Does WCF support WS-Security with SOAP 1.1?

In order to use WS-Addressing (wsHttpBinding), but with SOAP 1.1 (SOAP 1.2 being the default), you need to define a custom WCF binding (e.g. in config) and use that:

    <bindings>
      <customBinding>
        <binding name="WsHttpSoap11">
          <textMessageEncoding messageVersion="Soap11WSAddressing10" />
          <httpTransport/>
        </binding>
      </customBinding>
    </bindings>

and then in your endpoint definition, use:

    <!-- bindingConfiguration must match the binding name defined above -->
    <endpoint name="WsSoap11" address="….." binding="customBinding" bindingConfiguration="WsHttpSoap11" contract="….." />

…

User authentication in SOAP Webservices

JAAS does not define how the authentication information should look in SOAP, but WS-Security defines what kind of standardized tokens you can use during client-server exchange (Username+password token / X.509 certificate / SAML token / Kerberos Token).

EDIT: With respect to the Metro WebService stack, you need (steps taken from here and here): Inject the …

Error in WCF client consuming Axis 2 web service with WS-Security UsernameToken PasswordDigest authentication scheme

I can confirm that the UPDATE from my question actually works:

    object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
    {
        // Build a WS-Security UsernameToken that carries the password as a digest
        UsernameToken ut = new UsernameToken("USERNAME", "PASSWORD", PasswordOption.SendHashed);
        XmlElement securityElement = ut.GetXml(new XmlDocument());

        // Wrap the token in a wsse:Security header and attach it to the outgoing message
        MessageHeader myHeader = MessageHeader.CreateHeader("Security", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", securityElement, false);
        request.Headers.Add(myHeader);
        return Convert.DBNull;
    }

And the client:

    CustomBehavior behavior = new CustomBehavior("USERNAME", "PASSWORD");
    client.Endpoint.Behaviors.Add(behavior);

The error message was …

Prevent XXE Attack with JAXB

JAXB

You can prevent the Xml eXternal Entity (XXE) attack by unmarshalling from an XMLStreamReader that has the IS_SUPPORTING_EXTERNAL_ENTITIES and/or XMLInputFactory.SUPPORT_DTD properties set to false.

JAX-WS

A JAX-WS implementation should take care of this for you. If it doesn’t, I would recommend opening a bug against the specific implementation.

EXAMPLE

Demo

    package xxe;
    import javax.xml.bind.*;
    …

Correct way communicate WSSE Usernametoken for SOAP webservice

If you need to send UserName over HTTPS you can use the standard approach (if your WSDL is correctly defined this should be created for you automatically by adding service reference):

    <bindings>
      <basicHttpBinding>
        <binding name="secured">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint name="…" address="https://…" contract="…" binding="basicHttpBinding" bindingConfiguration="secured" />
    </client>

Or you can …

Connecting to WS-Security protected Web Service with PHP

Simply extend the SoapHeader to create a Wsse compliant authentication:

    class WsseAuthHeader extends SoapHeader {
        private $wss_ns = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

        function __construct($user, $pass, $ns = null) {
            if ($ns) {
                $this->wss_ns = $ns;
            }
            $auth = new stdClass();
            $auth->Username = new SoapVar($user, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
            $auth->Password = new SoapVar($pass, XSD_STRING, NULL, $this->wss_ns, NULL, $this->wss_ns);
            $username_token = …