Handling asymmetric headers in a web service

Question

Good evening,

I'm in the process of moving some legacy .NET 2 code to .NET 4. In one small corner of this project, there is a WSE call to a SOAP web service run by a 3rd party. The service is quirky -- it uses UserTokenauthentication, which is fine, but the way it does doesn't not seem to work well with WCF.

My first approach was to configure the binding to use TransportWithMessageCredential and set the username/password by way of <clientName>.ClientCredentials.UserName. At runtime, this threw an exception that indicated that security was missing on the response. After some investigation with Fiddler, I discovered that while I was sending the UserToken header, but there was no security header in the response from the service. WCF considers that formatting invalid and throws an exception.

As an experiment, I switched the binding to use Transport security and added a <headers>...</headers> block in the endpoint configuration, essentially hard-coding the credentials. This worked and WCF was satisfied, because it was not trying to verify the message credentials.

I'm at the point where I have a working prototype, but I'm really unsatisfied with it from a design perspective, but I'm at a loss to come up with a better solution.

Is there a way to either (1) configure the service so it sends the UserToken but doesn't require the security block on return, or (2) inject the SOAP header in code, so it's more dynamic that putting it in the configuration?

Thanks!

Answer 1

First use the WCF BindingBox to convert your basic http binding to a custom binding. Then on the security element of the custom binding add this:

enableUnsecuredResponse="true"