WCF : WS-Security Hell

dotnetLastly, I had to build a client to consume a web service. This task seems a bit trivial at first, but the service required an authentication mechanism based on WS-Security. Nothing really complex, the only requirement was to send a username and a password in plain text.

As usual when I build this kind of application, I used Visual Studio wizard to create the proxy to the web service, and after some tweaking in the app.config file, my application was ready to consume this web service !

Unfortunately, there is a security behavior in WCF that prevent from using plain text message based authentication over unsecure transport : i.e. you cannot send a clear password if you are using HTTP as the transport layer instead of HTTPS. That would have been nice of Microsoft to give us a way to override this mechanism easily, but they didn”t (and they didn”t bother to add an explicit error message in the thrown exception…)

So, if you want to send a plain-text username and password using WCF, the only way I found was to stuff the corresponding soap header when sending the request.

Here is my code, use it at your own risks…

public class SecurityBehavior : MessageHeader, IClientMessageInspector, IEndpointBehavior
{
     private string m_sUserName;
     private string m_sPassword;
     public override string Name        
     {            
        get { return "wsse:Security"; }
     }
 
     public override string Namespace        
     {            
        get { return ""; }
     }          
 
     public string UserName        
     {            
        get { return m_sUserName; }
        set { m_sUserName = value; }        
     }          
 
     public string Password        
     {            
        get { return m_sPassword; }            
        set { m_sPassword = value; }        
     }          
 
     public void AfterReceiveReply(ref System.ServiceModel.Channels.Message reply, object correlationState)        
     {                      
 
     }          
 
     public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)        
     {              
        request.Headers.Add(this);
        return null;
     }          
 
     public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)        
     {                      
 
     }          
 
     public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)        
     {            
        clientRuntime.MessageInspectors.Add((IClientMessageInspector)this);
     }          
 
     public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher)        
     {          
 
     }          
 
     public void Validate(ServiceEndpoint endpoint)        
     {          
 
     }          
 
     protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)        
     {            
        writer.WriteAttributeString("xmlns", "wsse", null, "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        writer.WriteStartElement("wsse:UsernameToken");
        writer.WriteElementString("wsse:Username", m_sUserName);
        writer.WriteStartElement("wsse:Password");
        writer.WriteAttributeString("Type", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText");
        writer.WriteValue(m_sPassword);                          
        writer.WriteEndElement(); //wsse:Password            
        writer.WriteEndElement(); //wsse:UsernameToken        
     }              
}
Jean-Pierre Thomasset
Development team leader V3D
Professional web developer and software engineer since 2002. With more than ten years of experience and a solid background in several aspects of IT, I am technically proficient and can handle all kind of software or web projects. I also enjoy learning new things, not limited to computer technologies, which allows me to constantly improve myself.

Specialties:

Expert in .NET development and Web application (C#, ASP.Net, HTML, CSS, Javascript).
Proficient in PHP
Database modeling (SQL Server, MySQL)
Other languages & libraries : Java, C++, AngularJS, jQuery