
I'm trying to call a Java-based, WS-Security enabled web service over HTTPS using a WCF client and can't seem to get the security configuration right. Using SvcTraceViewer, I don't see the expected security header with any of the security configurations I have tried.

My most recent security configuration is:

    <wsHttpBinding>
        <binding name="MySoapBinding" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8"
            useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
            <security mode="TransportWithMessageCredential">
                <transport/>
                <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false"/>
            </security>
        </binding>
    </wsHttpBinding>

and I set the username/password in code like this:

    svc.ClientCredentials.UserName.UserName = TestBase.userName;
    svc.ClientCredentials.UserName.Password = TestBase.password;

The Java web service expects a security header like this:

    <wsse:Security soap:mustUnderstand="1">
        <wsu:Timestamp wsu:Id="Timestamp-bf41c571-7d32-438c-937e-7d83a3ac2d14">
            <wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
            <wsu:Expires>2010-12-27T16:48:16Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-4c9b30b1-d697-4c64-89cb-a6d7e857aebf">
            <wsse:Username>MyUserName</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
            <wsse:Nonce>pzLdD4S+OCDG6Ut9Ur1oOQ==</wsse:Nonce>
            <wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
        </wsse:UsernameToken>
    </wsse:Security>

I see no Security header at all.

I have read quite a bit online about transport vs. message level security and security modes, but can't seem to find the right set of options. How should I configure my binding for

  • https communication
  • Username/password in the SOAP header, in plain text (WS-Security)
  • Timestamp required
  • Nonce required

Eric J.

  • How do you check if the header is included? WCF supports the user name token profile over a secured transport channel, but it supports only a plain text password, which doesn't need additional elements. So I'm a little bit afraid that it does not send the nonce and created elements. – Ladislav Mrnka Dec 28 '10 at 11:33
  • @Ladislav: I'm using SvcTraceViewer to view the local trace log (and enabled message logging in my app.config) – Eric J. Dec 28 '10 at 17:18

1 Answer


Turns out Rick Strahl had almost exactly the same issue. It turns out that SvcTraceViewer does not show the actual on-the-wire message. However, his blog outlines a procedure to proxy through Charles (or in my case Fiddler 2, which is free) to see the actual message.

It turns out that I'm sending a Timestamp element as required by the web service I'm calling, but if I do, WCF demands a Timestamp in the response (which I'm not getting). The error message is quite misleading. Fortunately I can have the service changed to return a Timestamp.

http://www.west-wind.com/weblog/posts/205198.aspx

Eric J.
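
As an added example (not part of the original question or answer): a Python check to run on a message captured on the wire with Fiddler or Charles, reporting which elements of the expected header from the question are missing and whether a response carries a Timestamp. The function names and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
NS = {"wsse": WSSE, "wsu": WSU}

def audit_security_header(envelope_xml, expect_username_token=True):
    """Return findings for one captured SOAP message; an empty list means complete."""
    sec = ET.fromstring(envelope_xml).find(".//wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    findings = []
    ts = sec.find("wsu:Timestamp", NS)
    if ts is None:
        findings.append("no wsu:Timestamp")
    else:
        findings += [f"Timestamp has no wsu:{n}" for n in ("Created", "Expires")
                     if ts.find(f"wsu:{n}", NS) is None]
    if not expect_username_token:  # a response carries no client credentials
        return findings
    tok = sec.find("wsse:UsernameToken", NS)
    if tok is None:
        return findings + ["no wsse:UsernameToken"]
    pw = tok.find("wsse:Password", NS)
    if pw is None:
        findings.append("no wsse:Password")
    elif pw.get("Type") != PASSWORD_TEXT:
        findings.append("Password Type is not PasswordText")
    if tok.find("wsse:Nonce", NS) is None:
        findings.append("no wsse:Nonce")
    if tok.find("wsu:Created", NS) is None:
        findings.append("UsernameToken has no wsu:Created")
    return findings

def envelope(header_xml):  # wraps a header fragment in a SOAP 1.2 envelope
    return (f'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<s:Header>{header_xml}</s:Header><s:Body/></s:Envelope>')

# Constructed captures: a request lacking Nonce/Created, a response lacking Timestamp.
TIMESTAMP = ("<wsu:Timestamp><wsu:Created>2010-12-27T16:43:16Z</wsu:Created>"
             "<wsu:Expires>2010-12-27T16:48:16Z</wsu:Expires></wsu:Timestamp>")
REQUEST = envelope(f"<wsse:Security>{TIMESTAMP}<wsse:UsernameToken>"
                   "<wsse:Username>MyUserName</wsse:Username>"
                   f'<wsse:Password Type="{PASSWORD_TEXT}">MyPassword</wsse:Password>'
                   "</wsse:UsernameToken></wsse:Security>")
RESPONSE = envelope("<wsse:Security/>")
print(audit_security_header(REQUEST))
print(audit_security_header(RESPONSE, expect_username_token=False))
```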