
I've been trying to change the soap security element either using WCF or WSE.

  1. WCF: Implement a message inspector and add your custom code in BeforeSendRequest. Having set the following custom binding in the code-behind, I don't see a Security element in `ref System.ServiceModel.Channels.Message request`. There is an Envelope, Header and Body, but the Security element is missing from the Header.

    // namespaces used: System.ServiceModel, System.ServiceModel.Channels, System.ServiceModel.Security.Tokens
    AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
    X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
    x509ProtectionParameters.RequireDerivedKeys = false;
    x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
    x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
    x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
    // the token parameters only take effect once they are assigned to the binding element
    secBE.InitiatorTokenParameters = x509ProtectionParameters;


    This is what the `ref` variable `request` looks like:

    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
      <s:Header>
        <a:Action s:mustUnderstand="1" />
        <a:MessageID>urn:uuid:4e929e4c-882b-40dc-9794-e54b71c47148</a:MessageID>
        <a:ReplyTo>
          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9rzFi9T6thDniQ9lRMdE0sAAAAA1RxuI+tGxUi69I44BS9+QcTNP3q82D9HmHmB8kuqWioACQAA</VsDebuggerCausalityData>
      </s:Header>
      <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <getEligibility xmlns="http://org/emedny/mhs/">
          <input>
            <transData>...</transData>
          </input>
        </getEligibility>
      </s:Body>
    </s:Envelope>


    Although Fiddler shows an outgoing Security header, I am unable to get to the Security element in the BeforeSendRequest method.

  2. WSE: They recommend using a SOAP filter and overriding a few methods. I have all the tokens in the code-behind:

        ProxyGenerationWSDL.MHService MHs = new MHService();
        X509Certificate2 cert = GetCertificateFromStore("User");
        X509SecurityToken x5091 = new X509SecurityToken(cert);       // client (signing) certificate
        MHs.SetClientCredential(x5091);
        X509Certificate2 cert2 = GetCertificateFromStore("Server");
        X509SecurityToken x5092 = new X509SecurityToken(cert2);      // service (encryption) certificate
        MHs.SetServiceCredential(x5092);
        UsernameToken tkuser = new UsernameToken("User1", "Pwd", PasswordOption.SendPlainText);
        MHs.RequestSoapContext.Security.Tokens.Add(x5091);
        MHs.RequestSoapContext.Security.Tokens.Add(x5092);
        MHs.RequestSoapContext.Security.Tokens.Add(tkuser);
        // encrypt the body for the service certificate and sign with the client certificate;
        // the EncryptedData element has to be added to the Security elements, or it is never emitted
        Microsoft.Web.Services3.Security.EncryptedData data = new Microsoft.Web.Services3.Security.EncryptedData(x5092);
        MHs.RequestSoapContext.Security.Elements.Add(data);
        MHs.RequestSoapContext.Security.Elements.Add(new MessageSignature(x5091));


    Now I have created a custom policy and policy assertion, where I override the following:

    using System.Xml;
    using Microsoft.Web.Services3;

    public class ClientOutputFilter : SoapFilter
    {
        public ClientOutputFilter()
            : base()
        { }

        public override SoapFilterResult ProcessMessage(SoapEnvelope envelope)
        {
            // SoapEnvelope is itself an XmlDocument, so select and remove in place;
            // loading envelope.InnerXml into a second XmlDocument would only edit a detached copy.
            // XPath 1.0 (all that XmlDocument supports) has no "*:" wildcard prefix, so match on
            // local-name(); the WS-Security element is named wsu:Timestamp.
            string path = "/*[local-name()='Envelope']/*[local-name()='Header']"
                        + "/*[local-name()='Security']/*[local-name()='Timestamp']";
            XmlNode timestamp = envelope.SelectSingleNode(path);
            // then remove the timestamp element from the security header
            if (timestamp != null)
                timestamp.ParentNode.RemoveChild(timestamp);
            return SoapFilterResult.Continue;
        }
    }


    But even here the envelope has no Security element.

Please suggest. What methods are to be overridden in order to edit the security header?

Edited: the request which appears now:

    <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
    </o:BinarySecurityToken>
    <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
    </o:BinarySecurityToken>
      <o:Username>UserName</o:Username>
      <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
    </o:UsernameToken>

What needs to appear:

    <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
    </o:BinarySecurityToken>
    <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
    </o:BinarySecurityToken>
      <o:Username>UserName</o:Username>
      <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
      <o:Nonce>XXXX</o:Nonce>
      <o:Created>TTT</o:Created>
    </o:UsernameToken>

Edited to show the complete SOAP request, including the signing and encryption details:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/emedny/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(eMedNY signed user MLS cert).......</wsse:BinarySecurityToken>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( eMedNY MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
    <wsse:Username>....your_username.....</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
    <wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
    <wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
    </wsse:UsernameToken>
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
    <xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
    </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>wRUq.........</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>tBSsaZi........</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData>
    <xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
</soapenv:Body>
</soapenv:Envelope>

user575219

  • Do you have any idea about IClientMessageInspector, IDispatchMessageInspector and IEndpointBehavior? I have manipulated the SOAP message before sending with these. Check it, it might help you – Kamran Shahid Jun 22 '13 at 18:25
  • @Kamran Shahid: what about WSE? How do I remove the timestamp node from Security – user575219 Jun 22 '13 at 18:48

1 Answer

In WCF you need to use a custom message encoder. The inspector is called too early to change security. If you share more details on the exact change you want to make, maybe we can help with a better way.

John Saunders
Yaron Naveh

  • For WCF this is what I was looking at; it may not be the best way to handle it. I was considering adding a UsernameToken with nonce in BeforeSendRequest. I would be adding two X509s using MutualCertificate in a code-behind CustomBinding and then do some TransformMessage, hard-coding to the Security element, and insert a UsernameToken + nonce. For WSE, nonce is not a problem, but it adds an additional security Timestamp. So I was looking to remove this in a SoapFilter – user575219 Jun 22 '13 at 18:37
  • I really don't want to do custom credentials and implement all custom tokens. It seems too complicated. – user575219 Jun 22 '13 at 18:51
  • Maybe this token can be useful. It replaces the regular WCF username token and adds nonce capabilities. http://blogs.msdn.com/b/aszego/archive/2010/06/24/usernametoken-profile-vs-wcf.aspx – Yaron Naveh Jun 22 '13 at 19:19
  • Also, please publish the message you get now and how it should look after the change – Yaron Naveh Jun 22 '13 at 19:19
  • Please see edits. I have added how the request looks now and how it is supposed to look. – user575219 Jun 22 '13 at 20:28
  • In WCF your only options are a custom encoder or the custom token in the link from my previous comment. Note the first option is a custom encoder, not a custom token, so you just need to implement one method and copy & paste the rest of the code. In the second link they implemented all the tokens for you. – Yaron Naveh Jun 22 '13 at 20:43
  • OK, got it. What is the method to implement in the custom encoder? Also, one other thing: in my SOAP request only the body is encrypted and signed. Which of the methods suggested above would be flexible enough to add that additional coding? I believe WCF encrypts and signs everything by default. If you want to see the encrypted part, see edit – user575219 Jun 22 '13 at 20:56
  • WSE does this with very few lines of coding. But it generates a Timestamp element in the Security header (this is for WSE): `<wsu:Timestamp><wsu:Created>2013-06-22T20:18:18.794Z</wsu:Created><wsu:Expires>2013-06-22T20:23:18.794Z</wsu:Expires></wsu:Timestamp>`. The server rejects this element. – user575219 Jun 22 '13 at 21:04
  • Can you remove the timestamp in WSE, or is it signed? – Yaron Naveh Jun 22 '13 at 21:14
  • This is a sample for a message encoder: http://msdn.microsoft.com/en-us/library/ms751486.aspx – Yaron Naveh Jun 22 '13 at 21:18
  • You should not add code within the encoder to take care of signature/encryption. You need to configure the WCF binding directly – Yaron Naveh Jun 22 '13 at 21:18
  • Just out of interest, in WSE if I need to delete a Timestamp element from the Security header, where would I start? Start by making my own policy and policy assertions? What goes in these assertions? I can't use the built-in UsernameAssertion token and mutualassertion11, because by default these are added. Any suggestions? So all I am left with is a custom encoder in WCF. I will give it a try – user575219 Jun 22 '13 at 21:41
  • http://stackoverflow.com/questions/753327/remove-ws-addressing-ws-security-sections-from-wse-3-0-client-request – Yaron Naveh Jun 22 '13 at 21:48
  • Yes, I looked at that. But he does an envelope.Header.RemoveAll() in ProcessMessage. I just need to remove the timestamp – user575219 Jun 22 '13 at 21:58
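The custom-encoder route from the answer and its comments, as an added example that is not code from the question or the answer: a wrapper MessageEncoder (class and method names assumed) whose buffered WriteMessage re-parses the serialised request, where the wsse:Security header first becomes visible, and appends wsse:Nonce and wsu:Created to the UsernameToken as in the target request above. It assumes the UsernameToken is not covered by the Signature (true of the target request, whose Signature references only the Body) and that the inner encoder is the UTF-8 text encoder; the Timestamp that WCF emits and signs is better switched off at the source with `secBE.IncludeTimestamp = false` on the security binding element than stripped here.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.ServiceModel.Channels;
using System.Text;
using System.Xml;

// Hypothetical wrapper encoder. The MessageEncoderFactory and MessageEncodingBindingElement
// that plug it into the CustomBinding are the unchanged boilerplate from the MSDN sample.
public class SecurityRewritingEncoder : MessageEncoder
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    readonly MessageEncoder inner;   // the real text encoder that serialises the Message
    public SecurityRewritingEncoder(MessageEncoder inner) { this.inner = inner; }
    public override string ContentType { get { return inner.ContentType; } }
    public override string MediaType { get { return inner.MediaType; } }
    public override MessageVersion MessageVersion { get { return inner.MessageVersion; } }
    // Reading and streamed writing are passed through untouched.
    public override Message ReadMessage(ArraySegment<byte> b, BufferManager m, string ct) { return inner.ReadMessage(b, m, ct); }
    public override Message ReadMessage(Stream s, int maxHeaders, string ct) { return inner.ReadMessage(s, maxHeaders, ct); }
    public override void WriteMessage(Message msg, Stream s) { inner.WriteMessage(msg, s); }

    // Runs after the security channel has built wsse:Security, unlike the message inspector.
    public override ArraySegment<byte> WriteMessage(Message msg, int maxSize, BufferManager mgr, int offset)
    {
        ArraySegment<byte> raw = inner.WriteMessage(msg, maxSize, mgr, offset);
        var doc = new XmlDocument { PreserveWhitespace = true };   // keep signed content byte-for-byte
        doc.Load(new MemoryStream(raw.Array, raw.Offset, raw.Count));
        mgr.ReturnBuffer(raw.Array);
        AddNonceAndCreated(doc);
        byte[] bytes = Encoding.UTF8.GetBytes(doc.OuterXml);   // assumes the UTF-8 text encoder
        byte[] buf = mgr.TakeBuffer(bytes.Length + offset);
        Array.Copy(bytes, 0, buf, offset, bytes.Length);
        return new ArraySegment<byte>(buf, offset, bytes.Length);
    }

    // Appends wsse:Nonce and wsu:Created to the UsernameToken. Safe only because the target
    // request's Signature references the Body alone; editing a signed element here would break it.
    public static void AddNonceAndCreated(XmlDocument doc)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsse", Wsse); ns.AddNamespace("wsu", Wsu);
        XmlNode token = doc.SelectSingleNode("//wsse:Security/wsse:UsernameToken", ns);
        if (token == null || token.SelectSingleNode("wsse:Nonce", ns) != null) return;
        byte[] nonce = new byte[16]; RandomNumberGenerator.Create().GetBytes(nonce);   // fresh per request
        XmlElement n = doc.CreateElement("wsse", "Nonce", Wsse); n.InnerText = Convert.ToBase64String(nonce);
        XmlElement c = doc.CreateElement("wsu", "Created", Wsu); c.InnerText = DateTime.UtcNow.ToString("yyyy-MM-dd'T'HH:mm:ss'Z'");
        token.AppendChild(n); token.AppendChild(c);
    }
}
```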