QuestionProtection level settings ignored on faults

  • Sunday, November 01, 2009 10:36 PM — spyhunter73
     
    I have a protection level behavior that overrides the default settings and sets the protection level to only sign messages. This works correctly under normal operating conditions; however, if the service throws an exception, or the service authorization manager does, the response is always encrypted.

    Why? Am I missing something?

All Replies

  • Friday, November 06, 2009 7:44 AM — Riquel_Dong (Moderator)
     
    Hi Alex,

    Please give us your service configuration so that we can see how you set up the protection level in this situation. Please have a look at Understanding Protection Level for some notable usages:
    http://msdn.microsoft.com/en-us/library/aa347692.aspx

    Also have a look at this article about how to define typed fault type and specify protection level for fault exception:
    http://msdn.microsoft.com/en-us/library/aa347791.aspx

    ' Sample contract: EncryptAndSign is declared for the Add operation and,
    ' via the FaultContractAttribute, for the MathFault fault as well, so the
    ' fault reply's protection level is set explicitly rather than left implicit.
    Public Interface ICalculator
        ' Set the ProtectionLevel on a FaultContractAttribute.
        <OperationContract(ProtectionLevel := ProtectionLevel.EncryptAndSign), _
         FaultContract(GetType(MathFault), ProtectionLevel := ProtectionLevel.EncryptAndSign)>  _
        Function Add(ByVal a As Double, ByVal b As Double) As Double
    End Interface
    Best regards,
    Riquel
  • Saturday, November 07, 2009 2:06 AM — spyhunter73
     
    I'm basically overriding (or at least attempting to override) the protection level using an endpoint behavior.

    The protection level set on the service's contract interface is Sign, as seen below:

    /// <summary>
    /// Service contract for the hello-world sample. ProtectionLevel.Sign on the
    /// contract requests signing only (no encryption) for the contract's messages.
    /// NOTE(review): no FaultContract is declared here, so the protection level
    /// applied to fault replies is not fixed by this snippet - confirm against
    /// the WCF protection-level documentation.
    /// </summary>
    [ServiceContract(ProtectionLevel=ProtectionLevel.Sign)]
        public interface IHelloWorldService
        {
            
            /// <summary>The contract's only operation: takes a name, returns a string.</summary>
            [OperationContract]
            string HelloWorld(string name);

        }





    Code for the behavior:

     public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
            {

                var proReq =
                    bindingParameters.Remove<ChannelProtectionRequirements>();

                proReq = new ChannelProtectionRequirements();

                MessagePartSpecification unProtectedSpec = new MessagePartSpecification();
                MessagePartSpecification protectedSpec = new MessagePartSpecification(true);
                switch (level)
                {
                    case ProtectionLevel.None:
                        proReq.OutgoingSignatureParts.AddParts(unProtectedSpec, "*");
                        proReq.IncomingSignatureParts.AddParts(unProtectedSpec, "*");

                        proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
                        proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
                        break;
                    case ProtectionLevel.Sign:
                        proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
                        proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");

                        proReq.OutgoingEncryptionParts.AddParts(unProtectedSpec, "*");
                        proReq.IncomingEncryptionParts.AddParts(unProtectedSpec, "*");
                        break;
                    case ProtectionLevel.EncryptAndSign:
                        proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
                        proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");

                        proReq.OutgoingEncryptionParts.AddParts(protectedSpec, "*");
                        proReq.IncomingEncryptionParts.AddParts(protectedSpec, "*");
                        break;
                }
             
                
                proReq.OutgoingSignatureParts.AddParts(protectedSpec, "*");
                
                proReq.IncomingSignatureParts.AddParts(protectedSpec, "*");
                
                bindingParameters.Add(proReq);
            }



    The binding portion of the web.config:
         <customBinding>
            <!-- this represents the binding to the STS SAML Issuer    -->
            <binding name="MutalCertificateBinding">
              <security authenticationMode="MutualCertificate" requireSecurityContextCancellation="false" requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" requireDerivedKeys="true">
              </security>
              <httpTransport/>
            </binding>

            <!-- This represents the hello world service we are providing -->
            <binding name="ServiceBinding">
              <security authenticationMode="IssuedTokenForCertificate"  allowSerializedSigningTokenOnReply="true"
                         includeTimestamp="true" requireDerivedKeys="false" securityHeaderLayout="Lax"
                        messageProtectionOrder="SignBeforeEncrypt"  requireSignatureConfirmation="false" 
                         keyEntropyMode="CombinedEntropy" 
                        >
                <issuedTokenParameters  tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                  <!-- only trust tokens from this issuer-->
                  <issuer   address="http://localhost:81/SecureTokenService-Client/Service.svc" bindingConfiguration="MutalCertificateBinding" binding="customBinding">
                    <identity  >
                      <dns value="WCFQuickstartServer"/>
                    </identity> 
                  </issuer>
                </issuedTokenParameters>
              </security>
              <security authenticationMode="MutualCertificate" allowSerializedSigningTokenOnReply="true"
                         includeTimestamp="true" requireDerivedKeys="false" securityHeaderLayout="Lax"
                         messageProtectionOrder="SignBeforeEncrypt">
                
              </security>
              <httpTransport/>