WCF sign Soap Body ONLY

  • Question

  • I'm trying to implement a SOAP client in C#, using WCF. The reference file was generated using the WSDL provided by a third-party Java service.

    It requires the client to sign the SOAP message using an X509 v3 certificate, but to sign only the Body, not the header.

    Now when I use "CertificateOverTransport", the Timestamp gets signed and the security check fails at the server.

    <security defaultAlgorithmSuite="Basic256Sha256Rsa15"
              enableUnsecuredResponse="true"
              authenticationMode="CertificateOverTransport"
              messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
      <secureConversationBootstrap />
    </security>

    When I use "MutualCertificate", both the header and the body get signed and the server rejects the message with a security failure.

    <security defaultAlgorithmSuite="Basic256Sha256Rsa15"
              enableUnsecuredResponse="true"
              authenticationMode="MutualCertificate"
              messageProtectionOrder="SignBeforeEncrypt"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
      <secureConversationBootstrap />
    </security>

    The question is: is it possible to configure WCF to sign only the body, and if so, how? Any help or pointers would be much appreciated.

    Tuesday, October 22, 2013 8:51 PM

Answers

  • If you can obtain and alter the XML of your request before sending, then you can use our SecureBlackbox to sign SOAP message (SecureBlackbox contains components to sign and verify both SOAP requests and SOAP responses).

    Sincerely yours, Eugene Mayevski

    Wednesday, October 23, 2013 11:22 AM
  • Thanks Eugene. Unfortunately, we couldn't use third-party libraries in the project I'm working on. I got it working with the help of some posts from "Yaron".
    • Marked as answer by Cp2013 Tuesday, October 29, 2013 6:09 PM
    Tuesday, October 29, 2013 6:09 PM
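
To check which parts a given binding actually signed (the Timestamp and header cases described in the question), the following script lists the elements covered by the signature's ds:Reference URIs in a captured request. It is an added example, not part of the original thread: the function names are hypothetical, the envelopes are constructed samples with digest and signature values omitted, and it reports what the signature claims to cover without verifying it.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
WSU = OASIS + "utility-1.0.xsd"
WSSE = OASIS + "secext-1.0.xsd"

def signed_parts(envelope_xml):
    """Return local names of the elements the signature references."""
    # Intended for messages captured from your own client; for untrusted
    # XML use a hardened parser such as defusedxml.
    root = ET.fromstring(envelope_xml)
    # Index elements by wsu:Id (WS-Security) or plain Id (XML-DSig).
    by_id = {}
    for el in root.iter():
        ident = el.get("{%s}Id" % WSU) or el.get("Id")
        if ident:
            by_id[ident] = el
    parts = []
    for ref in root.iterfind(".//{%s}SignedInfo/{%s}Reference" % (DS, DS)):
        uri = ref.get("URI", "")
        if uri == "":
            parts.append("whole-document")      # enveloped-style reference
        elif uri.startswith("#") and uri[1:] in by_id:
            parts.append(by_id[uri[1:]].tag.split("}")[-1])
        else:
            parts.append("unresolved:" + uri)   # dangling or external URI
    return parts

def body_only(envelope_xml):
    """True when the only signed part is the SOAP Body."""
    return signed_parts(envelope_xml) == ["Body"]

def sample(refs):
    """Constructed SOAP 1.1 envelope with one ds:Reference per URI in refs."""
    ref_xml = "".join('<ds:Reference URI="%s"/>' % r for r in refs)
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:ds="%s" xmlns:u="%s" xmlns:o="%s"><s:Header><o:Security>'
        '<u:Timestamp u:Id="_0"/>'
        '<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo></ds:Signature>'
        '</o:Security></s:Header><s:Body u:Id="_1"/></s:Envelope>'
        % (DS, WSU, WSSE, ref_xml))

if __name__ == "__main__":
    for label, refs in [("timestamp+body", ["#_0", "#_1"]), ("body", ["#_1"])]:
        msg = sample(refs)
        print(label, signed_parts(msg), body_only(msg))
```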
