empty security header gives exception, is there a way around it?

    Question

  • Hello.

    When I use a WCF client using basicHttpBinding with Username authentication over SSL, the reply message from the Oracle application server doesn't have an Action tag. I get the exception saying it's missing the security header. However, the transaction itself is complete because when I look at the SOAP message, it sends the username and password with the necessary parameters (which are simply two integers) and I get the reply with the value (the sum of the two integers). However, since it doesn't have something like http://tempuri.org/ICalculator/AddResponse or something like that, it gives an exception. Is there any way to get rid of this exception? Why do I get this exception?

    Any suggestion would be greatly appreciated. Thank you.

    Thursday, March 15, 2007 8:08 AM

Answers

  • By using a customBinding with UserNameOverTransport instead of basicHttpBinding.

    You can remove the timestamp with the property includeTimestamp set to false.

    In the security tag you can specify the message version (messageSecurityVersion property).

    See http://msdn2.microsoft.com/en-us/library/ms731314.aspx for valid values.

    The textMessageEncoding node specifies the addressing version.

    See http://msdn2.microsoft.com/en-us/library/ms731787.aspx for valid values.

    Once this is done you then set the client endpoint to use binding="customBinding" bindingConfiguration="yourcustombindingname".

    This combined with the correct versions of WS-Security and addressing will fix the problem.
    Thursday, April 12, 2007 7:15 PM
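
The client configuration this answer describes, written out as an added example (not part of the original post). The binding name `OracleUserNameOverTransport` is hypothetical, and the `messageSecurityVersion` and `messageVersion` values are assumptions chosen to match the SOAP 1.1 / WS-Security 1.0 envelopes in the trace posted in the thread; the endpoint address, contract and endpoint name are copied from the poster's config.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <!-- "OracleUserNameOverTransport" is a hypothetical binding name -->
        <binding name="OracleUserNameOverTransport">
          <!-- UsernameToken in the WS-Security header, sent over HTTPS.
               includeTimestamp="false" turns off the security timestamp,
               as the answer describes. The messageSecurityVersion value is
               an assumption; pick the one matching the server's WS-Security. -->
          <security authenticationMode="UserNameOverTransport"
                    includeTimestamp="false"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" />
          <!-- Assumed: SOAP 1.1 with no WS-Addressing headers, matching the
               reply in the posted trace -->
          <textMessageEncoding messageVersion="Soap11" />
          <!-- HTTPS transport is required: the password travels in the SOAP header -->
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="https://nakaoka-pc.o.sysrdc.ns-sol.co.jp:4443/DotNetProvider-Provider-context-root/BasicHttpBinding_ICalculatorPort"
                binding="customBinding"
                bindingConfiguration="OracleUserNameOverTransport"
                contract="UsernamePasswordOracleServiceWCFClient3_13.ICalculator"
                name="BasicHttpBinding_ICalculatorPort" />
    </client>
  </system.serviceModel>
</configuration>
```

With the timestamp turned off, the freshness check on the timestamp mentioned in the thread is no longer performed, so protection of the credentials and the message rests on the HTTPS transport.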

All replies

  • Hi,

       The exception you are seeing is due to the reply message not having a Security header in the response. The client is configured to do mixed mode security and hence your client binding has a Security Binding Element in the processing pipeline. We expect the response to contain a security header with just the timestamp for freshness verification. We have done interop with IBM stacks before. Can you check the settings on the IBM stack to see if it is configured correctly?

    Thanks,

    Govind

    Thursday, March 15, 2007 3:50 PM
    Moderator
  • Thanks for the reply, Govind.
    The server I'm using right now is not IBM, but Oracle application server.
    Do you know anything about this too?

    I thought what was missing was like the action URI. But is what I need just the timestamp rather than the action URI?
    Thanks for your time.
    Thursday, March 15, 2007 11:49 PM
  • The failure you are seeing is because the response message does not contain a security header. You can enable message logging on the client side to verify that this is true. When security is enabled on the client we will expect a security header to come back in the response as well. I haven't worked with Oracle application server directly. So I don't know how you can configure this.

    Thanks,

    Govind

    Friday, March 16, 2007 7:30 PM
    Moderator
  • Hi, Govind
    I have been checking the SOAP message using message logging.
    I'm pretty sure the reply message contains the security header.
    I list the SOAP message below. I get the fault message that soap header is empty.
    Does it help to identify exactly what I really need in the response message?

    P.S. I list the outgoing message from WCF client below too.

    <MessageLogTraceRecord>
    <HttpResponse xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
    <StatusCode>OK</StatusCode>
    <StatusDescription>OK</StatusDescription>
    <WebHeaders>
    <Connection>Keep-Alive</Connection>
    <Keep-Alive>timeout=15, max=100</Keep-Alive>
    <SOAPAction>""</SOAPAction>
    <Content-Length>615</Content-Length>
    <Content-Type>text/xml; charset=utf-8</Content-Type>
    <Date>Wed, 14 Mar 2007 01:21:36 GMT</Date>
    <Server>Oracle Containers for J2EE</Server>
    </WebHeaders>
    </HttpResponse>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns0="http://tempuri.org/">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" env:mustUnderstand="1"></wsse:Security>
    </env:Header>
    <env:Body>
    <ns0:AddResponseElement>
    <ns0:result>7.0</ns0:result>
    </ns0:AddResponseElement>
    </env:Body>
    </env:Envelope>
    </MessageLogTraceRecord>

    <MessageLogTraceRecord>
    <Addressing xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">
    <Action>http://tempuri.org//Add</Action>
    <To>https://nakaoka-pc.o.sysrdc.ns-sol.co.jp:4443/DotNetProvider-Provider-context-root/BasicHttpBinding_ICalculatorPort</To>
    </Addressing>
    <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <u:Timestamp u:Id="_0">
    <u:Created>2007-03-14T01:21:31.615Z</u:Created>
    <u:Expires>2007-03-14T01:26:31.615Z</u:Expires>
    </u:Timestamp>
    <o:UsernameToken u:Id="uuid-23b704b9-a287-42a4-b09d-076064a87dee-1">
    <o:Username>
    <!-- Removed -->
    </o:Username>
    <o:Password>
    <!-- Removed -->
    </o:Password>
    </o:UsernameToken>
    </o:Security>
    </s:Header>
    <s:Body>
    <AddElement xmlns="http://tempuri.org/">
    <n1>2</n1>
    <n2>5</n2>
    </AddElement>
    </s:Body>
    </s:Envelope>

    Thanks!!!
    Monday, March 19, 2007 12:43 AM
  • This question is very technical. But is there anything in the specification that says that when using the Username Token Profile, you have to include a security header with a timestamp in it? Actually, was there anything at all about the response message in either the SOAP Message Security profile or the Username Token Profile?

    My second question is, is there any way to ignore this exception on WCF client when the SOAP message is returned?

    I really hope someone can get me an answer. Thanks.
                       
    Tuesday, March 20, 2007 6:08 AM
  • Hi,

       In the message that you have posted there are a number of issues I can see:

    1. The message is missing all addressing headers. You can set up WCF to accept such a message. So check your bindings for that.

    2. The security header is empty. In a normal scenario the security header will have at least the timestamp. Check the namespace of the security header element in the message you are sending and what is being received. There might be some namespace mismatch.

    When you have a UsernameOverTransport security binding element setup, the response WCF expects is to have a timestamp at the least. You can turn off timestamp validation and replay detection on WCF side. You cannot ignore this exception on WCF side.

    Can you post your binding information and service config?

    Thanks,

    Govind

     

    Saturday, March 24, 2007 11:03 PM
    Moderator
  • Hi, Govind
    First of all, I'd like to thank you for all the replies and answers to my questions.
    Regarding the previous response from you, in part 1, you talked about setting up WCF to accept a message that's missing all addressing headers. In part 2, you said we can turn off what WCF expects, namely a timestamp. How can I do that? If you can direct me to any material, I'm willing to read them and implement.
    Just below is the binding and configuration you requested. Thanks again.


    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <system.serviceModel>
            <bindings>
                <basicHttpBinding>
                    <binding name="BasicHttpBinding_ICalculator" closeTimeout="00:01:00"
                        openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                        allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                        maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                        messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                        useDefaultWebProxy="true">
                        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                        <security mode="TransportWithMessageCredential">
                            <transport clientCredentialType="None" proxyCredentialType="None"
                                realm="" />
                            <message clientCredentialType="UserName" algorithmSuite="Default" />
                        </security>
                    </binding>
                </basicHttpBinding>
            </bindings>
            <client>
                <endpoint address="https://nakaoka-pc.o.sysrdc.ns-sol.co.jp:4443/DotNetProvider-Provider-context-root/BasicHttpBinding_ICalculatorPort"
                    binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_ICalculator"
                    contract="UsernamePasswordOracleServiceWCFClient3_13.ICalculator"
                    name="BasicHttpBinding_ICalculatorPort" />
            </client>
        </system.serviceModel>
    </configuration>
    Thursday, March 29, 2007 12:16 AM