wcf-security

Signing SOAP messages using X.509 certificate from WCF service to Java webservice

OK. After few tries and errors here is the solution using SignedXml and IClientMessageInspector/BeforeSendRequest pattern. Thanks a lot to Yaron Naveh for his relevant suggestions. // Sign an XML request and return it public static string SignRequest(string request, string SubjectName, string Signature, string keyInfoRefId) { if (string.IsNullOrEmpty(request)) throw new ArgumentNullException(“request”); if (string.IsNullOrEmpty(SubjectName)) throw new ArgumentNullException(“SubjectName”); … Read more

WCF sessions with a wsHttpBinding and without windows security

You can have WCF hold session information in memory in a pretty simple way. To eliminate any possible external influences in my instructions, I’ll assume you’re starting with a brand new project: Create a new WCF Service Library project. This project will already contain a service with a WSHttpBiding binding preconfigured. Go to the service … Read more

How to get the X509Certificate from a client request

this is how we do this in the constructor of our webservice: if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets == null) throw new SecurityException (“No claimset service configured wrong”); if (OperationContext.Current.ServiceSecurityContext.AuthorizationContext.ClaimSets.Count <= 0) throw new SecurityException (“No claimset service configured wrong”); var cert = ((X509CertificateClaimSet) OperationContext.Current.ServiceSecurityContext. AuthorizationContext.ClaimSets[0]).X509Certificate; //this contains the thumbprint cert.Thumbprint

How can I use WCF with the basichttpbinding only , SSL and Basic Authentication in IIS?

After some digging and asking some questions to a few colleagues, we finally solved the problem. Important to understand is there are 2 aspects of security in this case. The IIS security and the WCF security. IIS security: Enable SSL & enable Basic Authentication. Disable Anonymous Authentication. (Of course, create a windows account/group and set … Read more

Correct way communicate WSSE Usernametoken for SOAP webservice

If you need to send UserName over HTTPS you can use standard approach (if your WSDL is correctly defined this should be created for you automatically by adding service reference): <bindings> <basicHttpBinding> <binding name=”secured”> <security mode=”TransportWithMessageCredential”> <message clientCredentialType=”UserName” /> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint name=”…” address=”https://…” contract=”…” binding=”basicHttpBinding” bindingConfiguration=”secured” /> </client> Ar you can … Read more

xmlHttp.getResponseHeader + Not working for CORS

First, a little background: You are using Access-Control-Allow-Headers, which specifies which request headers the client is allowed to send, but you are not specifying which response headers the client is allowed to read. To allow the client to read non-simple response headers, you need to use Access-Control-Expose-Headers. From the HTML5 Rocks CORS page: During a … Read more

WCF Transport vs Message

Security in WCF actually consists of several features. The difference between those two is how are messages signed and encrypted. Transport security provides only point-to-point channel security. It means that HTTPS establish secure channel only between client and server exposed to client. But if this server is just a load balancer or reverse proxy server … Read more

Passing FormsAuthentication cookie to a WCF service

It sounds like you’re looking for the Windows Communication Foundation Authentication Service. EDIT: After re-reading the question more carefully (and after Ariel’s comment) I’d like to retract the above suggestion. The WCF Authentication Service won’t add much to this scenario. I haven’t done this between WCF and ASP.NET, however I have configured ASP.NET applications to … Read more