5

So I'll be the first to admit I know little of WS-Security internals. I've got a SOAP service factory as below. When using this service with internal test-only .NET clients (using the autogenerated .cs proxy class via svcutil.exe + auto-generated WSDL) all is fine. I can see the first 4 security SOAP request-response handshaking pairs before the 5th 'actual' (encrypted) SOAP request/response. I understand security in general but wish I knew the details about this specific handshaking - I guess they are performing key exchange?

Anyway, partly because

  1. I don't know the underlying SOAP security handshaking (WS-Security)
  2. I DO know HTTPS and HTTP basic authentication (and prefer the speed of SSL transport vs per message SOAP crypto/sign-verify operations)
  3. I want to secure the SOAP endpoint comms while preserving compatibility with non .NET clients

I was thinking I should be doing SOAP exchanges over HTTPS + HTTP basic authentication. So the questions boil down to

  1. Are SOAP exchanges over HTTPS + HTTP basic authentication OK, or a rare (=interop nightmare!) abomination?
  2. Followup to above: How would I configure my service factory to the recommended settings? Needless to say, I want to stay miles away from Windows Authentication which is meaningless in an internet environment ...

    using System;
    using System.ServiceModel;
    using System.ServiceModel.Activation;
    using System.ServiceModel.Description;

    public class SoapServiceHostFactory : ServiceHostFactory
    {
        private Type serviceInterfaceType;

        public SoapServiceHostFactory(Type serviceInterfaceType)
        {
            this.serviceInterfaceType = serviceInterfaceType;
        }

        protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
        {
            ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
            ServiceMetadataBehavior smb = host.Description.Behaviors.Find<ServiceMetadataBehavior>();

            // Enable metadata (WSDL served on HTTP GET)
            if (smb == null)
            {
                smb = new ServiceMetadataBehavior();
                host.Description.Behaviors.Add(smb);
            }
            smb.HttpGetEnabled = true;

            // Enable debugging for service (exception details are returned to callers in faults)
            ServiceDebugBehavior sdb = host.Description.Behaviors.Find<ServiceDebugBehavior>();
            if (sdb == null)
            {
                sdb = new ServiceDebugBehavior();
                host.Description.Behaviors.Add(sdb);
            }
            sdb.IncludeExceptionDetailInFaults = true;

            // SOAP Security configuration: WSHttpBinding with transport (HTTPS) security
            WSHttpBinding myBinding = new WSHttpBinding();
            myBinding.Security.Mode = SecurityMode.Transport;

            host.AddServiceEndpoint(serviceInterfaceType, myBinding, "");
            return host;
        }
    }

DeepSpace101

1 Answer

5

You will find SSL + Basic Auth to be massively more interoperable than WS-Security.

If you're just doing point to point integration then SSL would be the way to go for sure, if you have a more complex multi-hop, multi-party integration, then you might need to tough it out with WS-Security.

superfell
  • Thanks. Maybe I should post the second part as a separate question, but how would I configure my SOAP service factory to do SSL + Basic Auth? Especially unclear is how would the Basic Auth know which dB/XML file to perform the lookup against? Tie in some membership provider? Thanks! – DeepSpace101 Mar 03 '12 at 22:17
  • Typically SSL & Auth are handled by the web server rather than the SOAP layer, but not sure about WCF specifically – superfell Mar 05 '12 at 21:05
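Putting the answer and the comment thread into a concrete WCF configuration, as an added example; this is not code from either poster. The names `SecureSoapServiceHostFactory`, `StoreBackedValidator` and `CredentialStore` are hypothetical, and `CredentialStore` is a constructed in-memory table standing in for the DB/XML lookup the comment asks about. The caveat the comment hints at is real: when you set HTTP Basic at the transport layer, WCF leaves the credential check to the host (IIS or HTTP.SYS), which validates against Windows accounts and offers no hook for a custom store. The WCF-supported way to authenticate against your own store over TLS is `TransportWithMessageCredential` with a `UserName` client credential: TLS protects the channel and the SOAP header carries a plain WS-Security UsernameToken that non-.NET stacks handle without any of the key-exchange handshake the question describes.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Text;

// Hypothetical credential store: a constructed table of user -> SHA-256(password).
// In a real deployment this is your DB/XML lookup; store a salted, slow KDF hash there.
public static class CredentialStore
{
    private static readonly Dictionary<string, byte[]> Users = new Dictionary<string, byte[]>
    {
        { "alice", Hash("correct horse battery staple") }   // constructed test user
    };

    private static byte[] Hash(string password)
    {
        using (SHA256 sha = SHA256.Create())
        {
            return sha.ComputeHash(Encoding.UTF8.GetBytes(password));
        }
    }

    public static bool IsValid(string userName, string password)
    {
        byte[] expected;
        if (!Users.TryGetValue(userName, out expected)) { return false; }
        byte[] actual = Hash(password);
        // Constant-time comparison: timing must not reveal how many bytes matched.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) { diff |= expected[i] ^ actual[i]; }
        return diff == 0;
    }
}

// WCF invokes this for every request carrying a UsernameToken; throwing rejects the call.
public class StoreBackedValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null || !CredentialStore.IsValid(userName, password))
        {
            throw new SecurityTokenException("Unknown user or bad password");
        }
    }
}

public class SecureSoapServiceHostFactory : ServiceHostFactory
{
    private readonly Type serviceInterfaceType;

    public SecureSoapServiceHostFactory(Type serviceInterfaceType)
    {
        this.serviceInterfaceType = serviceInterfaceType;
    }

    protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
    {
        ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);

        // Serve the WSDL over HTTPS only; no plaintext HTTP GET.
        ServiceMetadataBehavior smb = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
        if (smb == null) { smb = new ServiceMetadataBehavior(); host.Description.Behaviors.Add(smb); }
        smb.HttpGetEnabled = false;
        smb.HttpsGetEnabled = true;

        // Never return stack traces to internet callers.
        ServiceDebugBehavior sdb = host.Description.Behaviors.Find<ServiceDebugBehavior>();
        if (sdb == null) { sdb = new ServiceDebugBehavior(); host.Description.Behaviors.Add(sdb); }
        sdb.IncludeExceptionDetailInFaults = false;

        // Option A (not used): HTTP Basic at the transport layer. The host (IIS/HTTP.SYS) validates
        // the credential against Windows accounts; a custom validator is not consulted.
        //   var basic = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        //   basic.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        // Option B: TLS for the channel + WS-Security UsernameToken checked by our own validator.
        BasicHttpBinding binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new StoreBackedValidator();

        host.AddServiceEndpoint(serviceInterfaceType, binding, "");
        return host;
    }
}
```

Wire it up the same way as the factory in the question: a subclass with a parameterless constructor that passes `typeof(IYourService)` to the base, named in the `Factory` attribute of the `.svc` file. The endpoint must be reachable only over an `https://` base address, since `TransportWithMessageCredential` sends the password in the token and relies on TLS for confidentiality; a non-.NET client then needs nothing beyond TLS and a `wsse:UsernameToken` header.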