Reputation: 5027
When using WCF and C# in a project I get an exception, MessageSecurityException, with the message "Security header is empty.". Here follows the response (according to MS Service Trace Viewer):
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true"></wsse:Security>
<wsa:Action>_WHAT_I_DID_</wsa:Action>
<wsa:RelatesTo>_MSG_ID_OF_REQUEST_</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
_CORRECT_BODY_
</soapenv:Body>
</soapenv:Envelope>
Indeed, the security header is "empty", but it is still correct according to the security header definition as far as I can tell.
I've also tried editing the bindings, but that doesn't seem to help either. I also found a similar problem where enabling EnableUnsecuredResponse would help, but it doesn't here.
Here is the response according to SoapUI:
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="true" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"/>
<wsa:Action>_WHAT_I_DID_</wsa:Action>
<wsa:RelatesTo>_REQ_MSG_ID_</wsa:RelatesTo>
</soapenv:Header>
<soapenv:Body>
_CORRECT_BODY_
</soapenv:Body>
</soapenv:Envelope>
They are almost identical, except for how they close the security header. Which is interesting, but should not raise the exception?
I also found a similar problem where the solution was to create a custom message encoder and strip the entire security header. Although this would work, it is an extra unneeded step. Is that the only way to do it with .NET and WCF? Can't WCF handle security headers without content?
EDIT: Clarification of the issue: is writing an encoder which drops the security header the only way to receive and parse SOAP messages with empty security headers using WCF?
EDIT2: Adding part of conf:
<binding name="NinjaBinding">
<security allowSerializedSigningTokenOnReply="true" enableUnsecuredResponse="true"
authenticationMode="UserNameOverTransport" requireDerivedKeys="false"
securityHeaderLayout="Lax" includeTimestamp="false" allowInsecureTransport="true"
keyEntropyMode="ClientEntropy"
messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<localServiceSettings detectReplays="false" />
<secureConversationBootstrap _IDENTICAL_TO_ABOVE_
</secureConversationBootstrap>
</security>
<textMessageEncoding />
<httpsTransport />
</binding>
As far as I know, it's configured to allow practically everything?
Upvotes: 7
Views: 4901
Reputation: 5027
(Now I'm answering my own question since I've been able to elicit some kind of answer)
In short, no, you cannot use WCF "out of the box" (i.e. through *.config) with application servers which provide empty security headers in responses. You have to implement an encoder which modifies messages to a format acceptable to the WCF framework.
For more information read this blog which contains a quite good walkthrough of the encoder and its applications. This blog (another blog) also provides a code snippet capable of solving my issue, i.e. modifying the security header.
I wonder why MS and Oracle products never can co-exist peacefully :D
Upvotes: 4
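The encoder approach described in the answer above, as an added example (not the code from the linked blogs or from the poster): a wrapper MessageEncoder that removes the wsse:Security header only when it has no child elements, so a reply that does carry tokens or signatures still reaches WCF's own validation. The class name is hypothetical, and it assumes UTF-8 replies, buffered transfer mode, and that you register it through your own MessageEncoderFactory and MessageEncodingBindingElement in place of textMessageEncoding.

```csharp
using System;
using System.IO;
using System.ServiceModel.Channels;
using System.Text;
using System.Xml;

// Hypothetical class name; wraps the encoder produced by <textMessageEncoding />.
public class EmptySecurityHeaderEncoder : MessageEncoder
{
    const string WsseNs = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    readonly MessageEncoder inner;
    public EmptySecurityHeaderEncoder(MessageEncoder inner) { this.inner = inner; }

    public override string ContentType { get { return inner.ContentType; } }
    public override string MediaType { get { return inner.MediaType; } }
    public override MessageVersion MessageVersion { get { return inner.MessageVersion; } }
    public override bool IsContentTypeSupported(string contentType) { return inner.IsContentTypeSupported(contentType); }

    public override Message ReadMessage(ArraySegment<byte> buffer, BufferManager bufferManager, string contentType)
    {
        // Parse defensively: no DTDs, no external resolution.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit };
        using (var ms = new MemoryStream(buffer.Array, buffer.Offset, buffer.Count))
        using (var reader = XmlReader.Create(ms, settings))
            doc.Load(reader);

        // Strip only a childless wsse:Security that sits directly in the SOAP Header.
        // A header carrying tokens or signatures is passed through for WCF to validate.
        XmlNodeList found = doc.GetElementsByTagName("Security", WsseNs);
        XmlNode sec = found.Count == 1 ? found[0] : null;
        if (sec == null || sec.ParentNode.LocalName != "Header" || sec.SelectNodes("*").Count != 0)
            return inner.ReadMessage(buffer, bufferManager, contentType);
        sec.ParentNode.RemoveChild(sec);

        // Assumption: the reply is UTF-8, matching the default text encoding.
        byte[] bytes = new UTF8Encoding(false).GetBytes(doc.OuterXml);
        byte[] pooled = bufferManager.TakeBuffer(bytes.Length);
        Buffer.BlockCopy(bytes, 0, pooled, 0, bytes.Length);
        bufferManager.ReturnBuffer(buffer.Array);
        return inner.ReadMessage(new ArraySegment<byte>(pooled, 0, bytes.Length), bufferManager, contentType);
    }

    // Streamed reads and all writes pass through unchanged (assumes buffered transfer mode).
    public override Message ReadMessage(Stream stream, int maxSizeOfHeaders, string contentType)
    { return inner.ReadMessage(stream, maxSizeOfHeaders, contentType); }
    public override ArraySegment<byte> WriteMessage(Message message, int maxMessageSize, BufferManager bufferManager, int messageOffset)
    { return inner.WriteMessage(message, maxMessageSize, bufferManager, messageOffset); }
    public override void WriteMessage(Message message, Stream stream)
    { inner.WriteMessage(message, stream); }
}
```

Because the header is dropped before the security channel sees it, the reply is treated as unsecured; the binding still needs enableUnsecuredResponse="true", and transport security is then the only protection on the response.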