Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

With C#, WCF SOAP consumer that uses WSSE plain text authentication?

Tags:

c#

visual-studio-2012

wcf

asp.net-4.5

ws-security

I have a WCF SOAP consumer that is implemented by Visual Studio 2012 from a WSDL. The WSDL was generated by PeopleTools. The base object is of type System.ServiceModel.ClientBase.

I need the SOAP request to resemble:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:sch="http://xmlns.oracle.com/Enterprise/Tools/schemas">
    <soapenv:Header>
        <wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:UsernameToken>
                <wsse:Username>[plain text username goes here]</wsse:Username>
                <wsse:Password>[plain text password goes here]</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body>
        <sch:InputParameters>
            <Last_Name>Aren</Last_Name>
            <First_Name>Cambre</First_Name>
        </sch:InputParameters>
    </soapenv:Body>
</soapenv:Envelope>

Here's the closest we can get:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
        <a:MessageID>urn:uuid:3cc3f2ca-c647-466c-b38b-f2423462c837</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">http://[internal URL to soap listener]</a:To>
    </s:Header>
    <s:Body>
        <t:RequestSecurityToken Context="uuid-7db82975-2b22-4236-94a1-b3344a0bf04d-1" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
            <t:KeySize>256</t:KeySize>
            <t:BinaryExchange ValueType=" http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">FgMBAFoBAABWAwFQ9IhUFGUO6tCH+0baQ0n/3us//MMXzQA78Udm4xFj5gAAGAAvADUABQAKwBPAFMAJwAoAMgA4ABMABAEAABX/AQABAAAKAAYABAAXABgACwACAQA=</t:BinaryExchange>
        </t:RequestSecurityToken>
    </s:Body>
</s:Envelope>

You'll notice two problems:

  • No plaintext WSSE credentials. Passes a binary form of the credentials that the service won't use.
  • Authentication is in Body, not Header.
  • The request omits InputParameters.

Here's the essential C# code:

var service = new ServiceWithBizarreNameFromPeoplesoft();

if (service.ClientCredentials == null)
   throw new NullReferenceException();
service.ClientCredentials.UserName.UserName = "test";
service.ClientCredentials.UserName.Password = "password";

var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential) {Security = new WSHttpSecurity()};
service.Endpoint.Binding = binding;

binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
binding.Security.Mode = SecurityMode.Message;

var input = new InputParameters { Last_Name = "Cambre", First_Name = "Aren" };

var returnData = service.BizarrePeopleSoftNameForMethod(input);

There's no HTTP layer security, and transport is SSL-encrypted. Authentication is only based on the SOAP message.

like image 827
Aren Cambre Avatar asked Jan 14 '13 22:01

Aren Cambre

1 Answers

That is request for WS-SecureConversation token. It is used by WSHttpSecurity by default unless you change its EstablishSecurityContext property to false. Use this binding instead:

var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);    
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;

It will use SOAP 1.1 with UserName token and it will require HTTPS transport.

Edit:

For testing without HTTPS try to use this custom binding:

var securityElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
securityElement.AllowInsecureTransport = true;

var encodingElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
var transportElement = new HttpTransportBindingElement();

var binding = new CustomBinding(securityElement, encodingElement, transportElement);
like image 56
Ladislav Mrnka Avatar answered Oct 21 '22 19:10

Ladislav Mrnka
Sign in to Comment

Related questions

Roslyn Add a document to a project
Difference between Templates
Returning generic without knowing type
Running a mini-program in Mono.Csharp
How do I get file paths of items dropped onto a console application window?
System.Threading.Timer Not Starting?
Why is .NET's Complex type broken?
Emitting delegate function call
NewtonSoft JSON serializer and UTF8 support [closed]
Using a Property mapping with a Formula in NHIbernate
c# MemoryStream Encoding Vs. Encoding.GetChars()
Mono for Android - Supported Architecture - Drop x86?
Custom vs. non-custom attributes?
Error: Cannot obtain Metadata from http ......?wsdl
How to determine type of a variable? (not the type of the object)
TreeView/TreeViewItem ControlTemplates with dotted lines
How to highlight a selected item in the LongListSelector on WP8?
Unable to find the requested .Net Framework Data Provider. It may not be installed. vs 2010 and sql server 2008 express
How to set cells' background?
ContinuousTest / Moose : Here Be Dragons and general overlay questions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!