Issues with WCF and SOAP WS-Security PlainText Username (No SSL)

Question

We need to consume a SOAP 1.1 Web Service, developed using Java, from within a C#/.Net 4.0 application. We have no access to the service programming or the server it resides on. The service is exposed over a non SSL connection and requires WS-Security, Username/PasswordText.

Using SoapUI (http://soapui.org/) we are able to consume the web service simply by creating a project, pointing it to the WSDL and setting up a simple Username/PasswordText WS-Security configuration.

The issue is that we are unable to consume the Web Service using WCF. After some researching, we found information that leads us to believe that the issue may be an incompatibility between SOAP 1.1, WS-Security, and the wsHttpBinding. The C# code used is the following:

        //The WSService.ServiceClient class is generated by the Service Reference
        var client = new WSService.ServiceClient(); 

        client.ClientCredentials.UserName.UserName = "Username";
        client.ClientCredentials.UserName.Password = "Password";

        var response = client.MethodToBeConsumed();

The binding created is the following:

            <binding name="GeneratedBinding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                <security mode="None">
                    <transport clientCredentialType="None" proxyCredentialType="None"
                        realm="" />
                    <message clientCredentialType="UserName" algorithmSuite="Default" />
                </security>
            </binding>

The binding created by the Service Reference is a basicHttpBinding. We understand that we need to use a wsHttpBinding for WS-Security (SOAP 1.2), but since the serivice uses SOAP 1.1, these two appear to not be compatible.

The correct request message should be (as generated by SOAPUI):

POST http://server:port/Service HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Authorization: Basic ENCRYPTEDPASSWORD
User-Agent: Jakarta Commons-HttpClient/3.1
Host: server:port
Content-Length: 324

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:service.version.details">
   <soapenv:Header/>
   <soapenv:Body>
      <urn:methodName>
         <arg0>1</arg0>
         <arg1>1</arg1>
      </urn:method>
   </soapenv:Body>
</soapenv:Envelope>

Is there really no way to achieve this using WCF? Can this be solved using a customBinding? Is our only available choice to craft the headers/messages manually and parse the responses? Do I have to assasinate a web service developer for using WS-Security with SOAP 1.1 over a non SSL connection?

Answer 1

The final solution was to insert the Authorization header into the requests as described in the following post:

http://social.msdn.microsoft.com/Forums/is/wcf/thread/4f8ab001-dafa-4347-bc41-95255ecc9230

This requiered no modification to the generated client or the bindings.

Answer 2

See if this helps you out (WSHttpBinding used, but told to make SOAP 1.1-compatible requests):

Does WCF support WS-Security with SOAP 1.1?