Geek Answers Handbook

How to get WCF to send password in digest mode when using UserNameOverTransport binding? (Convert WSE3.0 code to WCF)

I am trying to convert this WSE3.0 code to WCF:

// we use Microsoft WSE 3.0 to insert the username token in the soap header. // This strategy takes care of creating and inserting the Nonce and Created elements // for us, as well as creating a password digest based on Nonce, Created, and // the password itself. Refer to the WS-Secutiry UsernameToken Profile 1.1 // specification at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss. Microsoft.Web.Services3.Security.Tokens.UsernameToken nametoken; nametoken = new Microsoft.Web.Services3.Security.Tokens.UsernameToken(username, password, Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed); Microsoft.Web.Services3.Design.Policy ClientPolicy = new Microsoft.Web.Services3.Design.Policy(); ClientPolicy.Assertions.Add(new UsernameOverTransportAssertion()); this._proxy.SetPolicy(ClientPolicy); this._proxy.SetClientCredential<UsernameToken>(nametoken);

I got pretty close, except for sending the password in digest mode ( Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed in the above code):

 TransportSecurityBindingElement transportBindingElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement(); transportBindingElement.AllowInsecureTransport = true; transportBindingElement.EnableUnsecuredResponse = true; transportBindingElement.IncludeTimestamp = true; var binding = new CustomBinding(new BindingElement[] { // transportBindingElement, // new TextMessageEncodingBindingElement() { MessageVersion = MessageVersion.Soap11 }, // new HttpTransportBindingElement() { AuthenticationScheme = AuthenticationSchemes.Digest, }, // });

The above information still sends the password in plain text (unhashed). I found a link for someone trying to convert similar code with someone, stating that they could not configure WCF for this without creating a custom token to the serializer.

Is this statement accurate?

If so, what do I need to do to create and use this custom serializer?

It seems that the link can be a good starting place in combination with the PDF from the site linked in the comments, in which the following formula is given Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) , but if someone has a better explanation for that what I need to get, and how to get WCF to use my new serializer, I would love to listen to it.

+4
source share
1 answer

You found my question :)

This is a very interesting problem. MS was often accused of producing unsafe systems and APIs, and because of this, some engineers at MS began to incorporate some ideas about what is secure and what is not a new API. A UserNameToken profile with a digested password is the result of this. It is considered insufficiently protected, and because of this, it is completely excluded from the WCF. Well, this should not be a problem if WCF does not have an API for interacting with other platforms and frameworks, where a UserNameToken profile with a digested password is very popular.

Yes, we decided to use the traditional serializer when we solved the problem. This is not just about marker serializer. You really need to implement quite a few classes to make it work. I will not use our implementation because this is not my code, but you can try this one .

+4
source

More articles:


All Articles