How to add custom soap headers or use username auth under http?

Question

I am trying to modify and add custom headers to a soap message in the BeforeSendRequest method like this:

    public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, IClientChannel channel)
    {
        MessageHeader header = MessageHeader.CreateHeader("name", "http://myname", "Oscar");
        request.Headers.Add(header);

        return null;
    }

Everything is ok at this point, the header is added in the soap headers like this:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<ActivityId CorrelationId="51efbfdb-2187-45b9-81fc-6a38815d5bed" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d1351a78-a53a-4d32-ad35-fca6d4262adf</ActivityId>
<name xmlns="http://myname">Oscar</name>
</s:Header>

The problem is that I want to add something bigger in the headers and the final result has to be like this:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<ActivityId CorrelationId="51efbfdb-2187-45b9-81fc-6a38815d5bed" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d1351a78-a53a-4d32-ad35-fca6d4262adf</ActivityId>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:Username xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">username</wsse:Username>
      <wsse:Password xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">password</wsse:Password>
    </wsse:UsernameToken>
</wsse:Security>
</s:Header>

Is there a way to achieve this?

PS. Please guys :-) do not criticize me, I am in the following situation:

When adding this username and password auth, you need to be over https, the problem is that this Java based webservice which I am trying to communicate is under http and I think it is not compliant because according to the 3rd link "It is considered bad practice to pass credentials over an unsecured connection" but they solved it adding the headers in the config file (something I did without success).

I read these links too and tried them. Also when doing things from links 1 and 2, I got a kind of exception in Visual Studio which says something like "It is expected https and not http" that's why I am trying MessageInspectors using BeforeSendRequest method.

score 1 · Answer 1 · answered May 16 '12 at 12:30

1

ClearUsernameBinding is the solution

answered May 16 '12 at 12:30

Yaron Naveh

23,560
32
103
158

This is new for me :-) thank you for sharing this. I got one question for you, did you trace the soap message using fiddler and appears as the result I want? (with – Oscar Jara May 16 '12 at 14:57
it should be very similar, you should try it. – Yaron Naveh May 16 '12 at 16:33

score 0 · Accepted Answer · answered May 16 '12 at 02:33

0

The 3rd parameter of CreateHeader is an object. By default this object is serialized using the DataContractSerializer so if you create a data contract that models the header structure you can pass an instance as the 3rd parameter and it will create the header you want

answered May 16 '12 at 02:33

Richard Blewett

6,089
1
18
23

you mean something like this? http://weblogs.asp.net/paolopia/archive/2008/02/25/handling-custom-soap-headers-via-wcf-behaviors.aspx – Oscar Jara May 16 '12 at 04:08

score 0 · Answer 3 · edited May 23 '17 at 12:27

I had the same problem, though my service was https. And it should be a configuration matter, you shouldn't need to handle this manually.

Anyway, you don't have to use the MessageInspectors using BeforeSendRequest. You should try and change the config generated code adding some security configuration. WCF will then create what headers you need. Then in code add the credentials and you should be ok.

I imagine that the generated proxy is creating you a customBinding or basicHttpBinding. basicHttpBinding though not supporting the WS-Security specifications, so you should change this either to custom or wsHttpBinding. You can play with and find the correct configuration to gain the desired results.

What I added was "Sample config syntax":

<customBinding>
        <binding name="MessageServerBinding">
          <security defaultAlgorithmSuite="Default" authenticationMode="UserNameOverTransport"
            requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
            <secureConversationBootstrap />
          </security>
........
</binding>
</customBinding>

This is a sample configuration, e.g. you might not need to include a timestamp, or you could need a Nonce which if I remember correctly needs some more effore, not much though.

For check this discussion: WCF: Adding Nonce to UsernameToken

Hope this helps.

Do I need https using "UserNameOverTransport"? I suppose that yes but this WS is under http and it's not compliant. — Oscar Jara, May 16 '12 at 15:26

How to add custom soap headers or use username auth under http?

3 Answers3