WCF: Message Security with UsernameToken / Password over HTTP not supported?


  • Hello,

    I have a question regarding the use of Webservice Security according to "WSS SOAP Message Security 1.0" (OASIS 2004)
    with a WCF Client developed with VS2008 / .NET 3.5.

    We would like to use basic WSS with UsernameTokenProfile (Username and plain or hashed password) over http (i.e. without SSL).
    Since the webservice is used in an VPN environment, no extra security (like SSL) is required.

    Is it correct that WCF / .NET 3.5 does not support this profile used with http?
    That would mean that WCF does not fully support OASIS WSS standard.

    With WSE 3.0 there was no problem.

    I searched the forum but could not find a clear answer.
    Some people say "WCF does not allow you to send UserName tokens using regular unsecured http (basicHttpBinding)" others state
    "WCF does not require https to be used in order to use message security".

    If there is no problem with it, I would like to find a client code example.
    Please note that the webservice is implemented on JEE (Oracle AS).

    thanks for any help.


    Wednesday, January 21, 2009 12:14 PM

All replies