A third party in charge of developing a Java-based web service came back to us with the requirement that the message header needs to look like this:
    <soapenv:Header>
      <wsse:Security>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-1"/>
        </xenc:ReferenceList>
        <wsse:UsernameToken>
          <wsse:Username>[snip]</wsse:Username>
          <xenc:EncryptedData Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:KeyName>[snip]</ds:KeyName>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>[snip]</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedData>
        </wsse:UsernameToken>
      </wsse:Security>
    </soapenv:Header>
Given my very surfacish understanding of this security voodoo magic, I am having trouble figuring out how to configure my client to produce such a header. Right now my code looks like this:
    client.ClientCredentials.UserName.UserName = "[snip]";
    client.ClientCredentials.UserName.Password = "[snip]";
and the header:
    <s:Header>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <o:UsernameToken u:Id="uuid-e906a1ca-aa63-474c-b4ac-cf9b90ab2435-1">
          <o:Username>[snip]</o:Username>
          <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[snip]</o:Password>
        </o:UsernameToken>
      </o:Security>
    </s:Header>
and binding:
    <binding name="SMSSoap11">
      <security mode="TransportWithMessageCredential" />
    </binding>
WCF will not produce this output for you. You will have to write your own token for this and maybe even more. WCF supports only a username token with a plain password out of the box, and your code example doesn't even look like any part of the username token specification. If the goal is to use an encrypted password with WS-Security, then the security header seems incomplete.
You should ask the Java developers what the security requirements are in terms of WS-SecurityPolicy.
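As an added illustration (not code from the question or the answer), the following C# builds the requested header shape with .NET's System.Security.Cryptography.Xml classes instead of WCF's built-in tokens. It assumes that wsse:Password is the element being encrypted and that both sides share an AES-256 key identified by ds:KeyName; the class name, sample credentials, key and key name are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class EncryptedUsernameToken
{
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    // Assumption: wsse:Password is the encrypted element and both sides already
    // share a 256-bit AES key that the service looks up by ds:KeyName.
    // AES-CBC gives confidentiality only; nothing here signs or timestamps the token.
    public static XmlElement Build(string user, string password, byte[] key, string keyName)
    {
        if (key == null || key.Length != 32) throw new ArgumentException("aes256-cbc needs a 32-byte key");
        var doc = new XmlDocument();
        XmlElement security = doc.CreateElement("wsse", "Security", Wsse);
        XmlElement token = doc.CreateElement("wsse", "UsernameToken", Wsse);
        XmlElement userEl = doc.CreateElement("wsse", "Username", Wsse);
        XmlElement passEl = doc.CreateElement("wsse", "Password", Wsse);
        userEl.InnerText = user;
        passEl.InnerText = password;
        token.AppendChild(userEl);
        token.AppendChild(passEl);
        security.AppendChild(token);
        doc.AppendChild(security);
        var data = new EncryptedData { Id = "EncDataId-1", Type = EncryptedXml.XmlEncElementUrl };
        data.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
        data.KeyInfo.AddClause(new KeyInfoName(keyName));
        using (Aes aes = Aes.Create())
        {
            aes.Key = key; // the random IV of this instance is prepended to the ciphertext
            data.CipherData.CipherValue = new EncryptedXml().EncryptData(passEl, aes, false);
        }
        EncryptedXml.ReplaceElement(passEl, data, false);
        // xenc:ReferenceList pointing at the encrypted element, placed first as in the target header.
        XmlElement list = doc.CreateElement("xenc", "ReferenceList", EncryptedXml.XmlEncNamespaceUrl);
        XmlElement dataRef = doc.CreateElement("xenc", "DataReference", EncryptedXml.XmlEncNamespaceUrl);
        dataRef.SetAttribute("URI", "#" + data.Id);
        list.AppendChild(dataRef);
        security.PrependChild(list);
        return security;
    }
    static void Main()
    {
        byte[] key = new byte[32]; // constructed sample key, not a real shared secret
        RandomNumberGenerator.Create().GetBytes(key);
        Console.WriteLine(Build("alice", "s3cret", key, "sample-key").OuterXml);
    }
}
```

The EncryptedData element is serialized in the xmlenc namespace without the xenc prefix, which is equivalent XML; whether the service accepts it still depends on the WS-SecurityPolicy the Java side enforces.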