ansaurus

Question

WCF Message Credential Implementation Details

Answer 1

A:

In your case since your are hard coding them in the code, they will be stored in the dll.

Try opening the dll with reflector, and your should be able to find them.

Shiraz Bhaiji 2009-10-28 13:48:16

I'm actually looking to find out how they are passed in the SOAP 1.2 message -not what the username and password are in the .net code client assembly

Toran Billups 2009-10-28 13:55:59

I think that they are in the SOAP Header, you could use fiddler to check. You need to run over ssl in you want to protect them from sniffers.

Shiraz Bhaiji 2009-10-28 14:07:11

Answer 2

A:

Here's how a sample SOAP message might look like:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"&gt;
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue&lt;/a:Action&gt;
    <a:MessageID>urn:uuid:01d3a7d2-dc5a-42cf-acf0-3dd6bd50230e</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous&lt;/a:Address&gt;
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">http://localhost:9999/Service1.svc&lt;/a:To&gt;
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken Context="uuid-7c240c06-c14b-42af-82dd-10f44f423928-1" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"&gt;
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct&lt;/t:TokenType&gt;
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue&lt;/t:RequestType&gt;
      <t:KeySize>256</t:KeySize>
      <t:BinaryExchange ValueType="http://schemas.xmlsoap.org/ws/2005/02/trust/spnego" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"&gt;YGsGBisGAQUFAqBhMF+gJDAiBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAqI3BDVOVExNU1NQAAEAAAC3shjiBgAGAC8AAAAHAAcAKAAAAAUBKAoAAAAPU0cyMjA1Nk1BVE1VVA==&lt;/t:BinaryExchange&gt;
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>

Darin Dimitrov 2009-10-28 14:04:34

excellent - so in the body under "request security token" would you also see the username + password or ?

Toran Billups 2009-10-28 14:12:48

I'm not sure what an RequestSecurityToken has to do with this question about UsernameTokens...?

Drew Marsh 2009-10-28 23:01:06

This is only the first part (request) of the WS-Trust handshake used to establish a security context. You can read in more details about it here: http://specs.xmlsoap.org/ws/2005/02/trust/ws-trust.pdf

Darin Dimitrov 2009-10-29 07:31:10

Answer 3

+1 A:

By setting the UserNameCredentials you are in fact leveraging the Username Token Profile. This causes the token to be added to the message as a SOAP header. The SOAP header will look something like this:

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
    <env:Header>
        <wsse:UsernameToken>
            <wsse:Username>jdoe</wsse:Username>
            <wsse:Password>passw0rd</wsse:Password>
            <wsse:Nonce><!-- optional nonce here --></wsse:Nonce>
        </wsse:UsernameToken>
    </env:Header>
    <env:Body>
        <!-- body here -->
    </env:Body>
</env:Envelope>

Now, I'm not exactly sure why you're mentioning WSDL. The token wouldn't appear in the WSDL, though the WSDL should contain the proper WS-Policy annontations on the operation. This would let consumers of the WSDL discover that they actually need to send in the UsernamePasswordToken to the request.

Finally, someone brought up RequestSecurityToken (RST), but there shouldn't (need to) be an RST involed if you're just using simple UsernameToken authentication. The only time an RST needs to be involved is if you're doing a token exchange with a Secure Token Server (STS) using WS-Trust.

Drew Marsh 2009-10-28 23:00:08

ansaurus

tags:

views:

answers:

WCF Message Credential Implementation Details

related questions