DeepSpace101

Reputation: 13762

SOAP 1.2 over SSL + HTTP basic authentication or WS-Security?

So I'll be the first to admit I know little of WS-Security internals. I've got a SOAP service factory as below. When using this service with internal test-only .NET clients (using the autogenerated .cs proxy class via svcutil.exe + auto-generated WSDL) all is fine. I can see the first 4 security SOAP request-response handshaking pairs before the 5th 'actual' (encrypted) SOAP request/response. I understand security in general but wish I knew the details about this specific handshaking - I guess they are performing key exchange?

Anyway, partly because

  1. I don't know the underlying SOAP security handshaking (WS-Security)
  2. I DO know HTTPS and HTTP basic authentication (and prefer the speed of SSL transport vs per message SOAP crypto/sign-verify operations)
  3. I want to secure the SOAP endpoint comms while preserving compatibility with non .NET clients

I was thinking I should be doing SOAP exchanges over HTTPS + HTTP basic authentication. So the questions boil down to:

  1. Are SOAP exchanges over HTTPS + HTTP basic authentication OK? Or a rare (=interop nightmare!) abomination?
  2. Followup to above: How would I configure my service factory to the recommended settings? Needless to say, I want to stay miles away from Windows Authentication which is meaningless in an internet environment ...

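    using System;
    using System.ServiceModel;
    using System.ServiceModel.Activation;
    using System.ServiceModel.Description;

    public class SoapServiceHostFactory : ServiceHostFactory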
    {
        private Type serviceInterfaceType;
    
        public SoapServiceHostFactory(Type serviceInterfaceType)
        {
            this.serviceInterfaceType = serviceInterfaceType;
        }
    
        protected override ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
        {
            ServiceHost host = base.CreateServiceHost(serviceType, baseAddresses);
            ServiceMetadataBehavior smb = host.Description.Behaviors.Find<ServiceMetadataBehavior>();
    
            // Enable metadata
            if (smb == null)
            {
                smb = new ServiceMetadataBehavior();
                host.Description.Behaviors.Add(smb);
            }
            smb.HttpGetEnabled = true;
    
            // Enable debugging for service
            ServiceDebugBehavior sdb = host.Description.Behaviors.Find<ServiceDebugBehavior>();
            if (sdb == null)
            {
                sdb = new ServiceDebugBehavior();
                host.Description.Behaviors.Add(sdb);
            }
            sdb.IncludeExceptionDetailInFaults = true;
    
            // SOAP Security configuration
            WSHttpBinding myBinding = new WSHttpBinding();
            myBinding.Security.Mode = SecurityMode.Transport;
    
            host.AddServiceEndpoint(serviceInterfaceType, myBinding, "");
            return host;
        }
    }
    

Upvotes: 5

Views: 4502

Answers (1)

superfell

Reputation: 19040

You will find SSL + Basic Auth to be massively more interoperable than WS-Security.

If you're just doing point-to-point integration then SSL would be the way to go for sure; if you have a more complex multi-hop, multi-party integration, then you might need to tough it out with WS-Security.

Upvotes: 5
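
One way to configure the endpoint for the SSL + Basic approach discussed above, as an added example that is not part of the original question or answer. The names `DelegatingValidator` and `BasicOverTlsEndpoint` are hypothetical, and the example assumes a hosting setup in which WCF itself, rather than IIS, evaluates the Basic credentials.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical validator: the credential check is injected so no secrets live in code.
public sealed class DelegatingValidator : UserNamePasswordValidator
{
    private readonly Func<string, string, bool> check;

    public DelegatingValidator(Func<string, string, bool> check)
    {
        if (check == null) throw new ArgumentNullException("check");
        this.check = check;
    }

    public override void Validate(string userName, string password)
    {
        // Reject empty input and failed lookups with the same generic error.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)
            || !check(userName, password))
        {
            throw new SecurityTokenException("Invalid credentials");
        }
    }
}

public static class BasicOverTlsEndpoint
{
    // Hypothetical helper: call it from CreateServiceHost in place of the binding code.
    public static void Configure(ServiceHost host, Type contract,
                                 UserNamePasswordValidator validator)
    {
        // Transport mode: TLS protects the channel, no per-message WS-Security exchange.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        // Credentials travel in the HTTP Authorization header (Basic), inside TLS.
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;

        // Validate against the application's own store instead of Windows accounts.
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = validator;

        host.AddServiceEndpoint(contract, binding, "");
    }
}
```

On an internet-facing endpoint, `IncludeExceptionDetailInFaults` from the question's factory returns server exception details to callers, so it is normally left off outside of testing.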
