How to sign response manually in WCF with certificate

  • Question

  • Could anyone point me in the right direction on how to manually sign the message body in WCF using a certificate?

    I'm thinking: implement IDispatchMessageInspector to intercept the message before reply is sent, sign it, craft the security header, add it to the message, and send it out. The problem is, I can't find an easy way to craft the security header. What looks like a simple task for WSE (How to: Sign a SOAP Message Using an X.509 Certificate) seems to be a very complicated task in WCF.

    I couldn't find anything useful, and hope that someone has tackled this problem by now.

    BACKGROUND:

    I'm working on a WCF service that needs to accept an unsecured request (from a Java client) and return a signed response.

    Now, I got the other way around to work (accept signed request and send unsigned response) using custom binding with enableUnsecuredResponse="true".

    Looking at the source code that attribute doesn't seem to help because it's used in combination with ActAsInitiator property, which is false in my case (for service side).

    In MessageSecurityProtocol:

    protected bool RequiresIncomingSecurityProcessing(Message message)
    {
        // if we are receiving a response that has no security that we should accept this AND no security header exists
        // then it is OK to skip the header.
        if (this.factory.ActAsInitiator
          && this.factory.SecurityBindingElement.EnableUnsecuredResponse
          && !this.factory.StandardsManager.SecurityVersion.DoesMessageContainSecurityHeader(message))
            return false;

        bool requiresAppSecurity = this.factory.RequireIntegrity || this.factory.RequireConfidentiality || this.factory.DetectReplays;
        return requiresAppSecurity || factory.ExpectSupportingTokens;
    }

    Thanks,

    Vlad


    Best regards, Vladimir

    Saturday, October 3, 2015 11:50 PM

Answers

  • Hi guys,

    sorry for the delay in reply, been too busy.

    Thanks for the suggestions, but I couldn't find a way to easily/elegantly solve the problem in WCF.
    I ended up manually signing and crafting the response in IDispatchMessageInspector, following this thread from stackoverflow.


    Best regards, Vladimir


    Sunday, November 29, 2015 5:12 AM
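As an added example (not code from this thread, and not the StackOverflow solution Vladimir refers to), here is one way to implement the approach he outlines in the question and settles on in the accepted answer: an IDispatchMessageInspector that, in BeforeSendReply, loads the outgoing envelope into a DOM, gives the Body a wsu:Id, signs it with the service certificate, builds a wsse:Security header with a BinarySecurityToken plus the ds:Signature, and hands WCF a new Message. The type names ResponseSigningInspector and WsuSignedXml and the "Body-1"/"X509-1" ids are my assumptions; the namespace URIs are the standard OASIS WS-Security 1.0 ones. It assumes .NET Framework 4.6.2 or later (for RSA-SHA256 in SignedXml and GetRSAPrivateKey()).

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.Xml;

// Added example, not code from the thread. Type names and the "Body-1"/"X509-1" ids are
// assumptions; the namespace URIs are the standard OASIS WS-Security 1.0 ones.
public sealed class ResponseSigningInspector : IDispatchMessageInspector
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    const string Base64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    readonly X509Certificate2 cert;   // service certificate with an RSA private key

    public ResponseSigningInspector(X509Certificate2 signingCert) { cert = signingCert; }

    // The Java client sends an unsecured request, so there is nothing to verify on the way in.
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx) => null;

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        MessageVersion version = reply.Version;
        string soapNs = version.Envelope.Namespace;

        // 1. Materialise the outgoing envelope as a DOM (a Message can only be written once).
        //    PreserveWhitespace matters: re-indenting the Body after signing would break the digest.
        var doc = new XmlDocument { PreserveWhitespace = true };
        using (MessageBuffer buffer = reply.CreateBufferedCopy(int.MaxValue))
        using (var ms = new MemoryStream())
        {
            using (XmlDictionaryWriter w = XmlDictionaryWriter.CreateTextWriter(ms, System.Text.Encoding.UTF8, false))
                buffer.CreateMessage().WriteMessage(w);
            ms.Position = 0;
            doc.Load(ms);
        }
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("s", soapNs);
        XmlElement envelope = doc.DocumentElement;
        var body = (XmlElement)envelope.SelectSingleNode("s:Body", nsm);

        // 2. Label the Body with a wsu:Id so the signature Reference can point at it.
        const string bodyId = "Body-1";
        AddWsuId(body, bodyId);

        // 3. Build <wsse:Security> carrying the certificate as a BinarySecurityToken. No mustUnderstand
        //    is set, so a client that does not process WS-Security headers will not fault on it.
        var header = envelope.SelectSingleNode("s:Header", nsm) as XmlElement
                     ?? (XmlElement)envelope.PrependChild(doc.CreateElement(envelope.Prefix, "Header", soapNs));
        XmlElement security = doc.CreateElement("wsse", "Security", Wsse);
        header.PrependChild(security);
        const string tokenId = "X509-1";
        XmlElement bst = doc.CreateElement("wsse", "BinarySecurityToken", Wsse);
        bst.SetAttribute("EncodingType", Base64);
        bst.SetAttribute("ValueType", X509v3);
        AddWsuId(bst, tokenId);
        bst.InnerText = Convert.ToBase64String(cert.RawData);   // DER certificate, base64-encoded
        security.AppendChild(bst);

        // 4. Sign the Body (exclusive C14N, RSA-SHA256); KeyInfo points at the token by its wsu:Id.
        var signedXml = new WsuSignedXml(doc) { SigningKey = cert.GetRSAPrivateKey() };
        signedXml.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference("#" + bodyId) { DigestMethod = SignedXml.XmlDsigSHA256Url };
        reference.AddTransform(new XmlDsigExcC14NTransform());
        signedXml.AddReference(reference);
        XmlElement str = doc.CreateElement("wsse", "SecurityTokenReference", Wsse);
        XmlElement tokenRef = doc.CreateElement("wsse", "Reference", Wsse);
        tokenRef.SetAttribute("URI", "#" + tokenId);
        tokenRef.SetAttribute("ValueType", X509v3);
        str.AppendChild(tokenRef);
        signedXml.KeyInfo.AddClause(new KeyInfoNode(str));
        signedXml.ComputeSignature();
        security.AppendChild(doc.ImportNode(signedXml.GetXml(), true));

        // 5. Hand WCF a fresh Message built from the signed DOM, keeping the transport properties.
        var signedStream = new MemoryStream();
        doc.Save(signedStream);   // XmlDocument emits the xmlns:wsu / xmlns:wsse declarations here
        signedStream.Position = 0;
        Message signed = Message.CreateMessage(XmlReader.Create(signedStream), int.MaxValue, version);
        signed.Properties.CopyProperties(reply.Properties);
        reply = signed;
    }

    static void AddWsuId(XmlElement element, string id)
    {
        XmlAttribute attr = element.OwnerDocument.CreateAttribute("wsu", "Id", Wsu);
        attr.Value = id;
        element.Attributes.Append(attr);
    }

    // SignedXml resolves "#id" only against unqualified Id/id/ID attributes; without this override
    // a wsu:Id reference fails with "Malformed reference element". idValue is one of our own constants.
    sealed class WsuSignedXml : SignedXml
    {
        public WsuSignedXml(XmlDocument doc) : base(doc) { }
        public override XmlElement GetIdElement(XmlDocument document, string idValue)
        {
            XmlElement found = base.GetIdElement(document, idValue);
            if (found != null) return found;
            var nsm = new XmlNamespaceManager(document.NameTable);
            nsm.AddNamespace("wsu", Wsu);
            return document.SelectSingleNode("//*[@wsu:Id='" + idValue + "']", nsm) as XmlElement;
        }
    }
}
```

Attach the inspector from an IEndpointBehavior's ApplyDispatchBehavior with endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new ResponseSigningInspector(cert)), on an endpoint that has no WCF message security at all (the basicHttpBinding the question implies), so WCF itself neither expects a security header on the request nor adds one to the reply. Exclusive C14N is deliberate: WCF may move namespace declarations when it re-serializes the envelope, and exc-c14n is insensitive to that, whereas inclusive C14N would make the digest depend on it. Two things a reviewer of the consuming side should insist on: the client must validate that the BinarySecurityToken chains to a trusted (ideally pinned) CA before trusting the signature, and it must check that the signed Reference actually resolves to the Body rather than merely that "a signature verifies", otherwise a response with a valid signature over some other element would pass.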

All replies

  • Hi,

    According to your description, it seems that your WCF service is using basicHttpBinding instead of wsHttpBinding. Please change that.

    Please refer to the setting about Message Security with a Certificate Client:

    https://msdn.microsoft.com/en-us/library/ms733098(v=vs.110).aspx

    #WCF message security and client certificate authentication with self-signed certificates

    http://robbincremers.me/2011/12/29/wcf-message-security-and-client-certificate-authentication-with-self-signed-certificates/



    Monday, October 5, 2015 3:20 AM
  • Hi Pengzhen,

    Thank you for your reply.

    The problem I'm facing, and the reason why I chose to go down the path of manually signing the response, is that the client is sending unsecured request.

    The client doesn't want to sign the request due to performance implications, and the service must sign the response. So I can't use client authentication with certificate.

    I couldn't find a way to configure WCF to allow unsecured request and secured (signed) response.

    The only other option at this point is signing the response manually.

    Thanks
    Vlad


    Best regards, Vladimir

    Monday, October 5, 2015 8:34 PM
  • Hi,

    We can set message security with none clientCredentialType:

    <wsHttpBinding>
      <binding name="WSHttpBinding_ICalculator">
        <security mode="Message">
          <message clientCredentialType="None" />
        </security>
      </binding>
    </wsHttpBinding>

    For more information, please refer to the document:

    https://msdn.microsoft.com/en-us/library/ms733938(v=vs.110).aspx



    Monday, October 19, 2015 7:54 AM
  • Hi,

    thanks again for the response.

    I'm not quite sure you understand my requirement.

    Client is Java client, and I have no control over that. The client will not sign the message at all.
    Setting the clientCredentialType to None as described above just means that client is not authenticated.

    WCF still expects the message (request) to be secured as stated with security mode="Message".
    With the above settings the message will be secured using established shared security context.
    I need to accept a request without security header, and return signed response.

    I will post a simplified solution to illustrate the problem.


    Best regards, Vladimir

    Monday, October 19, 2015 8:48 AM
  • Hi Vladimir.Ilic,

    Is it possible to share us the simplified solution you mentioned in the last post?

    It may help us to understand your questions.

    Thanks,

    Friday, October 23, 2015 9:18 AM
    Moderator