4

I'm trying to convert this WSE3.0 code to WCF:

// we use Microsoft WSE 3.0 to insert the username token in the soap header.
// This strategy takes care of creating and inserting the Nonce and Created elements 
// for us, as well as creating a password digest based on Nonce, Created, and 
// the password itself.  Refer to the WS-Secutiry UsernameToken Profile 1.1
// specification at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.

Microsoft.Web.Services3.Security.Tokens.UsernameToken nametoken;
nametoken = new Microsoft.Web.Services3.Security.Tokens.UsernameToken(username, password, Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed);
Microsoft.Web.Services3.Design.Policy ClientPolicy = new Microsoft.Web.Services3.Design.Policy();

ClientPolicy.Assertions.Add(new UsernameOverTransportAssertion());
this._proxy.SetPolicy(ClientPolicy);
this._proxy.SetClientCredential<UsernameToken>(nametoken);

I have gotten pretty close except for sending the password in digest mode (Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed in the above code`):

TransportSecurityBindingElement transportBindingElement =
    SecurityBindingElement.CreateUserNameOverTransportBindingElement();
transportBindingElement.AllowInsecureTransport = true;
transportBindingElement.EnableUnsecuredResponse = true;
transportBindingElement.IncludeTimestamp = true;
var binding = new CustomBinding(new BindingElement[] { //
    transportBindingElement, //
    new TextMessageEncodingBindingElement() {
        MessageVersion = MessageVersion.Soap11
    }, //
    new HttpTransportBindingElement() {
        AuthenticationScheme = AuthenticationSchemes.Digest,
    }, //
});

The above still sends the password in plain text (unhashed). I found this link to somebody trying to convert similar code with somebody stating that it was not possible to set up WCF to do this without writing a custom token serializer.

Is this statement accurate?

If it is, what do I need to do to create and use this custom serializer?

It looks like this link might be a good starting place when combined with the PDF from the site linked in the comments that gives the following formula Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) but if anybody has a better explanation of exactly what I need to derive from and how to get WCF to use my new serializer I'd love to hear it.

Redwood
  • 66,744
  • 41
  • 126
  • 187
  • 1
    There is an excellent article on this at [Codeproject](http://www.codeproject.com/KB/WCF/DigestAuthWCFRest.aspx) – Gert Arnold Aug 05 '11 at 19:03
  • Looks like a useful article, thanks. I've only skimmed it thus far but will definitely be using it as a reference in getting things working. – Redwood Aug 05 '11 at 19:48

1 Answers1

5

You found my question :)

This is very interesting problem. MS was often blamed that they produce insecure systems and APIs and because of that some engineers in MS became incorporating some ideas about what is secure and what is not to new APIs. UserNameToken profile with digested password is exactly result of this effort. It is considered as not secure enough and because of that it is completely omitted from WCF. Well, it should not be a problem if WCF would not be an API for interoperability with other platforms and frameworks where UserNameToken profile with digested password is very popular.

Yes we did custom token serializer when we solved the problem. It is not only about token serializer. You actually have to implement quite lot of classes to make it work. I will not share our implementation because it wasn't my code but you can try this one.

Ladislav Mrnka
  • 360,892
  • 59
  • 660
  • 670
  • Thanks for both the comments and the link to one implementation. I haven't had a chance to try the code out yet, but when I do I will certainly report back. +1 until then with hopefully more to come. – Redwood Aug 05 '11 at 19:45
  • Code from the implementation you linked to worked great. For future readers the sample client in the code has all the information on setting up your binding and swapping out the client credentials. I did find one or two odd behaviors in the sample code though, so make sure you read it over. For example UsernameToken.GetPasswordDigestAsBase64() overwrites any `nonce` you configured in the constructor instead of using the supplied value (fix this is required to allow unit testing to make sure the expected digest is returned for known inputs). – Redwood Aug 05 '11 at 21:18
  • The original link is broken. Try this https://learn.microsoft.com/it-it/archive/blogs/aszego/usernametoken-profile-vs-wcf – Ottavio Campana Feb 14 '20 at 13:25