Hi everyone,
I am facing a problem in the security part of WCF.
The problem is: partial encryption is not working for the message payload. It either encrypts the payload completely or leaves the whole payload unencrypted when I change the ProtectionLevel on the MessageContract and MessageBodyMember attributes.
I.e., partial encryption does not work where I want the root tag of the payload (the message body element) unencrypted and the rest, i.e. the child elements of the root tag, encrypted. This behaviour is required for the endpoint mapping of Spring Web Services at the server.
This is a .NET client program for a web service developed in Java (a contract-first web service built with Spring WS). It uses mutual certificates for security.
I am using a custom binding with messageSecurityVersion WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.
I am not sure if it is related to the WS-Addressing support for this binding.
Here is my app.config:
<?xml version="1.0" encoding="utf-8"?>
<!-- WCF client configuration for the DaDesk data-exchange endpoint: mutual X.509 message security over plain HTTP. -->
<configuration>
<configSections>
<sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
<section name="DISClientLibTest.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
</sectionGroup>
</configSections>
<!-- Trace listener for the System.ServiceModel.MessageLogging source. Together with the messageLogging
     element at the end of system.serviceModel this writes every message to the file below, including the
     UsernameToken header and, at service level, the body before security is applied (i.e. in clear text).
     Keep this for troubleshooting only and restrict access to the log directory. -->
<system.diagnostics>
<sources>
<source name="System.ServiceModel.MessageLogging">
<listeners>
<add name="messages"
type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\logs\messages.svclog" />
</listeners>
</source>
</sources>
</system.diagnostics>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<!-- Credentials referenced by the client endpoint below (behaviorConfiguration). -->
<behavior name="DISEndPointBehaviour">
<clientCredentials>
<!-- The client's own certificate (its private key signs outgoing messages), resolved by subject name from
     the machine Trusted Root store. NOTE(review): a certificate with a private key is normally kept in the
     Personal ("My") store; everything placed in Root also becomes a trust anchor for the whole machine.
     Confirm that this store is intended. -->
<clientCertificate storeLocation="LocalMachine" storeName="Root"
x509FindType="FindBySubjectName" findValue="d-i-s-partner"/>
<serviceCertificate>
<!-- Certificate of the service, used to encrypt outgoing messages; also resolved from Root by subject name. -->
<defaultCertificate storeLocation="LocalMachine" storeName="Root"
x509FindType="FindBySubjectName" findValue="dis"/>
<!-- PeerOrChainTrust: the service certificate is accepted if it is in the TrustedPeople store or chains to a trusted root. -->
<authentication certificateValidationMode="PeerOrChainTrust"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<customBinding>
<binding name="DISMutualCertificateDuplexBinding">
<!--<security authenticationMode="MutualCertificateDuplex"-->
<!-- Message-level security with X.509 tokens on both sides.
     includeTimestamp="false" omits the wsu:Timestamp, so messages carry no freshness information and any
     replay detection has to come from elsewhere (see the note on the static UsernameToken below).
     messageProtectionOrder="EncryptBeforeSign" means the signature is computed over the ciphertext. -->
<security authenticationMode="MutualCertificate"
includeTimestamp="false"
requireDerivedKeys="false"
keyEntropyMode="ClientEntropy"
messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"/>
<!-- Soap11WSAddressing10: SOAP 1.1 with WS-Addressing 1.0 headers. NOTE(review): because WS-Addressing is
     enabled here, the addressing dependency suspected in the question may not be the cause; check the
     logged request for wsa: headers to confirm. -->
<textMessageEncoding messageVersion="Soap11WSAddressing10"/>
<!-- Plain HTTP transport: only the parts covered by message security are protected on the wire, so an
     unencrypted root element and the SOAP headers are visible to anyone on the network path. -->
<httpTransport manualAddressing="false"/>
</binding>
</customBinding>
</bindings>
<client>
<endpoint binding="customBinding"
bindingConfiguration="DISMutualCertificateDuplexBinding"
contract="DaDeskDataExchange"
name="DaDeskDataExchangeSoap11_DaDeskDataExchange"
address="http://192.168.0.27:8080/disweb/1.0/spring-ws/"
behaviorConfiguration="DISEndPointBehaviour">
<!-- Expected identity of the service; WCF compares it with the subject of the service certificate ("dis" above). -->
<identity>
<dns value="dis"/>
</identity>
<!-- Static SOAP header added to every request. NOTE(review): WCF emits the content of <headers> as an
     ordinary header, i.e. a sibling of the wsse:Security block it generates, whereas the expected request
     places the UsernameToken inside wsse:Security. The PasswordDigest, Nonce and Created values are also
     fixed here, so every message carries an identical token: a server that caches nonces will reject the
     repeats, and a server that does not gets no replay protection from the digest at all. The Username
     here (50001) differs from the one in the expected request (115394) as well. -->
<headers>
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-6"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>50001</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce>
<wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
</wsse:UsernameToken>
</headers>
</endpoint>
</client>
<!-- Logs whole messages at both transport level (as sent on the wire) and service level (clear text).
     Disable outside of troubleshooting; see the listener in system.diagnostics for the output file. -->
<diagnostics>
<messageLogging logEntireMessage="true"
logMalformedMessages="true"
logMessagesAtTransportLevel="true"
logMessagesAtServiceLevel="true"/>
</diagnostics>
</system.serviceModel>
</configuration>
Here is the proxy class (only the relevant part) generated by svcutil:
/// <summary>
/// Request body of the getActualInvoiceOutput operation (svcutil output, hand-edited).
/// The MessageContract attribute sets the wrapper's protection level to None while every body
/// member asks for EncryptAndSign, i.e. the intent is an unencrypted root element with encrypted
/// children.
/// NOTE(review): the MessageBodyMember attributes sit on the private fields (names ending in
/// "Field"), whereas the XmlElement attributes and the element names in the expected SOAP request
/// belong to the public properties. If WCF honours these attributes it will use the member names
/// unless Name="..." is given; confirm how the body parts are actually serialized.
/// </summary>
[System.CodeDom.Compiler.GeneratedCodeAttribute("svcutil", "4.0.30319.1")]
[System.SerializableAttribute()]
[System.Diagnostics.DebuggerStepThroughAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://www.dadesk.com/dis/schema")]
[System.ServiceModel.MessageContract(ProtectionLevel = System.Net.Security.ProtectionLevel.None)]
public partial class getActualInvoiceOutputRequest
{
    // Backing fields, each declared as an individually protected body member.
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string interfaceUniqueReferenceField;

    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string invoiceIdField;

    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string daEventField;

    /// <summary>First child element of the request (Order = 0).</summary>
    [System.Xml.Serialization.XmlElementAttribute(Order = 0)]
    public string interfaceUniqueReference
    {
        get { return this.interfaceUniqueReferenceField; }
        set { this.interfaceUniqueReferenceField = value; }
    }

    /// <summary>Second child element of the request (Order = 1).</summary>
    [System.Xml.Serialization.XmlElementAttribute(Order = 1)]
    public string invoiceId
    {
        get { return this.invoiceIdField; }
        set { this.invoiceIdField = value; }
    }

    /// <summary>Third child element of the request (Order = 2).</summary>
    [System.Xml.Serialization.XmlElementAttribute(Order = 2)]
    public string daEvent
    {
        get { return this.daEventField; }
        set { this.daEventField = value; }
    }
}
The expected SOAP request:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
<!-- Client certificate carried inline; the signature's KeyInfo refers to it by wsu:Id. -->
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-1BC7C7CC8C1DC237A312742702475786"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIBoTCCAQqgAwIBAgIES+Jf0jANDA2MjEwNlowFTETMBEGA1UEAxMKZGlzcGFydG5lcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAiSzYcGY6SZvtyX/HzIT9zgzlf1/stzTo2WN2/zikebOY+K8pOfc8IU2vxsDp+b4Jc/KSMzZIocPejHhyRXKKuf36TckHclkgkqhkiG9w0BAQUFAAOBgQAepQ1pXeyveQCPRQSnjcJKnXBbLiPql+UeScmaqXBqBOrUGFRe8AX4PEh28qmomwWfdJ7abV1yShFvnAcZBP5gM6KrS1fZ2lCQu7sLyk8YW3zBLqs1Bm6bf4GTfywd2+mURJZuTwx/vqe2d5xNsfD9BOEJ6hlxzdzKlZR111O4IQ==
</wsse:BinarySecurityToken>
<!-- Signature over the Body only (Reference URI="#id-8"). No wsu:Timestamp is present or signed, so the
     signature by itself gives no freshness guarantee. rsa-sha1 and sha1 are legacy algorithms; a newer
     profile would use SHA-256 variants. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-7">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-8">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>O+wONgrnKflVXuIf/QqMIVPHICg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
cPLtiHI8a3Ay7lCau0wosF7pakNPaOkFdmjC8osUqkUUECjQvSPCoVyWZldPxheWIEEM1qUAR7X2
1cOFNn2YUfTu9c3ElEgfRycDUTpcvF5hs37Er+ssR3QBKQ9Jmd76MHcc8LW12KNGGWZn/grUMhnR
uuOzSrfAtOHYK22wPvE=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-1BC7C7CC8C1DC237A312742702475787">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-1BC7C7CC8C1DC237A312742702475788"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#CertId-1BC7C7CC8C1DC237A312742702475786"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<!-- UsernameToken inside wsse:Security, as the service expects it. It is not covered by the signature above,
     so the server has to treat it as unauthenticated data in its own right. -->
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-6"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>115394</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce>
<wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-8">
<!-- I need the root tag un-encrypted -->
<getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema">
<!-- I need the content encrypted (the three child elements below) -->
<interfaceUniqueReference>aasd</interfaceUniqueReference>
<invoiceId>-1</invoiceId>
<daEvent>1</daEvent>
</getActualInvoiceOutputRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
In the above SOAP message, inside the body, I need the contents of getActualInvoiceOutputRequest to be encrypted, but I do not want the getActualInvoiceOutputRequest element itself to be encrypted. Right now, the whole body content is emitted encrypted.
I followed the guidelines given in the following MSDN web page http://msdn.microsoft.com/en-us/library/aa347692.aspx
It warns about a WS-Addressing dependency, with the statement: "For example, the BasicHttpBinding class does not support the specification, or if you create a custom binding that does not support WS-Addressing."
I suspect that area: the WS-Addressing support of my custom binding. Can someone help with this?
Thanks, Shameer