
The basicHttp binding works great for a Java client with no problem. If I turn on message security, would it cause trouble for the Java client?

Since basicHttp is SOAP 1.1, if message security is turned on, will it use WS-Security to support certificate-based authentication?

TOMMY WANG

1 Answer


It would be preferable to use a custom binding if you want to use certificate-based authentication while using SOAP 1.1 (also considering interoperability, like Java-based clients or Oracle services). AuthenticationMode would change based on your needs.

For example, the binding below shows mutual certificate authentication on both server and client side + transport security (https).

  <customBinding>
    <binding name="customSSLMutualCertificate" sendTimeout="00:05:00" receiveTimeout="00:05:00">
      <customTextMessageEncoding messageVersion="Soap11"/>
      <security defaultAlgorithmSuite="Basic256Rsa15" authenticationMode="MutualCertificate"
          requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="false"
          keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
          requireSignatureConfirmation="false" enableUnsecuredResponse="true">
        <localClientSettings cacheCookies="true" detectReplays="false"
            replayCacheSize="900000" maxClockSkew="00:05:00"
            maxCookieCachingTime="Infinite"
            replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
            sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
            timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
        <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
            maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
            negotiationTimeout="00:01:00" replayWindow="00:05:00"
            inactivityTimeout="00:02:00"
            sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
            reconnectTransportOnFailure="true" maxPendingSessions="128"
            maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
        <secureConversationBootstrap />
      </security>
      <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                   maxReceivedMessageSize="65536" allowCookies="false"
                   authenticationScheme="Anonymous"
                   bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                   keepAliveEnabled="true" maxBufferSize="65536"
                   proxyAuthenticationScheme="Anonymous"
                   realm="" transferMode="Buffered"
                   unsafeConnectionNtlmAuthentication="false"
                   useDefaultWebProxy="true"  requireClientCertificate="false"/>
    </binding>
  </customBinding>

Also refer to "Does WCF support WS-Security with SOAP 1.1?" for other options.

Community
dera
  • Thanks, I know the option is there. I've tested it, and it is working with a .NET client. The question is, does it work for Java as easily as the regular basicHttp binding? – TOMMY WANG Apr 28 '14 at 12:55
  • @TOMMYWANG - As I pointed out, stick to Custom Binding for certificate-based authentication where interoperability is a concern. And the above custom binding configuration does work with Java-based services and clients. – dera Apr 29 '14 at 03:19
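
The binding in the answer relaxes several message-security settings, and a reviewer adopting it would want them listed before deployment. The following is an added example, not code from the answer or from WCF: a small Python audit of a `customBinding` section, where `audit_binding`, `RULES` and the trimmed `SAMPLE` (constructed from the attributes shown above) are hypothetical names introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the security-relevant attributes of the binding above.
SAMPLE = """<customBinding>
  <binding name="customSSLMutualCertificate">
    <security defaultAlgorithmSuite="Basic256Rsa15" authenticationMode="MutualCertificate"
        includeTimestamp="false" enableUnsecuredResponse="true">
      <localClientSettings detectReplays="false" />
      <localServiceSettings detectReplays="true" />
    </security>
    <httpsTransport requireClientCertificate="false" />
  </binding>
</customBinding>"""

# (element, attribute, test on the lower-cased value, reason to review it)
RULES = [
    ("security", "includeTimestamp", lambda v: v == "false",
     "no timestamp in the security header, so message freshness is not checked"),
    ("security", "enableUnsecuredResponse", lambda v: v == "true",
     "responses without a security header are accepted"),
    ("security", "defaultAlgorithmSuite", lambda v: v.endswith("rsa15"),
     "key wrap uses RSA PKCS#1 v1.5 rather than RSA-OAEP"),
    ("localClientSettings", "detectReplays", lambda v: v == "false",
     "client does not detect replayed responses"),
    ("localServiceSettings", "detectReplays", lambda v: v == "false",
     "service does not detect replayed requests"),
    ("httpsTransport", "requireClientCertificate", lambda v: v == "false",
     "TLS does not request a client certificate; client identity rests on the message signature"),
]

def audit_binding(xml_text):
    """Return (binding, element, attribute, value, reason) for each relaxed setting."""
    findings = []
    for binding in ET.fromstring(xml_text).iter("binding"):
        name = binding.get("name", "<unnamed>")
        for element, attr, relaxed, reason in RULES:
            for node in binding.iter(element):
                value = node.get(attr)
                if value is not None and relaxed(value.strip().lower()):
                    findings.append((name, element, attr, value, reason))
    return findings

if __name__ == "__main__":
    for name, element, attr, value, reason in audit_binding(SAMPLE):
        print(f'{name}: <{element} {attr}="{value}"> -> {reason}')
```

Each finding is a prompt to confirm with the Java side whether the stricter value interoperates, not proof of a flaw.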