
WCF .NET4 CustomBinding with Message signing and manualAddressing over httpsTransport ??

Gait Boxman

Jan 26, 2012, 4:52:37 AM
Hi all,

I'm setting up a service for an externally defined contract.
It's running over SSL (mutual certificate), but also requires SOAP11/WSA10
and security for message signing.
So far so good: I've added ProtectionLevel=Sign on the MessageContract
and use the following binding in my service.config file (it's a separate
Windows service):

============
<customBinding>
  <binding name="AfleverServiceSoapBinding_V1_1">
    <!-- message-level security: WS-Security 1.0, X.509 certificates on both sides -->
    <security defaultAlgorithmSuite="TripleDesRsa15"
              authenticationMode="MutualCertificateDuplex"
              requireDerivedKeys="false"
              securityHeaderLayout="Lax"
              includeTimestamp="true"
              keyEntropyMode="CombinedEntropy"
              messageProtectionOrder="EncryptBeforeSign"
              messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
              requireSignatureConfirmation="false"
              allowSerializedSigningTokenOnReply="true"
              enableUnsecuredResponse="False">
      <localClientSettings cacheCookies="true" detectReplays="true" replayCacheSize="900000"
                           maxClockSkew="00:05:00" maxCookieCachingTime="10:00:00"
                           replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                           sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                           timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60"/>
      <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                            maxStatefulNegotiations="128" replayCacheSize="900000"
                            maxClockSkew="00:05:00" negotiationTimeout="00:01:00"
                            replayWindow="00:05:00" inactivityTimeout="00:02:00"
                            sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                            reconnectTransportOnFailure="true" maxPendingSessions="128"
                            maxCachedCookies="1000" timestampValidityDuration="00:05:00"/>
      <secureConversationBootstrap/>
    </security>

    <!-- SOAP 1.1 envelope with WS-Addressing 1.0 headers -->
    <mtomMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                         messageVersion="Soap11WSAddressing10" maxBufferSize="65536"
                         writeEncoding="utf-8">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
    </mtomMessageEncoding>

    <!-- HTTPS with a mandatory client certificate; manualAddressing is the attribute discussed below -->
    <httpsTransport manualAddressing="false"
                    maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536"
                    allowCookies="false"
                    authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false"
                    decompressionEnabled="true"
                    hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true"
                    maxBufferSize="65536"
                    proxyAuthenticationScheme="Anonymous"
                    realm=""
                    transferMode="Buffered"
                    unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true"
                    requireClientCertificate="true"/>
  </binding>
</customBinding>

============

But here's the catch: the response message is required to have a wsa:To
element in the SOAP header, and since it's suppressed by default, I need
to change httpsTransport/@manualAddressing to 'true'.
However, if I try, the host won't open because the CustomBinding is
using message-level security.

Does anyone know how to tweak the security element so that we can set
transport-level security and fix the wsa:To header?

I tried removing the security element, but then the service doesn't
recognize the request signing.


Thanks, Gait.
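One way to get a wsa:To element onto the reply without switching the transport to manual addressing (which WCF refuses to combine with a message-security binding element) is to stamp the header from the dispatch layer, above the channel stack, so the security channel signs it along with the other addressing headers. The following is an added example, not code from the original post; the contract, the `AfleverService` type name and the use of the WS-Addressing 1.0 anonymous URI as the default wsa:To value are assumptions for illustration, and the binding is still expected to come from service.config with `manualAddressing="false"`.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example (not the poster's code). Stamps wsa:To on every reply from a
// dispatch message inspector so httpsTransport/@manualAddressing can stay "false".
// Assumptions: contract and service type below are placeholders; when the request
// carries no non-anonymous wsa:ReplyTo, the WS-Addressing 1.0 anonymous URI is used.

[ServiceContract(Namespace = "urn:example:aflever")]   // placeholder contract
public interface IAfleverService
{
    [OperationContract]
    string Ping(string input);
}

public sealed class AfleverService : IAfleverService    // placeholder implementation
{
    public string Ping(string input) { return input; }
}

public sealed class ReplyToHeaderInspector : IDispatchMessageInspector
{
    // WS-Addressing 1.0 anonymous address: where a reply on a plain HTTP
    // request/response exchange goes when the request named no other ReplyTo.
    private static readonly Uri Anonymous =
        new Uri("http://www.w3.org/2005/08/addressing/anonymous");

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // Capture the request's ReplyTo so the reply's wsa:To can echo it.
        // The return value is passed to BeforeSendReply as correlationState.
        EndpointAddress replyTo = request.Headers.ReplyTo;
        return (replyTo != null && !replyTo.IsAnonymous) ? replyTo.Uri : null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        if (reply == null)
            return;                               // one-way operation: nothing to stamp

        // Set before the reply enters the channel stack, so the security channel
        // covers this header with the message signature like Action/MessageID.
        reply.Headers.To = (correlationState as Uri) ?? Anonymous;
    }
}

public sealed class ReplyToHeaderBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint,
                                     BindingParameterCollection bindingParameters) { }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void Validate(ServiceEndpoint endpoint) { }

    public void ApplyDispatchBehavior(ServiceEndpoint endpoint,
                                      EndpointDispatcher endpointDispatcher)
    {
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(new ReplyToHeaderInspector());
    }
}

public static class HostSetup
{
    // Call from the Windows service's OnStart in place of new ServiceHost(...).Open().
    // Endpoints and the custom binding are still read from service.config.
    public static ServiceHost OpenHost()
    {
        var host = new ServiceHost(typeof(AfleverService));

        // Attach before Open(); on .NET 4.0 the collection is ServiceEndpoint.Behaviors.
        foreach (ServiceEndpoint endpoint in host.Description.Endpoints)
            endpoint.Behaviors.Add(new ReplyToHeaderBehavior());

        host.Open();
        return host;
    }
}
```

Verify the result on the wire rather than trusting the code: enable WCF message logging at the transport level (or put a TLS-terminating proxy in front of a test instance) and check that the reply contains `<wsa:To>` with a `wsu:Id`, and that `ds:SignedInfo` in the response's Security header has a `ds:Reference` pointing at that id. If the partner's validator requires a specific non-anonymous wsa:To value, replace the default URI with it; the header text is what the partner checks, and the signature must then be computed over that text.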