4

I am trying to connect to a third party SOAP 1.1 service that requires SSL security and username/password credentials. An example of what is expected is:

<soapenv:Header>
    <wsse:Security>
        <wsse:UsernameToken>
            <wsse:Username>username</wsse:Username>
            <wsse:Password>password</wsse:Password>
        </wsse:UsernameToken>
    </wsse:Security>
</soapenv:Header>

My client configuration is as follows:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="thirdpartyservicebindingconfig">
                <security mode="TransportWithMessageCredential">
                    <message clientCredentialType="UserName"
                             algorithmSuite="Default" />
                </security>
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
        <endpoint address="https://..." 
                  binding="basicHttpBinding"
                  bindingConfiguration="thirdpartyservicebindingconfig"
                  contract="thirdpartyservicecontract" 
                  name="thirdpartyserviceendpoint" />
    </client>
</system.serviceModel>

Service client code is:

var client = new thirdpartyservicecontractclient();

client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "password";

var result = client.DoSomething();

I'm getting the following fault exception message:

Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security..

EDIT:
If I reconfigure security mode to "Transport":
<security mode="TransportWithMessageCredential">
I get an error from the third party service:

com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]: No Security Header found; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Message does not conform to configured policy [ AuthenticationTokenPolicy(S) ]: No Security Header found.

How can I configure my client to connect to this service?

  • WS Security using plain text passwords over SSL
Paul Fleming
  • 24,238
  • 8
  • 76
  • 113
  • I don't have the answer I'm afraid, but think you're on the right lines with TransportWithMessageCredential (i.e. the user / pass is in the SOAP header, then the entire thing is passed over an encrypted SSL connection), and basicHttpBinding which I believe is SOAP 1.1 – Kris C Aug 19 '12 at 16:32
  • Are the 3rd party able to share a working client config with you? Or is the 3rd party a non-WCF implementation that you're now using WCF to connect to? – Kris C Aug 19 '12 at 16:33
  • @KrisC. The 3rd party service in build in Java. – Paul Fleming Aug 19 '12 at 16:42
  • Does this help at all? http://stackoverflow.com/questions/9913662/issues-with-wcf-and-soap-ws-security-plaintext-username-no-ssl – Kris C Aug 19 '12 at 16:45
  • 1
    @Kris - I'm afraid it doesn't. I've spent all day researching this and I've found the [solution](http://www.west-wind.com/weblog/posts/2007/Dec/09/Tracing-WCF-Messages). Thanks for your input. – Paul Fleming Aug 19 '12 at 16:49
  • I'm likely to have to configure something fairly similar in the not too distant future. Thanks for sharing the solution! – Kris C Aug 19 '12 at 16:59

1 Answers1

5

It just so happens Rick Strahl had the same problem. Here's the link to his blog post describing and solving the problem.

Issue:

The issue is that WCF expects a TimeStamp Soap header in the response. If you look at the outbound response and the Soap headers you'll see that there's a timestamp there. The timestamp is expected to be returned on the return Soap response. Note that this is not a requirement of WS-Security so WCF is doing something 'special' here that is in effect breaking this service call.

Solution:

BindingElementCollection elements = client.Endpoint.Binding.CreateBindingElements();
elements.Find<SecurityBindingElement>().IncludeTimestamp = false;
client.Endpoint.Binding = new CustomBinding(elements);

The above code modifies the Binding configuration by explicitly removing the Timestamp from the outbound call which removes the requirement for the server to return it. And this makes WCF happy and the call goes through.

Paul Fleming
  • 24,238
  • 8
  • 76
  • 113