
I am trying to communicate with a Java web service that I have no control over, and I'm trying to create a binding that'll work.

  1. Timestamp is not allowed in the header, so in order to use the includeTimestamp="false" attribute, I have to use a <customBinding>.
  2. They are using MTOM, so I have to use the <mtomMessageEncoding> element.

Here is my <bindings> element:

<bindings>
  <customBinding >
    <binding name="MyBindingName" >
      <mtomMessageEncoding  />
      <transactionFlow />
      <security authenticationMode="UserNameOverTransport"
                includeTimestamp="false">            
      </security>
    </binding>
  </customBinding>
</bindings>

The SOAP web service requires that the message header be in the following format:

 <soap:Envelope ... >
  <soap:Header ... >
    <wsse:UsernameToken>
      <wsse:Username>doo</wsse:Username>
      <wsse:Password Type="wsse:PasswordText">fuss</wsse:Password>
    </...>
  </...>
 </...>

The closest I have come is:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
            xmlns:a="http://www.w3.org/2005/08/addressing" 
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1"></a:Action>
    <a:MessageID>urn:uuid:a368e205-a14d-4955-bf75-049cdd3a78c0</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://blablabla</a:To>
    <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <o:UsernameToken u:Id="uuid-0f1e399b-31a8-4e00-a57f-277c21e94879-1">
      <o:Username><!-- Removed--></o:Username>
      <o:Password><!-- Removed--></o:Password>
    </o:UsernameToken>
   </o:Security>
 </s:Header>

I am sure I'm missing something trivial and stupid here, but for the life of me I can't figure out what it might be.

John Saunders
Scott Baker
  • What happens when you use "Add Service Reference"? – John Saunders Oct 10 '11 at 23:55
  • @JohnSaunders - I did use the "Add Service Reference", but the WSDL doesn't contain any ws-security information. – Scott Baker Oct 11 '11 at 15:27
  • Amazing the number of organizations who don't get that the WSDL is meant to describe the service. Is there any explanation for this? Like, maybe the security is implemented by something outside of the service? – John Saunders Oct 11 '11 at 15:28

1 Answer

You must also configure the message version, because by default it uses WS-Addressing:

<bindings>
  <customBinding>
    <binding name="MyBindingName">
      <mtomMessageEncoding messageVersion="Soap11" /> <!-- or Soap12 -->
      <security authenticationMode="UserNameOverTransport"
                includeTimestamp="false">
      </security>
      <!-- a customBinding needs a transport element; UserNameOverTransport requires HTTPS -->
      <httpsTransport />
    </binding>
  </customBinding>
</bindings>

The TransactionFlow element is not needed at all.

Btw, the message you showed is not a valid usage of a WS-Security token, because the token must be inside a Security element. So if it is really what the Java service expects, it doesn't conform to the WS-Security specification and you will have to use a custom message header instead.

Ladislav Mrnka
  • So if I understand you correctly, the element should have a parent (according to the spec)? If this is so, I can get them to change their implementation. Where would I find a reference for this? – Scott Baker Oct 11 '11 at 15:12
  • ... implemented your changes and it works as expected - I see the element as you said. I'll talk to the Java dudes and see if they can't get it corrected. Thanks! – Scott Baker Oct 11 '11 at 15:26
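
To confirm on the wire what the answer describes, the following added example (not part of the original question or answer) checks a captured request envelope for WS-Addressing headers, a wsu:Timestamp, and a UsernameToken that is not nested in a Security element. The finding names, the sample_env helper and the sample envelopes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2

def check_envelope(xml_text):
    """Return a sorted list of findings for one captured request envelope."""
    root = ET.fromstring(xml_text)
    header = None
    for ns in SOAP_NS:
        header = root.find(f"{{{ns}}}Header")
        if header is not None:
            break
    if header is None:
        return ["no-header"]
    findings = set()
    # WS-Addressing headers show up when the message version in use includes addressing.
    if any(child.tag.startswith(f"{{{WSA}}}") for child in header):
        findings.add("ws-addressing-headers")
    # includeTimestamp="false" should leave no wsu:Timestamp anywhere in the header.
    if header.find(f".//{{{WSU}}}Timestamp") is not None:
        findings.add("timestamp-present")
    tokens = header.findall(f".//{{{WSSE}}}UsernameToken")
    if not tokens:
        findings.add("no-username-token")
    # Every token must be a direct child of a Security element under the Header.
    nested = header.findall(f"{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if len(nested) != len(tokens):
        findings.add("token-outside-security")
    return sorted(findings)

def sample_env(soap_ns, header_xml):
    """Build a constructed sample envelope around the given header content."""
    return (f'<s:Envelope xmlns:s="{soap_ns}" xmlns:a="{WSA}" xmlns:o="{WSSE}" xmlns:u="{WSU}">'
            f'<s:Header>{header_xml}</s:Header><s:Body/></s:Envelope>')

# Constructed samples (placeholder credentials, hypothetical endpoint).
TOKEN = "<o:UsernameToken><o:Username>user</o:Username><o:Password>placeholder</o:Password></o:UsernameToken>"
BEFORE = sample_env(SOAP_NS[1], f"<a:To>https://service.example/</a:To><o:Security>{TOKEN}</o:Security>")
AFTER = sample_env(SOAP_NS[0], f"<o:Security>{TOKEN}</o:Security>")
BARE = sample_env(SOAP_NS[0], TOKEN)  # token directly under Header, no Security parent

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER), ("bare", BARE)):
        print(name, check_envelope(doc))
```
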