Reputation: 4919
I'm trying to consume Java Web Service using C# in desktop application.
My first attempt was using WebServicesClientProtocol, but I'm not able to add necessary attribute that is required by WSSE Username and Token Security Spec 1.1
I need to create request that has this structure:
<soap:Envelope xmlns:dz="" xmlns:soap="" xmlns:xsd="">
<wsse:Security xmlns:wsse="" xmlns:wsu="">
<wsse:UsernameToken wsu:Id="UsernameToken-E94CEB6F4708FB7C23148611494797612">
<wsse:Password Type="">XqEwZ/CxaBfFvh487TjvN8qD63c=</wsse:Password>
<wsse:Nonce EncodingType="">JzURe0CxvzRjmEcH/ndldw==</wsse:Nonce>
<wsse:BinarySecurityToken EncodingType="" ValueType="" wsu:Id="X509-E94CEB6F4708FB7C2314861149479517">MIIKnDCCB.........nmIngeg6d6TNI=</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-E94CEB6F4708FB7C23148611494795311" xmlns:ds="">
<ds:CanonicalizationMethod Algorithm="">
<ec:InclusiveNamespaces PrefixList="dz soap xsd" xmlns:ec=""/>
<ds:SignatureMethod Algorithm=""/>
<ds:Reference URI="#id-E94CEB6F4708FB7C23148611494795310">
<ds:Transform Algorithm="">
<ec:InclusiveNamespaces PrefixList="dz xsd" xmlns:ec=""/>
<ds:DigestMethod Algorithm=""/>
<ds:KeyInfo Id="KI-E94CEB6F4708FB7C2314861149479518">
<wsse:SecurityTokenReference wsse11:TokenType="" wsu:Id="STR-E94CEB6F4708FB7C2314861149479519" xmlns:wsse11="">
<wsse:Reference URI="#X509-E94CEB6F4708FB7C2314861149479517" ValueType=""/>
<soap:Body wsu:Id="id-E94CEB6F4708FB7C23148611494795310" xmlns:wsu="">
I've managed to create custom classes using IEndpointBehavior and IClientMessageInspector, but with them I'm only able to add UsernameToken
public class InspectorBehavior : IEndpointBehavior
/// <summary>
/// Gets or sets the custom ClientInspector.
/// </summary>
public ClientInspector ClientInspector { get; set; }
/// <summary>
/// Constructs a new InspectorBehavior
/// </summary>
/// <param name="clientInspector"><see cref="ClientInspector"/></param>
public InspectorBehavior(ClientInspector clientInspector)
ClientInspector = clientInspector;
/// <summary>
/// Implement to confirm that the endpoint meets some intended criteria.
/// </summary>
/// <param name="endpoint"><see cref="ServiceEndpoint"/></param>
public void Validate(ServiceEndpoint endpoint)
// not calling the base implementation
/// <summary>
/// Implement to pass data at runtime to bindings to support custom behavior.
/// </summary>
/// <param name="endpoint"><see cref="ServiceEndpoint"/></param>
/// <param name="bindingParameters"><see cref="BindingParameterCollection"/></param>
public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
// not calling the base implementation
/// <summary>
/// Implements a modification or extension of the service across an endpoint.
/// </summary>
/// <param name="endponit"><see cref="ServiceEndpoint"/></param>
/// <param name="endpointDispatcher"><see cref="EndpointDispatcher"/></param>
public void ApplyDispatchBehavior(ServiceEndpoint endponit, EndpointDispatcher endpointDispatcher)
// not calling the base implementation
/// <summary>
/// Implements the custom modification of the WCF client across an endpoint.
/// </summary>
/// <param name="endpoint"><see cref="ServiceEndpoint"/></param>
/// <param name="clientRuntime"><see cref="ClientRuntime"/></param>
public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
if (this.ClientInspector == null)
throw new InvalidOperationException("Caller must supply ClientInspector.");
public class ClientInspector : IClientMessageInspector
/// <summary>
/// Gets or sets the custom MessageHeader.
/// </summary>
public MessageHeader[] Headers
/// <summary>
/// Constructs a new ClientInspector
/// </summary>
/// <param name="headers"><see cref="MessageHeader"/></param>
public ClientInspector(params MessageHeader[] headers)
Headers = headers;
/// <summary>
/// Enables inspection or modification of a message before a request message is sent to a service.
/// </summary>
/// <param name="request"><see cref="Message"/></param>
/// <param name="channel"><see cref="IClientChannel"/></param>
/// <returns></returns>
public object BeforeSendRequest(ref Message request, IClientChannel channel)
if (Headers != null)
for (int i = Headers.Length - 1; i >= 0; i--)
request.Headers.Insert(0, Headers[i]);
return request;
/// <summary>
/// Enables inspection or modification of a message after a reply message is received but
/// prior to passing it back to the client.
/// </summary>
/// <param name="reply"><see cref="Message"/></param>
/// <param name="correlationState">object</param>
public void AfterReceiveReply(ref Message reply, object correlationState)
// not calling the base implementation
public class SecurityHeader : MessageHeader
private readonly APIConfig config;
/// <summary>
/// Constructors a new SecurityHeader
/// </summary>
/// <param name="config"><see cref="APIConfig"/></param>
public SecurityHeader(APIConfig config)
this.config = config;
/// <summary>
/// Gets or sets a value that indicates whether the header must be understood, according to SOAP 1.1/1.2 specification.
/// </summary>
public override bool MustUnderstand
return true;
/// <summary>
/// Gets the name of the message header.
/// </summary>
public override string Name
return "Security";
/// <summary>
/// Gets the namespace of the message header.
/// </summary>
public override string Namespace
return "";
protected override void OnWriteStartHeader(XmlDictionaryWriter writer, MessageVersion messageVersion)
writer.WriteStartElement("wsse", Name, Namespace);
writer.WriteXmlnsAttribute("wsse", Namespace);
/// <summary>
/// Called when the header content is serialized using the specified XML writer.
/// </summary>
/// <param name="writer"><see cref="XmlDictionaryWriter"/></param>
/// <param name="messageVersion"><see cref="MessageVersion"/></param>
protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
/// <summary>
/// Overwrites the default SOAP Security Header values generated by WCF with
/// those required by the UserService which implements WSE 2.0. This is required
/// for interoperability between a WCF Client and a WSE 2.0 Service.
/// </summary>
/// <param name="writer"><see cref="XmlDictionaryWriter"/></param>
private void WriteHeader(XmlDictionaryWriter writer)
// Create the Nonce
byte[] nonce = GenerateNonce();
// Create the Created Date
string created = DateTime.UtcNow.ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
// Create the WSSE Security Header, starting with the Username Element
writer.WriteStartElement("wsse", "UsernameToken", Namespace);
writer.WriteXmlnsAttribute("wsu", "");
writer.WriteStartElement("wsse", "Username", null);
// Add the Password Element
writer.WriteStartElement("wsse", "Password", null);
writer.WriteAttributeString("Type", "");
writer.WriteString(GeneratePasswordDigest(nonce, created, config.Password));
// Add the Nonce Element
writer.WriteStartElement("wsse", "Nonce", null);
writer.WriteAttributeString("EncodingType", "");
writer.WriteBase64(nonce, 0, nonce.Length);
// Lastly, add the Created Element
writer.WriteStartElement("wsu", "Created", null);
/// <summary>
/// Generates a random Nonce for encryption purposes
/// </summary>
/// <returns>byte[]</returns>
private byte[] GenerateNonce()
RNGCryptoServiceProvider rand = new RNGCryptoServiceProvider();
byte[] buf = new byte[0x10];
return buf;
/// <summary>
/// Generates the PasswordDigest using a SHA1 Hash
/// </summary>
/// <param name="nonceBytes">byte[]</param>
/// <param name="created">string</param>
/// <param name="password">string</param>
/// <returns>string</returns>
private string GeneratePasswordDigest(byte[] nonceBytes, string created, string password)
// Convert the values to be hashed to bytes
byte[] createdBytes = Encoding.UTF8.GetBytes(created);
byte[] passwordBytes = Encoding.UTF8.GetBytes(password);
byte[] msgBytes = new byte[nonceBytes.Length + createdBytes.Length + passwordBytes.Length];
// Combine the values into one byte array
Array.Copy(nonceBytes, msgBytes, nonceBytes.Length);
Array.Copy(createdBytes, 0, msgBytes, nonceBytes.Length, createdBytes.Length);
Array.Copy(passwordBytes, 0, msgBytes, (nonceBytes.Length + createdBytes.Length), passwordBytes.Length);
// Generate the hash
SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider();
byte[] hashBytes = sha1.ComputeHash(msgBytes);
return Convert.ToBase64String(hashBytes);
public class APIConfig
/// <summary>
/// Gets or Sets the Password property
/// </summary>
public string Password
/// <summary>
/// Gets or Sets the Username property
/// </summary>
public string Username
With above code I'm able to create this request:
<s:Envelope xmlns:s="">
<wsse:Security xmlns:wsse="">
<wsse:UsernameToken xmlns:wsu="">
<wsse:Password Type="">1TiCoKWfNF3EdEH3qdU4inKklaw=</wsse:Password>
<wsse:Nonce EncodingType="">mAyz3SywR8sR9IkhDGJRIw==</wsse:Nonce>
<s:Body xmlns:xsi="" xmlns:xsd="">
<query xmlns="">
<userQueryId xsi:nil="true" xmlns=""/>
As You can see I'm missing BinarySecurityToken
and Signature
elements in my Security
I've tried using Microsoft.Web.Services3
but without luck.
For example constructor of BinarySecurityToken
is protected.
I have my client cert imported inside my cert store. I need to sign only the body of my request.
How can I add those two elements to Security
element inside Header
? i know I must use Microsoft.Web.Services3
but i don't know how.
I've searched over the internet for similar questions, but all I found was tutorials on how to add username and passwords, questions about adding Signature
and BinarySecurityToken
remains unanswered - How to sign xml with X509 cert, add digest value and signature to xml template
Upvotes: 12
Views: 5114
Reputation: 24426
this coded binding should produce a similar message:
var b = new CustomBinding();
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion =
sec.IncludeTimestamp = false;
sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;
b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
b.Elements.Add(new HttpsTransportBindingElement());
var c =
new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri(""), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));
c.ClientCredentials.UserName.UserName = "yaron";
c.ClientCredentials.UserName.Password = "1234";
c.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
c.ClientCredentials.ServiceCertificate.DefaultCertificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Server Public.cer");
c.ClientCredentials.ClientCertificate.Certificate = new X509Certificate2(@"C:\Program Files\Microsoft WSE\v2.0\Samples\Sample Test Certificates\Client Private.pfx", "wse2qs");
c.Endpoint.Contract.ProtectionLevel = System.Net.Security.ProtectionLevel.Sign;
The path you chose would require you to implement message signing by yourself which is harder.
Upvotes: 4