SOAP intermediaries and message security

  • Question

  • Hello.

    I’m developing a SOAP intermediary service for a scenario where message security (using the WSHttpBinding) is used.

    I’ve used the following technique:

    1) The SOAP intermediary service (SIS) contract has only one operation, with a Message parameter and returns a Message. The current implementation simply forwards the message and the reply without any modifications.

    2) The SIS uses the WSHttpBinding WITHOUT security and has a service behavior with ValidateMustUnderstand set to false. This way, all the security related headers are ignored by the SIS. The SIS also communicates with the ultimate receiver using the WSHttpBinding WITHOUT security.

    3) The SIS endpoint dispatcher uses a MatchAllMessageFilter in order to process messages with the “To” header pointing to different addresses (the ultimate receivers' addresses).

     
    My questions are:

    1) The ultimate receiver is receiving a message identical to the one sent to the SIS with one difference. The message sent by the originator has a “To” header with an “Id” attribute and is included in the signature. The message sent by the intermediary also has a “To” header with the SAME address but WITHOUT any “Id” attribute. Due to this, the signature verification at the ultimate receiver fails. All the other headers are unmodified. I suspect that the modified “To” is being inserted automatically by the WCF runtime when I send the message. Is there any way to disable this behavior?

    2) Is this the correct methodology for constructing SOAP intermediaries? I’ve based my design on the “Router” sample of the SDK. However, this sample doesn’t use message security.

     
    I thank you in advance for any help.

    Pedro Felix

    Monday, August 28, 2006 4:50 PM
    Moderator
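
Why the verification in question 1 fails, as an added example that is not part of the original thread: a signature reference points at the signed header by its Id, so a re-created “To” header without the Id cannot be resolved even though the address is unchanged. The sample headers, the `_1` Id value, the receiver URL, SHA-256 and the standard-library C14N 2.0 (standing in for the exclusive canonicalization WS-Security uses) are assumptions; only reference digests are modelled, not the keyed signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ID_ATTR = f"{{{WSU}}}Id"

# Constructed sample: the header block as the originator signs it.
ORIGINAL = (f'<Header xmlns:a="{WSA}" xmlns:u="{WSU}">'
            '<a:To u:Id="_1">http://receiver.example/service</a:To></Header>')
# Constructed sample: same address, but "To" was re-created without the Id.
FORWARDED = (f'<Header xmlns:a="{WSA}" xmlns:u="{WSU}">'
             '<a:To>http://receiver.example/service</a:To></Header>')

def find_by_id(root, ref_id):
    """Resolve a '#id' style reference to the element carrying that Id."""
    for el in root.iter():
        if el.get(ID_ATTR) == ref_id:
            return el
    return None

def digest(el):
    """Canonicalize the element, then hash it (assumed: C14N 2.0 + SHA-256)."""
    c14n = ET.canonicalize(ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def sign_references(header_xml, ids):
    """Sender side: record one digest per referenced Id."""
    root = ET.fromstring(header_xml)
    return {i: digest(find_by_id(root, i)) for i in ids}

def verify_references(header_xml, refs):
    """Receiver side: every reference must resolve and match its digest."""
    root = ET.fromstring(header_xml)
    results = {}
    for ref_id, expected in refs.items():
        el = find_by_id(root, ref_id)
        if el is None:
            results[ref_id] = "unresolved reference"   # Id was dropped
        elif digest(el) != expected:
            results[ref_id] = "digest mismatch"        # content was changed
        else:
            results[ref_id] = "ok"
    return results

if __name__ == "__main__":
    refs = sign_references(ORIGINAL, ["_1"])
    print("originator copy :", verify_references(ORIGINAL, refs))
    print("forwarded copy  :", verify_references(FORWARDED, refs))
```
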

Answers

  • I have modified my code so that it uses message security that will be untouched by the router. 

    There seems to be some problem with my password on the sample site so I can just mail it to you if you want it.  Send mail to smason@microsoft.com and I'll reply with the code.

    Thanks!

    Scott

    Monday, September 11, 2006 10:04 PM

All replies

  • Please check this sample and see if it helps out:

     

    http://wcf.netfx3.com/files/folders/other_snippets/entry3790.aspx

    Thanks!

    Scott

     

    Monday, August 28, 2006 10:53 PM
  • Thanks for the reply.
    I've given a quick browse of the sample that you linked to.
    The techniques that you use are similar to the ones in the SDK sample and to the techniques that I'm also using. However, the sample doesn't use message security, so my main question remains: how to design a SOAP intermediary that will ignore and forward the security related headers without breaking the message signature.

    Thanks!

    Pedro Felix
    Monday, August 28, 2006 11:17 PM
    Moderator