tags:

views:

54

answers:

2
Q: 

Multiple Protection Levels does not work in WCF

Hi every one,

I am facing a problem in the security part of WCF.

The problem is: Partial encryption is not working for the message payload. It either encrypts the payload completely or keeps unencrypted the whole payload when I change the ProtectionLevel at the MessageContract and MessageBodyMember Attributes.

Ie, the partial encryption does not work, where I want the root tag of the payload(Message Body Element) unencrypted and the rest, ie, the child elements of the root tag to be encrypted. This behaviour is required for the enpoint-mapping of the spring webservices, at the server.

This is a Dot Net client program of Web Service developed in Java(Contract First WebService Developed in Spring WS). It uses mutual certificates for security.

I am using a custom binding, of messageSecurityVersion, WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.

I am not sure if it is related to the WS-Addressing support for this binding.

Here is my app.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
      <section name="DISClientLibTest.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
    </sectionGroup>
  </configSections>

  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="messages"
          type="System.Diagnostics.XmlWriterTraceListener"
          initializeData="c:\logs\messages.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>

  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DISEndPointBehaviour">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" storeName="Root" 
                               x509FindType="FindBySubjectName" findValue="d-i-s-partner"/>
            <serviceCertificate>
              <defaultCertificate storeLocation="LocalMachine" storeName="Root"
                                  x509FindType="FindBySubjectName" findValue="dis"/>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>

      </endpointBehaviors>
    </behaviors>

    <bindings>
      <customBinding>
        <binding name="DISMutualCertificateDuplexBinding">
          <!--<security authenticationMode="MutualCertificateDuplex"-->
          <security authenticationMode="MutualCertificate"
                    includeTimestamp="false"
                    requireDerivedKeys="false"
                    keyEntropyMode="ClientEntropy"
                    messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"/>
          <textMessageEncoding messageVersion="Soap11WSAddressing10"/>
          <httpTransport manualAddressing="false"/>
        </binding>
      </customBinding>

    </bindings>
    <client>
      <endpoint binding="customBinding" 
                bindingConfiguration="DISMutualCertificateDuplexBinding"
                contract="DaDeskDataExchange" 
                name="DaDeskDataExchangeSoap11_DaDeskDataExchange"
                address="http://192.168.0.27:8080/disweb/1.0/spring-ws/"
                behaviorConfiguration="DISEndPointBehaviour">
        <identity>
          <dns value="dis"/>
        </identity>
        <headers>
          <wsse:UsernameToken
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="UsernameToken-6"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
            <wsse:Username>50001</wsse:Username>
            <wsse:Password
              Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"&gt;bmkWaU4qDZK7B/DPXqoHysN4LaQ=&lt;/wsse:Password&gt;
            <wsse:Nonce
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"&gt;dvSBmtESEOGb96pQIZJZWw==&lt;/wsse:Nonce&gt;
            <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
          </wsse:UsernameToken>
        </headers>
      </endpoint>
    </client>
    <diagnostics>
      <messageLogging logEntireMessage="true" 
                      logMalformedMessages="true" 
                      logMessagesAtTransportLevel="true" 
                      logMessagesAtServiceLevel="true"/>
    </diagnostics>

  </system.serviceModel>
</configuration>

Here is the proxy class(only the relevant part) generated by svcutil

[System.CodeDom.Compiler.GeneratedCodeAttribute("svcutil", "4.0.30319.1")]
[System.SerializableAttribute()]
[System.Diagnostics.DebuggerStepThroughAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://www.dadesk.com/dis/schema")]
// This is added for bypassing encryption
[System.ServiceModel.MessageContract(ProtectionLevel = System.Net.Security.ProtectionLevel.None)]
public partial class getActualInvoiceOutputRequest
{

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string interfaceUniqueReferenceField;

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string invoiceIdField;

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string daEventField;

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 0)]
    public string interfaceUniqueReference
    {
        get
        {
            return this.interfaceUniqueReferenceField;
        }
        set
        {
            this.interfaceUniqueReferenceField = value;
        }
    }

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 1)]
    public string invoiceId
    {
        get
        {
            return this.invoiceIdField;
        }
        set
        {
            this.invoiceIdField = value;
        }
    }

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 2)]
    public string daEvent
    {
        get
        {
            return this.daEventField;
        }
        set
        {
            this.daEventField = value;
        }
    }
}

The expected SOAP Request

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"&gt;
 <SOAP-ENV:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
   <wsse:BinarySecurityToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    wsu:Id="CertId-1BC7C7CC8C1DC237A312742702475786"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;MIIBoTCCAQqgAwIBAgIES+Jf0jANDA2MjEwNlowFTETMBEGA1UEAxMKZGlzcGFydG5lcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAiSzYcGY6SZvtyX/HzIT9zgzlf1/stzTo2WN2/zikebOY+K8pOfc8IU2vxsDp+b4Jc/KSMzZIocPejHhyRXKKuf36TckHclkgkqhkiG9w0BAQUFAAOBgQAepQ1pXeyveQCPRQSnjcJKnXBbLiPql+UeScmaqXBqBOrUGFRe8AX4PEh28qmomwWfdJ7abV1yShFvnAcZBP5gM6KrS1fZ2lCQu7sLyk8YW3zBLqs1Bm6bf4GTfywd2+mURJZuTwx/vqe2d5xNsfD9BOEJ6hlxzdzKlZR111O4IQ==
   </wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Id="Signature-7">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
     <ds:Reference URI="#id-8">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>O+wONgrnKflVXuIf/QqMIVPHICg=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
     cPLtiHI8a3Ay7lCau0wosF7pakNPaOkFdmjC8osUqkUUECjQvSPCoVyWZldPxheWIEEM1qUAR7X2
     1cOFNn2YUfTu9c3ElEgfRycDUTpcvF5hs37Er+ssR3QBKQ9Jmd76MHcc8LW12KNGGWZn/grUMhnR
     uuOzSrfAtOHYK22wPvE=
</ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1BC7C7CC8C1DC237A312742702475787">
     <wsse:SecurityTokenReference
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="STRId-1BC7C7CC8C1DC237A312742702475788"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
      <wsse:Reference URI="#CertId-1BC7C7CC8C1DC237A312742702475786"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsse:UsernameToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="UsernameToken-6"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
    <wsse:Username>115394</wsse:Username>
    <wsse:Password
     Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"&gt;bmkWaU4qDZK7B/DPXqoHysN4LaQ=&lt;/wsse:Password&gt;
    <wsse:Nonce
     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"&gt;dvSBmtESEOGb96pQIZJZWw==&lt;/wsse:Nonce&gt;
    <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
   </wsse:UsernameToken>
  </wsse:Security>
 </SOAP-ENV:Header>
 <SOAP-ENV:Body
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  wsu:Id="id-8">
              <!---- I need the root tag un-encrypted-->
  <getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema"&gt;
              <!---- I need the content encrypted-->
   <interfaceUniqueReference>aasd</interfaceUniqueReference>
   <invoiceId>-1</invoiceId>
   <daEvent>1</daEvent>
  </getActualInvoiceOutputRequest>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

In the above SOAP message, inside the body, I need the contents of getActualInvoiceOutputRequest to be encrypted, and do not want getActualInvoiceOutputRequest to be encrypted. Right now, the whole body content is rendered encrypted.

I followed the guidelines given in the following MSDN web page http://msdn.microsoft.com/en-us/library/aa347692.aspx

It warns about the WS-Addressing Dependency. It has a statement, [For example, the BasicHttpBinding class does not support the specification, or if you create a custom binding that does not support WS-Addressing.].

I am suspecting that area, the WS-Addressing support for my custom binding. Can some one help on this ?

Thanks, Shameer

A: 

Your custom binding specifies WS-Addressing but expected SOAP request doesn't use it. I'm affraid this is the part where interoperability is broken. Do you have WSDL for the service which describes security settings? Do you also have example of SOAP request which uses encryption?

Ladislav Mrnka  2010-08-18 09:03:41
Unfortunately, the wsdl does not describe the security settings. It can be accessed here..http://83.111.89.230/disweb/1.0/spring-ws/DaDeskDataExchange/dataexchange.wsdl.It is a public IP.
Shameer Kunjumohamed  2010-08-18 11:12:27
And do you have example of valid request and response? Btw. check my post: http://stackoverflow.com/questions/3457378/web-service-interoperability-broken-by-developers-incompetence
Ladislav Mrnka  2010-08-18 11:24:03
How can I add a big block of XMl here ? It doesnt allow me to add more than 600 chars. Can you advice ?
Shameer Kunjumohamed  2010-08-18 11:56:19
A: 

Here is the example SOAP request which uses proper level of encryption, which is the expected SOAP request, generated by a java client.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"&gt;
<SOAP-ENV:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP-ENV:mustUnderstand="1">
<xenc:EncryptedKey Id="EncKeyId-B521E60EB6640CC36812821275442335"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"&gt;
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=dis</ds:X509IssuerName>
<ds:X509SerialNumber>1273126865</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>uVuKFUAyy7NvyMJuFgqB27nZ/uf1YCQLOjQJrOJN+iAiUGYBcIFYThpr+D2UK5l80HzWL8KUbbg8YcurjwOzuLM+DvuXbnsP3niFlFNipB0FTmnojD5t5J7xinRzfRzSVpSxxa/czOdFZTwyPclnUNFWEsWML8npQNOX2gir3Lk=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-4" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-B521E60EB6640CC36812821275439461"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;MIIBoTCCAQqgAwIBAgIES+Jf0jANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpkaXNwYXJ0bmVyMB4XDTEwMDUwNjA2MjEwNloXDTM3MDkyMDA2MjEwNlowFTETMBEGA1UEAxMKZGlzcGFydG5lcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAiSzYcGY6SZvtyX/HzIT9zgzlf1/stzTo2WN2/zikebOY+K8pOfc8IU2vxsDp+b4Jc/KSMzZIocPejHhyRXKKuf36TckHclkZCpIil24gHZdARUQXRrm0izFwMkACEeHoTv6/35FjSiQpntBxbaTLmGZ4U93Pjuko2jlBheiFeq0CAwEAATANBgkqhkiG9w0BAQUFAAOBgQAepQ1pXeyveQCPRQSnjcJKnXBbLiPql+UeScmaqXBqBOrUGFRe8AX4PEh28qmomwWfdJ7abV1yShFvnAcZBP5gM6KrS1fZ2lCQu7sLyk8YW3zBLqs1Bm6bf4GTfywd2+mURJZuTwx/vqe2d5xNsfD9BOEJ6hlxzdzKlZR111O4IQ==&lt;/wsse:BinarySecurityToken&gt;
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>cYtMaQuuiVAho+6m8lj66ZPLFJc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ccAZE+FRn2ads52Ma5FsoYPx8P3SBYqjRYSctTNUmcsDQEhHowOoTyhkW5IElo9r/GaGWL0EBfmC
SyNBh/qtKA4YHxjradG2Mk2Bxv/aRGuxaCllYTTr1kr37vC1fYiWVI2QrjbGOvp0i/5RgLanl40k
gkDxle9CxegVDdZkijI=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-B521E60EB6640CC36812821275439532">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-B521E60EB6640CC36812821275439553"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<wsse:Reference URI="#CertId-B521E60EB6640CC36812821275439461"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<wsse:Username>119136</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"&gt;R3WWGSkNtmPztaSUbiyAWOcpwTM=&lt;/wsse:Password&gt;
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"&gt;pkJh0dN0yE8iIRe49T1bwg==&lt;/wsse:Nonce&gt;
<wsu:Created>2010-08-18T10:32:23.937Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-3">
<getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema"&gt;
<xenc:EncryptedData Id="EncDataId-4"
Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"&gt;
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"&gt;
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<wsse:Reference URI="#EncKeyId-B521E60EB6640CC36812821275442335"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Qg9GlqcRgEi6EJACo/RxVYbUTdX2fnHUdrmdsXolHPFcigsuTMMwj0ST5DIXuh3C4nB738Acd8ez
hKyZdDR2skNYIWHKGzM8wuT3wrjbZGAnXl78PtzjfNSyldmwm1cm4JxW2YH0QvtUq5e2exVOnkVT
ojBtvxYSjQl2F/pK0uawD/m3RFFyqB3/lOWShYSLqW+H5h0d96FxIyVPb27z+mGK0xRXO9sh51ES
4wHozKnQvSMBbokOPaHLMgyNBqkRvDX5bNvsvnpyjBT8trlaSQYE6l+zyqSIj8apu+HxpLM8g73f
MPeGyzn28I078ZVe6vOzVPhXsSLMEUwtEHWjHIe49h6uGGLg2xd5pehbXxqDbw2/a1UipBOOjz4v
5UYVoFtw7OjfONbPrrhqEkyg8zV2S4SPH6ItGKYLuiLNGV7XEXgc4dhyZ+qV/byJ/tqxuP2eNF6+
a2pp+jEQ8z0QCLZSnWicrbz3sbRHzM2CyZk=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</getActualInvoiceOutputRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

And my Dotnet client currently generates the following request

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"&gt;
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_3"></a:Action>
<a:MessageID u:Id="_4">urn:uuid:cbfc787e-d759-41b6-a919-9aba6fbd4fe6</a:MessageID>
<a:ReplyTo u:Id="_5">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous&lt;/a:Address&gt;
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_6">http://192.168.0.27:8080/disweb/1.0/spring-ws/&lt;/a:To&gt;
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#"&gt;
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"&gt;
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;&lt;/DigestMethod&gt;
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=dis</X509IssuerName>
<X509SerialNumber>1273126865</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>YYorbYHYP+AmYDttzFQ4BtlnmvQPZVbIZqy/VD5eQendMmhZXXEKNiv32BVAqBDwmmiXzHjjaPkWOfA4Q0iRG6XNvFzmxo6G2hc3WJ+6ZDW/8RFaCjEjtGNp9LezuDrIBjdfMXZOR63H809mB4wtDwamg6eIxn64UmXfwybbNw4=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/CanonicalizationMethod&gt;
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"&gt;&lt;/SignatureMethod&gt;
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/Transform&gt;
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"&gt;&lt;/DigestMethod&gt;
<DigestValue>LGEAlgVrR38d/JwppXPW4KvY/K0=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/Transform&gt;
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"&gt;&lt;/DigestMethod&gt;
<DigestValue>a8T/6AHa4bBGUI0zRJY5m1I0kYo=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/Transform&gt;
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"&gt;&lt;/DigestMethod&gt;
<DigestValue>hv0eRU3IzGVmeDHlGzlHyzVChkM=</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/Transform&gt;
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"&gt;&lt;/DigestMethod&gt;
<DigestValue>k69pykploFPkXhw5ogDHcjcJUI0=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"&gt;&lt;/Transform&gt;
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"&gt;&lt;/DigestMethod&gt;
<DigestValue>wnN99C6DCmP7MaOlTJxf10Urf/k=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>e2kDwoGU0XrmkUqO1rpkKSwYDMe327XN0hTLSQtutm04BX7+JjxbO5EbmmgX3F/hdKFjUk5rDdWxu1AC1LRlAhwiZKqzhnMx05ixuGoAxmlTLnL+ItdLTomOaOHkf7b7KNZouZDuCNeE/VdiQBOEmCYw2XfoukZxvIqyA03YffY=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-127196be-7cc5-47ce-abd2-90d000c4fa2b-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#"&gt;
<e:DataReference URI="#_1"></e:DataReference>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"&gt;
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#"&gt;
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"&gt;&lt;/e:EncryptionMethod&gt;
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"&gt;
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>rPnwZV8JzRPPf7jAR6HCNRTvELt5caZbyyBzs1icNP+5HPmKxzPfROs8aq4Soi5+HfOpAsanW6IdA3o9m466WOM4jVorN7dx+8VCygsKfp79JtniFfH3Us9YlJsjgxljCM5QvH84ZkXc/+TJy+zVwpTm0t3mEB8h83gDA0ZOYkCXG8ksZhOwvj4aaLpDoBI+e/4usJ2XsW2oi2xF8sCFzV20X4S/IJlTyUHqeQcW5N8evXF0A8K64FfnoFARCe/Bkq2kmbclNRBmCZE+sJNTNxkYVlA6QufCPASgZJg35fwDveHTcQb19IqccGC51khQWV8L4gIhnJ2RSRzgsDjuzO8wGYTjoSBvm18hfHMywqdEyUCYX9bFEGcaBFMevD9mIu/B/ksh6nqkp30NGctReupdTFyrNcUn9Zqu/xlwU/uJws4LIk4G7ggjF4IrqjOu</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Shameer Kunjumohamed  2010-08-18 12:03:23
I tryed to use your message contracts in test WCF service and I wasn't able to make it work even if I used WS-Addressing. It always encrypts whole body. I suggest place the same question on MSDN forum and if you can contact MS support. MSDN: http://social.msdn.microsoft.com/Forums/en-US/wcf/threads
Ladislav Mrnka  2010-08-18 22:20:04
Thanks very much for your efforts. I will post in MSDN forums soon.
Shameer Kunjumohamed  2010-08-19 06:15:04

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords