Yet another MessageSecurityException issue

Question

So I built a service which uses basic Auth Soap 1.2. Config below:

<customBinding>
    <binding name="MyHttpBinding">
      <security authenticationMode="UserNameOverTransport" securityHeaderLayout="Strict"
        allowInsecureTransport="false">
        <secureConversationBootstrap />
      </security>
      <textMessageEncoding messageVersion="Soap12" />
      <httpsTransport maxReceivedMessageSize="6553600" authenticationScheme="Basic" maxBufferSize="6553600" />
    </binding>
  </customBinding>

I have multiple clients calling it (WCF and Java). With WCF Client I do not have any issues, but with Java Client I get the following exception on server side:

System.ServiceModel.Security.MessageSecurityException Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

What I dont know is how to get around this issue. The system needs to use Basic Authentication and must use Soap 1.2(thus the custom binding). I do not have control of the calling Java Client, but I am assured that it is calling the service using basic Auth.

Any suggestions?

Answer 1

you need to configure the java client to send a username token to the server. turn on Fiddler and compare the working soap (wcf client) to the non working one (java)

Answer 2

I am no Java expert but as far as I know, Java clients cannot implement SOAP 1.2 on the fly. And Java clients need external libraries to supplement the necessary policy/security headers in the 1.2 SOAP message.

I have directed my Java clients to use Metro libraries in order to consume my WCF service. (I am using a similar binding just like yours.) Here is a blog how to include Metro libraries.

Here is the MSDN link for interoperability.

Hope this helps!