Reputation: 150108
Configure WCF for WS-Security with Username over https
I'm trying to call a Java based, WS-Security enabled web service over https using a WCF client and can't seem to get the security configuration right. Using SvcTraceViewer, I don't see the expected security header with any of the security configurations I have tried.
My most recent security configuration is:
<wsHttpBinding>
<binding name="MySoapBinding" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
messageEncoding="Text" textEncoding="utf-8"
useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportWithMessageCredential">
<transport/>
<message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false"/>
</security>
</binding>
</wsHttpBinding>
and I set the username/password in code like this:
svc.ClientCredentials.UserName.UserName = TestBase.userName;
svc.ClientCredentials.UserName.Password = TestBase.password;
The Java web service expects a security header like this:
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-bf41c571-7d32-438c-937e-7d83a3ac2d14">
<wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
<wsu:Expires>2010-12-27T16:48:16Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-4c9b30b1-d697-4c64-89cb-a6d7e857aebf">
<wsse:Username>MyUserName</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
<wsse:Nonce>pzLdD4S+OCDG6Ut9Ur1oOQ==</wsse:Nonce>
<wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
I see no Security header at all.
I have read quite a bit online about transport vs. message level security and security modes, but can't seem to find the right set of options. How should I configure my binding for
- https communication
- Username/passowrd in the SOAP header, in plain text (WS-Security)
- Timestamp required
- Nonce required
Upvotes: 2
Views: 12476
Answers (1)
Reputation: 150108
Turns out Rick Strahl had almost exactly the same issue. It turns out that SvcTraceViewer does not show the actual on-the-wire message. However, his blog outlines a procedure to proxy through Charles (or in my case Fiddler 2, which is free) to see the actual message.
It turns out that I'm sending a Timestamp element as required by the web service I'm calling, but if I do, WCF demands a Timestamp in the response (which I'm not getting). The error message is quite misleading. Fortunately I can have the service changed to return a Timestamp.
http://www.west-wind.com/weblog/posts/205198.aspx
Upvotes: 3
Related Questions
- WCF custom userName authentication using HTTP
- How to configure WCF client for WS-Security (UsernameToken + Encrypted body SOAP (no signature))
- How to make WCF Client conform to specific WS-Security - sign UsernameToken and SecurityTokenReference
- wsFederationHttpBinding, passing custom user Identity to STS
- Configure WCF Service to enable HTTPS and Transport Credential with User Name and Password
- WCF client configuration for 3rd party SOAP 1.1 service with plain text username credentials over SSL
- How do I consume a WS-Security service in WCF over HTTPS?
- Issues with WCF and SOAP WS-Security PlainText Username (No SSL)
- WCF security, username password without certificate
- WCF Service with custom username password authentication problem