Gait Boxman
Jan 26, 2012, 4:52:37 AM
Hi all,
I'm setting up a service for an externally defined contract.
It's running over SSL (mutual certificate), but also requires SOAP11/WSA10
and security for message signing.
So far so good: I've added ProtectionLevel=Sign on the MessageContract,
and use the following binding in my service.config file (it's a separate
windows service):
============
<customBinding>
  <binding name="AfleverServiceSoapBinding_V1_1">
    <security defaultAlgorithmSuite="TripleDesRsa15"
              authenticationMode="MutualCertificateDuplex" requireDerivedKeys="false"
              securityHeaderLayout="Lax" includeTimestamp="true"
              keyEntropyMode="CombinedEntropy"
              messageProtectionOrder="EncryptBeforeSign"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="false"
              allowSerializedSigningTokenOnReply="true" enableUnsecuredResponse="False">
      <localClientSettings cacheCookies="true"
                           detectReplays="true" replayCacheSize="900000" maxClockSkew="00:05:00"
                           maxCookieCachingTime="10:00:00" replayWindow="00:05:00"
                           sessionKeyRenewalInterval="10:00:00"
                           sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                           timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60"/>
      <localServiceSettings detectReplays="true"
                            issuedCookieLifetime="10:00:00" maxStatefulNegotiations="128"
                            replayCacheSize="900000" maxClockSkew="00:05:00"
                            negotiationTimeout="00:01:00" replayWindow="00:05:00"
                            inactivityTimeout="00:02:00" sessionKeyRenewalInterval="15:00:00"
                            sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                            maxPendingSessions="128" maxCachedCookies="1000"
                            timestampValidityDuration="00:05:00"/>
      <secureConversationBootstrap/>
    </security>
    <mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                         messageVersion="Soap11WSAddressing10" maxBufferSize="65536"
                         writeEncoding="utf-8">
      <readerQuotas maxDepth="32" maxStringContentLength="8192"
                    maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
    </mtomMessageEncoding>
    <httpsTransport manualAddressing="false"
                    maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false"
                    authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" decompressionEnabled="true"
                    hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536"
                    proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered"
                    unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" requireClientCertificate="true" />
  </binding>
</customBinding>
============
But here's the catch: the response message is required to have a wsa:To
element in the SOAP header, and since it's suppressed by default, I need
to change the httpsTransport/@manualAddressing to 'true'.
However, if I try, the host won't open because the CustomBinding is
using message level security.
Does anyone know how to tweak the security element so that we can set
transport level security and fix the wsa:To header?
I tried removing the security element, but then the service doesn't
recognize the request signing.
thnx, Gait.