
I'm developing an iOS app which will invoke a web service operation. The existing web service is configured with wsHttpBinding security set as TransportWithMessageCredential.

I've used wsdl2objc to generate the implementation files (from wsdl) and have set up a small app for testing purposes. I'm not able to get the app to talk to the web service correctly though, and from what I've read it seems virtually impossible with these web config settings (wsHttpBinding, Transport and Message security).

I've done quite a bit of research, and with the help of information found on this site (and others), I've managed to find out what SOAP requests should look like. I basically used WCF Test Client with Fiddler monitoring the traffic. I also tried soapUI, which wasn't as successful as I'd hoped.

I did set up a test web service locally and I can successfully consume it, but only when the web config has security using BasicHttpBinding or wsHttpBinding security mode = "none" (which I understand is just like basicHttpBinding).

My solution (I hope) is...what if I write a web service to call this web service? Both web services will reside on the server, but the one the iPhone will consume is configured with SSL. The idea is then to manually encrypt the operation (and necessary attributes) using an iOS security framework (HMAC) or other hashing algorithm, and have the SSL web service decrypt and then invoke the requested operation from the existing web service. Does this make sense? I'm thinking this seems too simple, that I must be missing something. Does anyone see any real problem with this?

Thanks.

Edit: I just wanted to clarify my situation a little: My app is not able to consume the existing web service as it is configured. My thought was to create a web service which will talk with this one. The new web service will simply decrypt the incoming data and invoke a method on the existing web service. Once a response is received, the new web service will encrypt the data and send it back to the iPhone app. Sorry if I'm not being clear.

Update

Here is the soap envelope (from Fiddler):

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

<s:Header>
    <a:Action s:mustUnderstand="1">http://tempuri.org/IService/ValidateMe</a:Action>
    <a:MessageID>urn:uuid:81d70393-5356-4e3a-b209-49ea53068935</a:MessageID>
    <a:ReplyTo>
        <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://mibe.stpa.com/WCFService/IVService.svc/ValidationService</a:To>
    <o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
        <u:Timestamp u:Id="_0">
            <u:Created>2013-02-10T04:48:18.646Z</u:Created>
            <u:Expires>2013-02-10T04:53:18.646Z</u:Expires>
        </u:Timestamp>
        <c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" u:Id="uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32">
            <c:Identifier>urn:uuid:06bd1d3e-97e5-41bc-afce-3993736f202d</c:Identifier>
        </c:SecurityContextToken>
        <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
                <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                <Reference URI="#_0">
                    <Transforms>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    </Transforms>
                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                    <DigestValue>/RpEprwYbnSypHXVF/rdxn3nkRo=</DigestValue>
                </Reference>
            </SignedInfo>
            <SignatureValue>ya8hHooO129dNOHplhY3xRndoDk=</SignatureValue>
            <KeyInfo>
                <o:SecurityTokenReference>
                    <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32"/>
                </o:SecurityTokenReference>
            </KeyInfo>
        </Signature>
    </o:Security>
</s:Header>
<s:Body>
    <ValidateMe xmlns="http://tempuri.org/">
        <memberId>950470173</memberId>
    </ValidateMe>
</s:Body>

</s:Envelope>

Valerie
  • Have you used the SoapBinding property logXMLInOut? I'd be curious what your SOAP request and response look like. – Rowan Freeman Feb 11 '13 at 05:31
  • Yes, I've been logging the xml. It doesn't come out looking like the above, which comes from Fiddler traffic with a successful web service call using WCF Test Client. I've modified the iPhone xml to look like the above, however I get an error 404 Not Found (I think this is the web service default return when an invalid request comes in). – Valerie Feb 11 '13 at 21:49
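
Added example, not part of the original question or its comments: a Python reading of the WS-Security header from the Fiddler capture above, reporting what the signature covers, which token keys it, and how long the timestamp is valid. It shows that the HMAC-SHA1 signature covers only `u:Timestamp`, that its key comes from the referenced security context token rather than from anything carried in the message, and that the timestamp lasts five minutes, so an envelope copied from a capture goes stale. The function names and the trimmed `SAMPLE` string are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
U_ID = "{%s}Id" % NS["u"]  # wsu:Id attribute in ElementTree's {namespace}name form

# Constructed sample: the Security header trimmed from the capture in the question.
SAMPLE = """<s:Envelope xmlns:s="{s}" xmlns:u="{u}"><s:Header><o:Security xmlns:o="{o}">
<u:Timestamp u:Id="_0"><u:Created>2013-02-10T04:48:18.646Z</u:Created>
<u:Expires>2013-02-10T04:53:18.646Z</u:Expires></u:Timestamp>
<c:SecurityContextToken xmlns:c="{c}" u:Id="uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32">
<c:Identifier>urn:uuid:06bd1d3e-97e5-41bc-afce-3993736f202d</c:Identifier></c:SecurityContextToken>
<Signature xmlns="{ds}"><SignedInfo>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0"/></SignedInfo><KeyInfo><o:SecurityTokenReference>
<o:Reference URI="#uuid-0191ec20-905d-4ef0-a818-3eced0e02ecf-32"/>
</o:SecurityTokenReference></KeyInfo></Signature>
</o:Security></s:Header><s:Body/></s:Envelope>""".format(**NS)

def parse_ts(text):
    """Parse the UTC timestamp format used in u:Created / u:Expires."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def inspect_ws_security(xml_text, now):
    """Summarise the Security header: signed parts, key source, timestamp freshness."""
    sec = ET.fromstring(xml_text).find("s:Header/o:Security", NS)
    by_id = {el.get(U_ID): el for el in sec.iter() if el.get(U_ID)}
    created = parse_ts(sec.findtext("u:Timestamp/u:Created", namespaces=NS))
    expires = parse_ts(sec.findtext("u:Timestamp/u:Expires", namespaces=NS))
    sig = sec.find("ds:Signature", NS)
    signed = [r.get("URI").lstrip("#") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    key_el = by_id[sig.find("ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS)
                   .get("URI").lstrip("#")]
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    return {
        "signature_method": method.split("#")[-1],
        "signed_elements": [by_id[i].tag.split("}")[-1] for i in signed],
        "key_source": key_el.tag.split("}")[-1],
        "context_id": key_el.findtext("c:Identifier", namespaces=NS),
        "lifetime_s": (expires - created).total_seconds(),
        "fresh": created <= now <= expires,
    }
```
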

0 Answers