https://stackoverflow.com/questions/17253930
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianIn WCF you need to use a custom message encoder. The inspector is called too early to change security. If you will share more details on the exact change you want to make maybe we can help with a better way.
WCF or WSE Edit security header
Question
I've been trying to change the soap security element either using WCF or WSE.
WCF: Implement a messageinspector and add your custom code in Beforerequestsent. Having set the following custom binding in the code behind, I don't see a security element in ref System.ServiceModel.Channels.Message request` There is a envelope and Header, Body but missing security element in header.
AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10); X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters(); x509ProtectionParameters.RequireDerivedKeys = false; x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier; x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal; x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;This is what the ref variable request looks like
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope"> <s:Header> <a:Action s:mustUnderstand="1" /> <a:MessageID>urn:uuid:4e929e4c-882b-40dc-9794-e54b71c47148</a:MessageID> <a:ReplyTo> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> </a:ReplyTo> <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9rzFi9T6thDniQ9lRMdE0sAAAAA1RxuI+tGxUi69I44BS9+QcTNP3q82D9HmHmB8kuqWioACQAA</VsDebuggerCausalityData> </s:Header> <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> <getEligibility xmlns="http://org/emedny/mhs/"> <input> <transData</transData> </input> </getEligibility> </s:Body> </s:Envelope>Although fiddler shows an outgoing security header, I am unable to get to the Security element in the Before request sent method
WSE: They recommend using a soap filter and override a few methods I have all the tokens in code behind
ProxyGenerationWSDL.MHService MHs = new MHService(); X509Certificate2 cert = GetCertificateFromStore("User"); X509SecurityToken x5091 = new X509SecurityToken(cert); MHs.SetClientCredential(x5091); X509Certificate2 cert2 = GetCertificateFromStore("Server"); X509SecurityToken x5092 = new X509SecurityToken(cert2); MHs.SetServiceCredential(x5092); UsernameToken tkuser = new UsernameToken("User1", "Pwd", PasswordOption.SendPlainText); MHs.RequestSoapContext.Security.Tokens.Add(x5091); MHs.RequestSoapContext.Security.Tokens.Add(x5092); MHs.RequestSoapContext.Security.Tokens.Add(tkuser); Microsoft.Web.Services3.Security.EncryptedData data = new Microsoft.Web.Services3.Security.EncryptedData(x5092); MHs.RequestSoapContext.Security.Elements.Add(new MessageSignature(x5091));Now created a custom policy, policy assertion where I am overriding the following
public class ClientOutputFilter : SoapFilter { public ClientOutputFilter() : base() { } public override SoapFilterResult ProcessMessage(SoapEnvelope envelope) { XmlDocument document = new XmlDocument(); string s = envelope.InnerXml; document.LoadXml(envelope.InnerXml); //loading soap message as string string path = "/*:Envelope/*:Header/*:Security/*:TimeStamp"; XmlNodeList ndlist = document.SelectNodes(path); //then remove the timestamp element from the security headerBut even here the envelope has no security element.
Please suggest. What methods are to be overridden in order to edit the security header
Edited: Request which appears now
<o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
</o:BinarySecurityToken>
<o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
</o:BinarySecurityToken>
<o:Username>UserName</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
</o:UsernameToken>
What needs to appear
<o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
</o:BinarySecurityToken>
<o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
</o:BinarySecurityToken>
<o:Username>UserName</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
<o:Nonce>XXXX</o:Nonce>
<o:Created>TTT</o:Created>
</o:UsernameToken>
Edited to show Complete Soap request to show signing and encryption details
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/emedny/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(eMedNY signed user MLS cert).......</wsse:BinarySecurityToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( eMedNY MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
<wsse:Username>....your_username.....</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
<wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
<wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
</wsse:UsernameToken>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
SAMP L E R EQUE ST W I T H WS S E CURI T Y
eMedNY Meds History Service User Guide Page 13 of 48 February 16, 2012
Version 1.1
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>wRUq.........</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tBSsaZi........</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<xenc:CipherData>
<xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soapenv:Body>
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
