Question

The basicHttp binding works great for a Java client with no problems. If I turn on message security, would it cause trouble for the Java client?

Since basicHttp is SOAP 1.1, if message security is turned on, will it use WS-Security to support certificate-based authentication?

Solution

It would be preferable to use a custom binding if you want to use certificate-based authentication while using SOAP 1.1 (also considering interoperability, e.g. with Java-based clients or Oracle services). The AuthenticationMode would change based on your needs.

For example, the binding below shows mutual certificate authentication on both the server and client side plus transport security (HTTPS).

<customBinding>
    <binding name="customSSLMutualCertificate" sendTimeout="00:05:00" receiveTimeout="00:05:00">
      <customTextMessageEncoding messageVersion="Soap11"/>
      <security defaultAlgorithmSuite="Basic256Rsa15" authenticationMode="MutualCertificate"
          requireDerivedKeys="false" securityHeaderLayout="Lax" includeTimestamp="false"
          keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncrypt"
          messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
          requireSignatureConfirmation="false" enableUnsecuredResponse="true">
        <localClientSettings cacheCookies="true" detectReplays="false"
            replayCacheSize="900000" maxClockSkew="00:05:00"
            maxCookieCachingTime="Infinite"
            replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
            sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
            timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
        <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
            maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
            negotiationTimeout="00:01:00" replayWindow="00:05:00"
            inactivityTimeout="00:02:00"
            sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
            reconnectTransportOnFailure="true" maxPendingSessions="128"
            maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
        <secureConversationBootstrap />
      </security>
      <httpsTransport manualAddressing="false" maxBufferPoolSize="524288"
                   maxReceivedMessageSize="65536" allowCookies="false"
                   authenticationScheme="Anonymous"
                   bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                   keepAliveEnabled="true" maxBufferSize="65536"
                   proxyAuthenticationScheme="Anonymous"
                   realm="" transferMode="Buffered"
                   unsafeConnectionNtlmAuthentication="false"
                   useDefaultWebProxy="true"  requireClientCertificate="false"/>
    </binding>
</customBinding>

Also refer to "Does WCF support WS-Security with SOAP 1.1?" for other options.
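
An added example, not part of the original answer: a Python check that reads a WCF `customBinding` and lists the explicitly set attributes worth reviewing before deployment, using the values from the binding above. The sample XML is a trimmed copy constructed from that binding, and the function name and review notes are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the binding above, trimmed to the attributes checked here.
BINDING_XML = """<customBinding>
  <binding name="customSSLMutualCertificate">
    <security defaultAlgorithmSuite="Basic256Rsa15" authenticationMode="MutualCertificate"
        includeTimestamp="false" enableUnsecuredResponse="true">
      <localClientSettings detectReplays="false" />
      <localServiceSettings detectReplays="true" />
    </security>
    <httpsTransport requireClientCertificate="false" />
  </binding>
</customBinding>"""

# (path under <binding>, attribute, value that triggers a note, note).
# Only explicitly set attributes are examined; WCF defaults are not modelled.
CHECKS = [
    ("security", "includeTimestamp", "false",
     "no wsu:Timestamp is sent or required in the security header"),
    ("security", "enableUnsecuredResponse", "true",
     "unsecured responses to secured requests can be sent and accepted"),
    ("security", "defaultAlgorithmSuite", "Basic256Rsa15",
     "key wrap uses RSA PKCS#1 v1.5 instead of RSA-OAEP"),
    ("security/localClientSettings", "detectReplays", "false",
     "client side does not detect replayed messages"),
    ("security/localServiceSettings", "detectReplays", "false",
     "service side does not detect replayed messages"),
    ("httpsTransport", "requireClientCertificate", "false",
     "TLS does not request a client certificate; the client is identified at message level only"),
]

def review_bindings(config_xml):
    """Return (binding name, element path, attribute, note) for each flagged setting."""
    findings = []
    for binding in ET.fromstring(config_xml).iter("binding"):
        for path, attr, flagged, note in CHECKS:
            for elem in binding.findall(path):
                if elem.get(attr, "").lower() == flagged.lower():
                    findings.append((binding.get("name"), path, attr, note))
    return findings

if __name__ == "__main__":
    for name, path, attr, note in review_bindings(BINDING_XML):
        print(f"{name}: {path}/@{attr}: {note}")
```

Each note marks a setting that is commonly relaxed for SOAP 1.1 interoperability; whether it is acceptable depends on what the Java client's WS-Security stack can actually negotiate.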

Licensed under: CC-BY-SA with attribution