
I have a WCF web service that is using WSHttpBinding. The security is TransportWithMessageCredential. I have a client connecting to me that is sending a SOAP message with the To element in the header unsigned. My service doesn't like this and is throwing System.ServiceModel.Security.MessageSecurityException with the message "The message received over Transport security has unsigned 'To' header". I haven't been able to find the signing of the element specified specifically in the WS-Security spec, but I have seen it recommended to prevent redirect attacks.

So does anyone know if there is any way for me to configure my web service not to check for the To element to be signed? Also the other side of the issue but I cannot change how this client is connecting to me.

Ian
  • Why are you using WsHttpBinding if you have clients not satisfying needs of your binding? – Ladislav Mrnka May 22 '11 at 15:21
  • I chose WsHttpBinding because the specs for connection called for SOAP 1.2, WS-Addressing 1.0, WS-I Security 1.1, and TLS 1.0, and I thought this was the best option. – Ian May 22 '11 at 15:52

1 Answer


We've had the same issue, and contacted Microsoft support about it. They released a hotfix for this. See the KB article at

https://support.microsoft.com/en-us/kb/2974335

Kiran Mothe
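
To confirm from a captured request which SOAP headers the client's signature actually covers (the condition behind the exception quoted in the question), the following added example, which is not part of the original posts, maps each header to whether a `ds:Reference` in the `wsse:Security` signature points at its `wsu:Id`. The sample envelope and the function name are constructed for illustration, and the script checks reference coverage only, not signature validity.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Constructed sample: the signature references the Timestamp and Action, but not To.
# Digest and signature values are omitted because only coverage is inspected.
SAMPLE = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:ds="{NS['ds']}"
    xmlns:wsse="{NS['wsse']}" xmlns:wsu="{WSU}"
    xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action wsu:Id="_act">urn:example:Operation</a:Action>
    <a:To>https://service.example/svc</a:To>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="_ts"><wsu:Created>2011-05-22T15:00:00Z</wsu:Created></wsu:Timestamp>
      <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#_ts"/>
        <ds:Reference URI="#_act"/>
      </ds:SignedInfo></ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

def signed_header_report(envelope_xml):
    """Return {header local name: True if a signature Reference targets its wsu:Id}."""
    header = ET.fromstring(envelope_xml).find("s:Header", NS)
    if header is None:
        return {}
    # Collect the fragment ids ("#id") referenced by any signature in wsse:Security.
    signed_ids = set()
    for ref in header.iterfind("wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            signed_ids.add(uri[1:])
    report = {}
    for el in header:
        if el.tag == f"{{{NS['wsse']}}}Security":
            continue  # the security header carries the signature itself
        # A header with no wsu:Id cannot be the target of a same-document reference.
        report[el.tag.rsplit("}", 1)[-1]] = el.get(f"{{{WSU}}}Id") in signed_ids
    return report

if __name__ == "__main__":
    print(signed_header_report(SAMPLE))
```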