views: 54

answers: 2
Hi every one,

I am facing a problem in the security part of WCF.

The problem is: partial encryption is not working for the message payload. It either encrypts the payload completely or leaves the whole payload unencrypted when I change the ProtectionLevel on the MessageContract and MessageBodyMember attributes.

I.e., the partial encryption does not work, where I want the root tag of the payload (Message Body Element) unencrypted and the rest, i.e., the child elements of the root tag, to be encrypted. This behaviour is required for the endpoint-mapping of Spring Web Services at the server.

This is a .NET client program for a web service developed in Java (a contract-first web service developed in Spring WS). It uses mutual certificates for security.

I am using a custom binding with the messageSecurityVersion WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.

I am not sure if it is related to the WS-Addressing support for this binding.

Here is my app.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" >
      <section name="DISClientLibTest.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" />
    </sectionGroup>
  </configSections>

  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="messages"
          type="System.Diagnostics.XmlWriterTraceListener"
          initializeData="c:\logs\messages.svclog" />
        </listeners>
      </source>
    </sources>
  </system.diagnostics>

  <system.serviceModel>
    <behaviors>
      <endpointBehaviors>
        <behavior name="DISEndPointBehaviour">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" storeName="Root" 
                               x509FindType="FindBySubjectName" findValue="d-i-s-partner"/>
            <serviceCertificate>
              <defaultCertificate storeLocation="LocalMachine" storeName="Root"
                                  x509FindType="FindBySubjectName" findValue="dis"/>
              <authentication certificateValidationMode="PeerOrChainTrust"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>

      </endpointBehaviors>
    </behaviors>

    <bindings>
      <customBinding>
        <binding name="DISMutualCertificateDuplexBinding">
          <!--<security authenticationMode="MutualCertificateDuplex"-->
          <security authenticationMode="MutualCertificate"
                    includeTimestamp="false"
                    requireDerivedKeys="false"
                    keyEntropyMode="ClientEntropy"
                    messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"/>
          <textMessageEncoding messageVersion="Soap11WSAddressing10"/>
          <httpTransport manualAddressing="false"/>
        </binding>
      </customBinding>

    </bindings>
    <client>
      <endpoint binding="customBinding" 
                bindingConfiguration="DISMutualCertificateDuplexBinding"
                contract="DaDeskDataExchange" 
                name="DaDeskDataExchangeSoap11_DaDeskDataExchange"
                address="http://192.168.0.27:8080/disweb/1.0/spring-ws/"
                behaviorConfiguration="DISEndPointBehaviour">
        <identity>
          <dns value="dis"/>
        </identity>
        <headers>
          <wsse:UsernameToken
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="UsernameToken-6"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <wsse:Username>50001</wsse:Username>
            <wsse:Password
              Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password>
            <wsse:Nonce
              EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce>
            <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
          </wsse:UsernameToken>
        </headers>
      </endpoint>
    </client>
    <diagnostics>
      <messageLogging logEntireMessage="true" 
                      logMalformedMessages="true" 
                      logMessagesAtTransportLevel="true" 
                      logMessagesAtServiceLevel="true"/>
    </diagnostics>

  </system.serviceModel>
</configuration>

Here is the proxy class (only the relevant part) generated by svcutil:

[System.CodeDom.Compiler.GeneratedCodeAttribute("svcutil", "4.0.30319.1")]
[System.SerializableAttribute()]
[System.Diagnostics.DebuggerStepThroughAttribute()]
[System.ComponentModel.DesignerCategoryAttribute("code")]
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://www.dadesk.com/dis/schema")]
// This is added for bypassing encryption
[System.ServiceModel.MessageContract(ProtectionLevel = System.Net.Security.ProtectionLevel.None)]
public partial class getActualInvoiceOutputRequest
{

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string interfaceUniqueReferenceField;

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string invoiceIdField;

    // This is added for bypassing encryption
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)]
    private string daEventField;

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 0)]
    public string interfaceUniqueReference
    {
        get
        {
            return this.interfaceUniqueReferenceField;
        }
        set
        {
            this.interfaceUniqueReferenceField = value;
        }
    }

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 1)]
    public string invoiceId
    {
        get
        {
            return this.invoiceIdField;
        }
        set
        {
            this.invoiceIdField = value;
        }
    }

    /// <remarks/>
    [System.Xml.Serialization.XmlElementAttribute(Order = 2)]
    public string daEvent
    {
        get
        {
            return this.daEventField;
        }
        set
        {
            this.daEventField = value;
        }
    }
}

The expected SOAP request:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1">
   <wsse:BinarySecurityToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
    wsu:Id="CertId-1BC7C7CC8C1DC237A312742702475786"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIBoTCCAQqgAwIBAgIES+Jf0jANDA2MjEwNlowFTETMBEGA1UEAxMKZGlzcGFydG5lcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAiSzYcGY6SZvtyX/HzIT9zgzlf1/stzTo2WN2/zikebOY+K8pOfc8IU2vxsDp+b4Jc/KSMzZIocPejHhyRXKKuf36TckHclkgkqhkiG9w0BAQUFAAOBgQAepQ1pXeyveQCPRQSnjcJKnXBbLiPql+UeScmaqXBqBOrUGFRe8AX4PEh28qmomwWfdJ7abV1yShFvnAcZBP5gM6KrS1fZ2lCQu7sLyk8YW3zBLqs1Bm6bf4GTfywd2+mURJZuTwx/vqe2d5xNsfD9BOEJ6hlxzdzKlZR111O4IQ==
   </wsse:BinarySecurityToken>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Id="Signature-7">
    <ds:SignedInfo>
     <ds:CanonicalizationMethod
      Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
     <ds:Reference URI="#id-8">
      <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      </ds:Transforms>
      <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      <ds:DigestValue>O+wONgrnKflVXuIf/QqMIVPHICg=</ds:DigestValue>
     </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
     cPLtiHI8a3Ay7lCau0wosF7pakNPaOkFdmjC8osUqkUUECjQvSPCoVyWZldPxheWIEEM1qUAR7X2
     1cOFNn2YUfTu9c3ElEgfRycDUTpcvF5hs37Er+ssR3QBKQ9Jmd76MHcc8LW12KNGGWZn/grUMhnR
     uuOzSrfAtOHYK22wPvE=
     </ds:SignatureValue>
    <ds:KeyInfo Id="KeyId-1BC7C7CC8C1DC237A312742702475787">
     <wsse:SecurityTokenReference
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="STRId-1BC7C7CC8C1DC237A312742702475788"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:Reference URI="#CertId-1BC7C7CC8C1DC237A312742702475786"
       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
     </wsse:SecurityTokenReference>
    </ds:KeyInfo>
   </ds:Signature>
   <wsse:UsernameToken
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    wsu:Id="UsernameToken-6"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:Username>115394</wsse:Username>
    <wsse:Password
     Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password>
    <wsse:Nonce
     EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce>
    <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created>
   </wsse:UsernameToken>
  </wsse:Security>
 </SOAP-ENV:Header>
 <SOAP-ENV:Body
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  wsu:Id="id-8">
   <!-- I need the root tag un-encrypted -->
   <getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema">
   <!-- I need the content encrypted -->
   <interfaceUniqueReference>aasd</interfaceUniqueReference>
   <invoiceId>-1</invoiceId>
   <daEvent>1</daEvent>
  </getActualInvoiceOutputRequest>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

In the above SOAP message, inside the body, I need the contents of getActualInvoiceOutputRequest to be encrypted, and do not want getActualInvoiceOutputRequest to be encrypted. Right now, the whole body content is rendered encrypted.

I followed the guidelines given in the following MSDN web page: http://msdn.microsoft.com/en-us/library/aa347692.aspx

It warns about the WS-Addressing dependency. It has the statement: "For example, the BasicHttpBinding class does not support the specification, or if you create a custom binding that does not support WS-Addressing."

I am suspecting that area, the WS-Addressing support for my custom binding. Can someone help with this?

Thanks, Shameer

A: 

Your custom binding specifies WS-Addressing but the expected SOAP request doesn't use it. I'm afraid this is the part where interoperability is broken. Do you have a WSDL for the service which describes the security settings? Do you also have an example of a SOAP request which uses encryption?

Ladislav Mrnka
Unfortunately, the WSDL does not describe the security settings. It can be accessed here: http://83.111.89.230/disweb/1.0/spring-ws/DaDeskDataExchange/dataexchange.wsdl. It is a public IP.
Shameer Kunjumohamed
And do you have an example of a valid request and response? Btw, check my post: http://stackoverflow.com/questions/3457378/web-service-interoperability-broken-by-developers-incompetence
Ladislav Mrnka
How can I add a big block of XML here? It doesn't allow me to add more than 600 chars. Can you advise?
Shameer Kunjumohamed
A: 

Here is the example SOAP request which uses the proper level of encryption, which is the expected SOAP request, generated by a Java client:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<SOAP-ENV:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP-ENV:mustUnderstand="1">
<xenc:EncryptedKey Id="EncKeyId-B521E60EB6640CC36812821275442335"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=dis</ds:X509IssuerName>
<ds:X509SerialNumber>1273126865</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>uVuKFUAyy7NvyMJuFgqB27nZ/uf1YCQLOjQJrOJN+iAiUGYBcIFYThpr+D2UK5l80HzWL8KUbbg8YcurjwOzuLM+DvuXbnsP3niFlFNipB0FTmnojD5t5J7xinRzfRzSVpSxxa/czOdFZTwyPclnUNFWEsWML8npQNOX2gir3Lk=</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-4" />
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-B521E60EB6640CC36812821275439461"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>cYtMaQuuiVAho+6m8lj66ZPLFJc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
ccAZE+FRn2ads52Ma5FsoYPx8P3SBYqjRYSctTNUmcsDQEhHowOoTyhkW5IElo9r/GaGWL0EBfmC
SyNBh/qtKA4YHxjradG2Mk2Bxv/aRGuxaCllYTTr1kr37vC1fYiWVI2QrjbGOvp0i/5RgLanl40k
gkDxle9CxegVDdZkijI=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-B521E60EB6640CC36812821275439532">
<wsse:SecurityTokenReference
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-B521E60EB6640CC36812821275439553"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"&gt;
<wsse:Reference URI="#CertId-B521E60EB6640CC36812821275439461"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsse:UsernameToken
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="UsernameToken-1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>119136</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">R3WWGSkNtmPztaSUbiyAWOcpwTM=</wsse:Password>
<wsse:Nonce
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pkJh0dN0yE8iIRe49T1bwg==</wsse:Nonce>
<wsu:Created>2010-08-18T10:32:23.937Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</SOAP-ENV:Header>
<SOAP-ENV:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-3">
<getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema">
<xenc:EncryptedData Id="EncDataId-4"
Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#EncKeyId-B521E60EB6640CC36812821275442335"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>Qg9GlqcRgEi6EJACo/RxVYbUTdX2fnHUdrmdsXolHPFcigsuTMMwj0ST5DIXuh3C4nB738Acd8ez
hKyZdDR2skNYIWHKGzM8wuT3wrjbZGAnXl78PtzjfNSyldmwm1cm4JxW2YH0QvtUq5e2exVOnkVT
ojBtvxYSjQl2F/pK0uawD/m3RFFyqB3/lOWShYSLqW+H5h0d96FxIyVPb27z+mGK0xRXO9sh51ES
4wHozKnQvSMBbokOPaHLMgyNBqkRvDX5bNvsvnpyjBT8trlaSQYE6l+zyqSIj8apu+HxpLM8g73f
MPeGyzn28I078ZVe6vOzVPhXsSLMEUwtEHWjHIe49h6uGGLg2xd5pehbXxqDbw2/a1UipBOOjz4v
5UYVoFtw7OjfONbPrrhqEkyg8zV2S4SPH6ItGKYLuiLNGV7XEXgc4dhyZ+qV/byJ/tqxuP2eNF6+
a2pp+jEQ8z0QCLZSnWicrbz3sbRHzM2CyZk=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</getActualInvoiceOutputRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

And my .NET client currently generates the following request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_3"></a:Action>
<a:MessageID u:Id="_4">urn:uuid:cbfc787e-d759-41b6-a919-9aba6fbd4fe6</a:MessageID>
<a:ReplyTo u:Id="_5">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_6">http://192.168.0.27:8080/disweb/1.0/spring-ws/</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:BinarySecurityToken>
<!-- Removed-->
</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=dis</X509IssuerName>
<X509SerialNumber>1273126865</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>YYorbYHYP+AmYDttzFQ4BtlnmvQPZVbIZqy/VD5eQendMmhZXXEKNiv32BVAqBDwmmiXzHjjaPkWOfA4Q0iRG6XNvFzmxo6G2hc3WJ+6ZDW/8RFaCjEjtGNp9LezuDrIBjdfMXZOR63H809mB4wtDwamg6eIxn64UmXfwybbNw4=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#_2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>LGEAlgVrR38d/JwppXPW4KvY/K0=</DigestValue>
</Reference>
<Reference URI="#_3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>a8T/6AHa4bBGUI0zRJY5m1I0kYo=</DigestValue>
</Reference>
<Reference URI="#_4">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>hv0eRU3IzGVmeDHlGzlHyzVChkM=</DigestValue>
</Reference>
<Reference URI="#_5">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>k69pykploFPkXhw5ogDHcjcJUI0=</DigestValue>
</Reference>
<Reference URI="#_6">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>wnN99C6DCmP7MaOlTJxf10Urf/k=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>e2kDwoGU0XrmkUqO1rpkKSwYDMe327XN0hTLSQtutm04BX7+JjxbO5EbmmgX3F/hdKFjUk5rDdWxu1AC1LRlAhwiZKqzhnMx05ixuGoAxmlTLnL+ItdLTomOaOHkf7b7KNZouZDuCNeE/VdiQBOEmCYw2XfoukZxvIqyA03YffY=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-127196be-7cc5-47ce-abd2-90d000c4fa2b-2"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"></e:DataReference>
</e:ReferenceList>
</o:Security>
</s:Header>
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="#_0"></o:Reference>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>rPnwZV8JzRPPf7jAR6HCNRTvELt5caZbyyBzs1icNP+5HPmKxzPfROs8aq4Soi5+HfOpAsanW6IdA3o9m466WOM4jVorN7dx+8VCygsKfp79JtniFfH3Us9YlJsjgxljCM5QvH84ZkXc/+TJy+zVwpTm0t3mEB8h83gDA0ZOYkCXG8ksZhOwvj4aaLpDoBI+e/4usJ2XsW2oi2xF8sCFzV20X4S/IJlTyUHqeQcW5N8evXF0A8K64FfnoFARCe/Bkq2kmbclNRBmCZE+sJNTNxkYVlA6QufCPASgZJg35fwDveHTcQb19IqccGC51khQWV8L4gIhnJ2RSRzgsDjuzO8wGYTjoSBvm18hfHMywqdEyUCYX9bFEGcaBFMevD9mIu/B/ksh6nqkp30NGctReupdTFyrNcUn9Zqu/xlwU/uJws4LIk4G7ggjF4IrqjOu</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
Shameer Kunjumohamed
I tried to use your message contracts in a test WCF service and I wasn't able to make it work even if I used WS-Addressing. It always encrypts the whole body. I suggest placing the same question on the MSDN forum and, if you can, contacting MS support. MSDN: http://social.msdn.microsoft.com/Forums/en-US/wcf/threads
Ladislav Mrnka
Thanks very much for your efforts. I will post in MSDN forums soon.
Shameer Kunjumohamed
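The whole thread turns on a structural difference between two WS-Security envelopes: the Java client's expected request (EncryptedData nested inside getActualInvoiceOutputRequest, root tag in the clear) and the .NET client's actual request (EncryptedData as the direct child of the Body, plus WS-Addressing headers the binding adds). As an added example, not code from the thread or from either poster, the Python script below parses two constructed, abbreviated stand-ins for those two envelopes and reports, for each, where the xenc:EncryptedData landed, whether the payload root element survived unencrypted, the key-transport and data-encryption algorithms, which wsu:Id values the signature covers, and whether WS-Addressing headers are present; security_diff then lists only the fields on which the two disagree. The cipher values, digests and MessageID in the samples are dummies and the function names are my own; pointed at two real captured envelopes, it surfaces the same kind of interoperability gap the answer describes.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

def q(prefix, local):
    """Clark-notation tag ('{uri}local') for an element in one of the namespaces above."""
    return "{%s}%s" % (NS[prefix], local)

def fragment(uri):
    """'http://www.w3.org/2001/04/xmlenc#aes128-cbc' -> 'aes128-cbc'."""
    return uri.rsplit("#", 1)[-1] if uri else None

def describe_security(envelope_xml):
    """Summarise the security-relevant layout of one SOAP envelope as a dict."""
    root = ET.fromstring(envelope_xml)
    header = root.find(q("soap", "Header"))
    body = root.find(q("soap", "Body"))
    security = header.find(q("wsse", "Security")) if header is not None else None
    info = {}
    # WS-Addressing is in use if any header block sits in the 2005/08 addressing namespace.
    info["ws_addressing"] = header is not None and any(
        child.tag.startswith("{%s}" % NS["wsa"]) for child in header)
    # Every EncryptedData under the Body, with the element that contains it: parent 'Body'
    # means the whole payload is ciphertext; parent 'getActualInvoiceOutputRequest' means
    # the root tag stayed in the clear and only its content was encrypted.
    encrypted = []
    for parent in body.iter():
        for child in parent:
            if child.tag == q("xenc", "EncryptedData"):
                method = child.find(q("xenc", "EncryptionMethod"))
                encrypted.append({"parent": parent.tag.split("}", 1)[-1],
                                  "type": fragment(child.get("Type")),
                                  "algorithm": fragment(method.get("Algorithm")) if method is not None else None})
    info["encrypted"] = encrypted
    body_root = next(iter(body), None)
    info["body_root"] = body_root.tag.split("}", 1)[-1] if body_root is not None else None
    info["body_root_in_clear"] = body_root is not None and body_root.tag != q("xenc", "EncryptedData")
    # Key-transport algorithm of the EncryptedKey carried in the Security header.
    enc_key = security.find(q("xenc", "EncryptedKey")) if security is not None else None
    method = enc_key.find(q("xenc", "EncryptionMethod")) if enc_key is not None else None
    info["key_transport"] = fragment(method.get("Algorithm")) if method is not None else None
    # What the XML signature covers (ds:Reference URIs) and whether a wsu:Timestamp is present.
    info["signed_uris"] = ([r.get("URI") for r in security.iterfind(".//" + q("ds", "Reference"))]
                           if security is not None else [])
    info["has_timestamp"] = security is not None and security.find(q("wsu", "Timestamp")) is not None
    return info

def security_diff(expected_xml, actual_xml):
    """Return only the fields on which the two envelopes disagree, as (expected, actual) pairs."""
    expected, actual = describe_security(expected_xml), describe_security(actual_xml)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}

# Constructed, abbreviated stand-ins for the two requests quoted in the thread: cipher values,
# digests and the MessageID are dummies; only the element layout and algorithm URIs matter here.
EXPECTED_REQUEST = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <SOAP-ENV:Header><wsse:Security SOAP-ENV:mustUnderstand="1">
  <xenc:EncryptedKey Id="EncKeyId-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-4"/></xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#id-3"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
   </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature></wsse:Security></SOAP-ENV:Header>
 <SOAP-ENV:Body wsu:Id="id-3"><getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema">
  <xenc:EncryptedData Id="EncDataId-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
 </getActualInvoiceOutputRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
ACTUAL_REQUEST = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:e="http://www.w3.org/2001/04/xmlenc#"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header><a:Action s:mustUnderstand="1" u:Id="_3"></a:Action>
  <a:MessageID u:Id="_4">urn:uuid:00000000-0000-0000-0000-000000000000</a:MessageID>
  <a:To s:mustUnderstand="1" u:Id="_6">http://192.168.0.27:8080/disweb/1.0/spring-ws/</a:To>
  <o:Security s:mustUnderstand="1">
   <e:EncryptedKey Id="_0"><e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData></e:EncryptedKey>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <Reference URI="#_2"/><Reference URI="#_3"/><Reference URI="#_4"/><Reference URI="#_6"/></SignedInfo>
    <SignatureValue>AAAA</SignatureValue></Signature>
   <e:ReferenceList><e:DataReference URI="#_1"/></e:ReferenceList></o:Security></s:Header>
 <s:Body u:Id="_2"><e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData></e:EncryptedData></s:Body></s:Envelope>"""

if __name__ == "__main__":
    for field, (want, got) in security_diff(EXPECTED_REQUEST, ACTUAL_REQUEST).items():
        print("%-19s expected=%r actual=%r" % (field, want, got))
```

Run against the two samples, the diff shows the placement mismatch the thread is about (body_root_in_clear True versus False, EncryptedData parented by getActualInvoiceOutputRequest versus Body) together with the other interoperability differences already visible in the quoted messages: the WS-Addressing headers only the .NET client emits, rsa-1_5 versus rsa-oaep-mgf1p key transport, aes128-cbc versus aes256-cbc, and a signature that covers one wsu:Id in the Java message but five in the WCF one. Each of those is a separate thing the Spring WS endpoint has to accept, so it is worth checking them against the server's security policy rather than only the encryption scope.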