4

My client has some SAP service, which I need to call. I have pre-generated proxy classes, everything works fine (when security is disabled on their side), now I need to enable their security policy. They gave me this as "specification":

  • SOAP 1.1
  • SSL
  • WS-Security signature only, encryption optional...

http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0.pdf

SAP statement for their service:

Message Format for XML Signature

SOAP messages must include the following data:

a) BinarySecurityToken with ValueType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" and EncodingType "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

b) Timestamp element

c) Signature signing Timestamp and Body, referencing the BinarySecurityToken using a direct reference.

d) Digest algorithm is http://www.w3.org/2000/09/xmldsig#sha1

e) Signature algorithm is http://www.w3.org/2000/09/xmldsig#rsa-sha1

Is this enough information for me to get this working? I am not an expert in WCF security, so I would be very happy for any help and useful resources.

halfer
rouen

2 Answers

3

Sounds like you need to utilise WCF Message Inspectors that can intercept messages you send and receive and apply custom SOAP headers.

Check the below links for some guidance on how to implement them:

  1. MSDN - IDispatchMessageInspector - to modify messages sent
  2. MSDN - IClientMessageInspector - to intercept and read messages you receive
  3. Paolo Pialorsi Blog - Writing a WCF Message Inspector
  4. Kirk Evans Blog - Modify Message Content With WCF
  5. Steven Cheng Article - How to inspect and modify WCF message via custom MessageInspector

Hope this helps.

Tanner
  • you just successfully scared the shit out of me man :) i am gonna take a look at it, thanks ;) – rouen Nov 09 '12 at 14:21
  • Ha ha... Post back if you have any further questions, I implemented some of these a while back and know it can be fiddly to set up. – Tanner Nov 09 '12 at 14:26
  • @Tanner Hey dude, separate question. Sorry for reviving an old thread. My WSDL includes a timestamp, but it also needs to sign it. How can I sign my Timestamp manually? (It's part of the Security header (WS-Security)) I have a question on SO about this: https://stackoverflow.com/questions/50876441/how-to-specify-that-the-timestamp-thats-part-of-ws-security-needs-to-be-signed – S. ten Brinke Jun 17 '18 at 09:41
0

I think you should ask about the SOAP envelope that the other side is waiting for. And then maybe use a CustomBinding or implement the Message Inspector interfaces.

Max Kilovatiy
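As an added example (not part of the original posts, and not SAP's or WCF's own code): a Python check that compares a captured outgoing envelope, such as one logged from a message inspector, against requirements a) to e) from the question. It checks structure only and does not verify the signature; the name `check_envelope` and the sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": WSS + "wssecurity-secext-1.0.xsd", "wsu": WSS + "wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]  # qualified name of the wsu:Id attribute
X509V3 = WSS + "x509-token-profile-1.0#X509v3"
BASE64 = WSS + "soap-message-security-1.0#Base64Binary"

def check_envelope(xml_text):
    """Return the requirements a)-e) from the question that the envelope does not meet."""
    root = ET.fromstring(xml_text)
    sec = root.find("s:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    problems = []
    bst = sec.find("wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
        problems.append("a: BinarySecurityToken ValueType/EncodingType")
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        problems.append("b: Timestamp missing")
    signed = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    for name, el in (("Timestamp", ts), ("Body", root.find("s:Body", NS))):
        if el is None or "#" + str(el.get(WSU_ID)) not in signed:
            problems.append("c: %s not signed" % name)
    ref = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
    if bst is None or ref is None or ref.get("URI") != "#" + str(bst.get(WSU_ID)):
        problems.append("c: no direct reference to BinarySecurityToken")
    digests = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    if not digests or any(d.get("Algorithm") != NS["ds"] + "sha1" for d in digests):
        problems.append("d: digest algorithm")
    sm = sec.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sm is None or sm.get("Algorithm") != NS["ds"] + "rsa-sha1":
        problems.append("e: signature algorithm")
    return problems

# Constructed sample: structure only; token, digest and signature values are omitted.
SAMPLE = """<s:Envelope xmlns:s="{s}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
<s:Header><wsse:Security>
<wsse:BinarySecurityToken wsu:Id="tok" ValueType="{v}" EncodingType="{e}">PLACEHOLDER</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="ts"><wsu:Created>2012-11-09T14:00:00Z</wsu:Created></wsu:Timestamp>
<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{ds}rsa-sha1"/>
<ds:Reference URI="#ts"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference>
<ds:Reference URI="#body"><ds:DigestMethod Algorithm="{ds}sha1"/></ds:Reference></ds:SignedInfo>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#tok"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature></wsse:Security></s:Header><s:Body wsu:Id="body"/></s:Envelope>""".format(v=X509V3, e=BASE64, **NS)
if __name__ == "__main__":
    print(check_envelope(SAMPLE))
```

An empty list means the envelope has the shape the service asked for; each entry otherwise names the lettered requirement that is not met.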