Custom security header and namespace prefix control

  • Question

  •  

    Hi!

     

    Perhaps some of you can help me with one of these questions:

     

    1)

    For a client I'm creating a WCF client. Due to interoperability requirements there is a custom soap spec defined which I have to follow.
    The soap wanted looks a lot like the basichttpbinding generated soap: the differences are that they want WS-addressing 1.0 support. So I'm using a custom binding with a textEncodingBindingElement set to Soap11WSAddressing10 and a httpTransportBindingElement as the transport channel.

    But here is the problem: in the soap spec defined, there is a custom security header which does comply to the ws-security 1.0 standards but cannot be generated using system-defined security channels (at least, not that I am aware of).

    It contains the following : A UsernameToken with a Username (and ONLY a username!)

    A Signature2 which contains SignedInfo element in which is defined the CanonicalizationMethod, the SignatureMethod and Reference to the Username element (in the UsernameToken element) to be signed. This Reference element further contains the DigestMethod (sha256) and DigestValue.

    The Signature2 element further defines the SignatureValue (to compare the username to) and a KeyInfo element which describes the certificate used to crypt the digest.

     

    Does anyone have tips how to create this header? Should I create a custom MessageHeader? Or is it possible to derive from an existing security binding?

     

    2)
    How can I define prefix - namespace pairs? Serialized messageheaders get a defaultNameSpace... This is not what I want. I want a namespace-prefix pair defined in the envelope, and the prefix later on used in the soap header elements. Who knows how to do this?

     

    Hope to get some good feedback!

    Kind Regards,
    RJ

    Thursday, October 11, 2007 2:21 PM

Answers

  • I've sent you an email with some background info, the WSDL, XSD's and a sample request.

    Hope to receive a reply soon!

     

    Might we find a constructive securitybinding solution for this particular problem (instead of using a messageinspector which adds a custom message header), I'll post it here!

     

    Thank you

     

    Thursday, October 18, 2007 8:47 AM

All replies

  • To handle the special prefix, namespace pairs part of your question, please see this post that I just put up: http://blogs.catalystss.com/blogs/scott_seely/archive/2007/10/16/232.aspx.

     

    I think you'll want to add a SecurityBinding to the mix and specify that the entire thing uses UsernamePassword authentication.

     

    I'm not positive that you aren't actually using the equivalent of a WSHttpBinding with message security-- signing only. Are you sure this must be as customized as you state?

    Tuesday, October 16, 2007 7:53 PM
  •  

    Thanks for your reply Scott! Your weblog posting gives a nice approach of custom defining your namespaces-prefixes. I think I can use this.

     

    About the security header:

    What I'm sure of, is that the resulting soap header must be the same as defined in the operability specifications. The service endpoint will be a http listener on top of MQseries and is Java based. This is why I have to comply to some interoperability standards like SOAP 1.1, WS-Addressing 1.0.


    I don't know if the resulting header is the equivalent of WSHttpBinding with message security -- signing only.

    Please help me out: if using message security over a non-secure transport, isn't it obliged (by WCF) that the message is encrypted? Is it possible to add a securitybinding with message security -- signing only, used over a non-secure transport?

     

    Further, I must use SOAP 1.1 (the java service side talks soap 1.1); and WSHttpBinding relies on SOAP 1.2, so I can't use that binding.

     

    Right now I've constructed this solution:

    I've created serializable classes which represent exactly the security header. I use a MessageInspector which adds a custom MessageHeader. This message header has the overridden method OnWriteHeaderContents which adds the custom parts (UsernameToken and Signature2 elements) of the security header to the custom message header.

    I had real trouble getting the message header correctly serialized. I had to use an XmlSerializer to add the parts to the message header, because by default, WCF will use the DataContractSerializer which does not support the use of XML attributes.

     

    I'd really prefer using a security bindingelement so, if you have advice how to accomplish this after reading the above constraints, please let me know!

     

    Wednesday, October 17, 2007 6:05 AM
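
One way to build the header described in the post above, as an added example that is not part of the original thread and not the poster's code: a custom MessageHeader that fixes the `wsse` prefix and signs only the Username element with SignedXml. It assumes .NET Framework 4.6.2 or later, exclusive C14N, RSA-SHA256, a standard ds:Signature element with the certificate in KeyInfo, and the hypothetical names `SignedUsernameHeader`, `WsuSignedXml` and Id value `user-1`.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.ServiceModel.Channels;
using System.Xml;

// SignedXml resolves only unqualified Id attributes; this adds wsu:Id lookup.
class WsuSignedXml : SignedXml
{
    public WsuSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument doc, string id)
    {
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("wsu", SignedUsernameHeader.Wsu);
        // id is the constant set below, never caller-supplied text
        return (XmlElement)doc.SelectSingleNode("//*[@wsu:Id='" + id + "']", ns);
    }
}

class SignedUsernameHeader : MessageHeader
{
    public const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    public const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    readonly string user; readonly X509Certificate2 cert;
    public SignedUsernameHeader(string user, X509Certificate2 cert) { this.user = user; this.cert = cert; }
    public override string Name { get { return "Security"; } }
    public override string Namespace { get { return Wsse; } }
    protected override void OnWriteStartHeader(XmlDictionaryWriter w, MessageVersion v)
    {
        w.WriteStartElement("wsse", Name, Namespace); // fixed prefix instead of a default namespace
        WriteHeaderAttributes(w, v);
    }
    protected override void OnWriteHeaderContents(XmlDictionaryWriter w, MessageVersion v)
    {
        // Build and sign in a scratch document, then copy the children into the open header.
        var doc = new XmlDocument { PreserveWhitespace = true };
        var sec = (XmlElement)doc.AppendChild(doc.CreateElement("wsse", "Security", Wsse));
        var token = (XmlElement)sec.AppendChild(doc.CreateElement("wsse", "UsernameToken", Wsse));
        var name = (XmlElement)token.AppendChild(doc.CreateElement("wsse", "Username", Wsse));
        name.Attributes.Append(doc.CreateAttribute("wsu", "Id", Wsu)).Value = "user-1";
        name.InnerText = user;
        var sx = new WsuSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var r = new Reference("#user-1") { DigestMethod = SignedXml.XmlDsigSHA256Url };
        r.AddTransform(new XmlDsigExcC14NTransform()); // keeps the digest valid inside the envelope
        sx.AddReference(r);
        sx.KeyInfo = new KeyInfo();
        sx.KeyInfo.AddClause(new KeyInfoX509Data(cert)); // public certificate only
        sx.ComputeSignature();
        sec.AppendChild(doc.ImportNode(sx.GetXml(), true));
        foreach (XmlNode child in sec.ChildNodes) child.WriteTo(w);
    }
}
```

The header can be attached from `IClientMessageInspector.BeforeSendRequest` with `request.Headers.Add(new SignedUsernameHeader(user, cert))`. The signature covers only the Username element, so it does not protect the body or any other header.
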
  • Can you point to a valid WSDL doc or at least to the technology stack on the other side so that I can approximate it in my own environment? Version numbers of various components will be very important.

    Wednesday, October 17, 2007 9:09 PM
  • Scott - Can you please update your blog link? I am running into a similar issue and wanted to see your blog post.
    Wednesday, January 25, 2012 3:09 PM