Geek Answers Handbook

Problems with WCF and SOAP WS-Security Name PlainText (without SSL)

We need to use the SOAP 1.1 web service developed using Java from a C # / Net 4.0 application. We do not have access to service programming or to the server on which it is located. The service is provided over a non-SSL connection and requires WS-Security, Username / PasswordText.

Using SoapUI (http://soapui.org/), we can use the web service simply by creating a project, pointing it to WSDL and setting up a simple WS-Security Username / PasswordText configuration.

The problem is that we cannot use the web service using WCF. After some research, we found information that makes us think that the problem may be incompatibility between SOAP 1.1, WS-Security, and wsHttpBinding. The C # code used is as follows:

//The WSService.ServiceClient class is generated by the Service Reference var client = new WSService.ServiceClient(); client.ClientCredentials.UserName.UserName = "Username"; client.ClientCredentials.UserName.Password = "Password"; var response = client.MethodToBeConsumed();

The generated binding is as follows:

  <binding name="GeneratedBinding" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="None"> <transport clientCredentialType="None" proxyCredentialType="None" realm="" /> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding>

The binding created by the Service Reference is the base HTTPBinding. We understand that we need to use wsHttpBinding for WS-Security (SOAP 1.2), but since serivice uses SOAP 1.1, the two do not seem to be compatible.

The correct request message should be (generated by SOAPUI):

 POST http://server:port/Service HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Authorization: Basic ENCRYPTEDPASSWORD User-Agent: Jakarta Commons-HttpClient/3.1 Host: server:port Content-Length: 324 <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:service.version.details"> <soapenv:Header/> <soapenv:Body> <urn:methodName> <arg0>1</arg0> <arg1>1</arg1> </urn:method> </soapenv:Body> </soapenv:Envelope>

Is there a way to achieve this with WCF? Can this be solved with customBinding? Is our only choice available for manually processing headers / messages and analyzing responses? Do I need to attack a web service developer to use WS-Security with SOAP 1.1 over a non-SSL connection?

+3
source share
2 answers

The final solution was to insert the authorization header into the requests, as described in the following message:

http://social.msdn.microsoft.com/Forums/is/wcf/thread/4f8ab001-dafa-4347-bc41-95255ecc9230

This did not require changes to the generated client or bindings.

+3
source

See if this helps you (using WSHttpBinding, but is told to make requests compatible with SOAP 1.1):

Does WCF support WS-Security using SOAP 1.1?

0
source

More articles:


All Articles