stop this behaviour? More generally, how can I control which elements are signed and which aren't?
var version = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(version);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion = version;
sec.IncludeTimestamp = true;
sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
Upvotes: 3
Views: 1900
Reputation: 41
I'm unable to vote up the answer, but Chris's suggestion worked for me. I wanted to prevent signing the body (and thus expecting a signed response body). I went to my interface, and added the ProtectionLevel=None to every instance of the MessageBody attribute in my MessageContracts. Because none of the parts need to be signed, WCF skips signing the request body and doesn't expect the response body to be signed either. It still signs my header fields.
Upvotes: 0
Reputation: 24426
In general you can control which elements get signed by implementing a custom endpoint behavior and in AddBindingParameters() do something like this:
ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
requirements.IncomingSignatureParts...
However, I don't see a way to remove an element in this API - only to add some. Maybe you can hack this with private reflection.
Also I'm not sure this will work for security. I think your only way is to either set "includeTimestamp" to false, in which case you will not send a timestamp to the client. If you must send a timestamp (unsigned) then still keep it false and create the timestamp yourself via a custom encoder. Should not be hard. Just watch out not to change anything else in the message if it is signed.
Upvotes: 1
Reputation: 2481
Each element in your header can be tagged with [MessageHeader] - with this you can set the protection level.
Upvotes: 1
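Putting the two answers above together (the custom endpoint behavior that edits ChannelProtectionRequirements, and per-part ProtectionLevel on [MessageHeader]/[MessageBodyMember]), here is an added example that is not from the original question or any answer; the contract, header names, namespace and behavior class are hypothetical:

```csharp
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Xml;

// Hypothetical message contract: per-part ProtectionLevel decides what WCF signs.
// The body and CorrelationId are left unsigned; ApiKey keeps the default (sign + encrypt).
[MessageContract]
public class OrderRequest
{
    [MessageHeader(Namespace = "urn:example:orders", ProtectionLevel = ProtectionLevel.None)]
    public string CorrelationId { get; set; }

    [MessageHeader(Namespace = "urn:example:orders")]
    public string ApiKey { get; set; }

    [MessageBodyMember(ProtectionLevel = ProtectionLevel.None)]
    public string Payload { get; set; }
}

// Client-side endpoint behavior that adds one header to the signed-parts requirement.
// ScopedMessagePartSpecification only accepts additions: there is no call that removes
// a part (such as the Timestamp) that the binding itself already requires to be signed.
public class RequireSignedHeaderBehavior : IEndpointBehavior
{
    private readonly XmlQualifiedName header;
    public RequireSignedHeaderBehavior(string name, string ns) { header = new XmlQualifiedName(name, ns); }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
        var requirements = bindingParameters.Find<ChannelProtectionRequirements>();
        if (requirements == null)
        {
            requirements = new ChannelProtectionRequirements();
            bindingParameters.Add(requirements);
        }
        // false: do not force the body into the signature, only the named header.
        var parts = new MessagePartSpecification(false, header);
        // Incoming covers client-to-service messages, Outgoing service-to-client;
        // adding to both requires the header to be signed in each direction.
        requirements.IncomingSignatureParts.AddParts(parts);
        requirements.OutgoingSignatureParts.AddParts(parts);
    }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Register it on the client proxy with `client.Endpoint.EndpointBehaviors.Add(new RequireSignedHeaderBehavior("ApiKey", "urn:example:orders"))`; a header that is already required by the binding, such as the Timestamp, cannot be taken out of the signature this way, which is why the accepted workaround is to leave IncludeTimestamp off.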