Using SoapUI to test a WCF with Basic Authentication

I am new to web services. I want to write a simple WCF with username and password authentication. When using SoapUI for testing, if the security mode is set to none (without basic authentication), it can be called successfully. Once the security mode is set to message (with basic authentication), it cannot return the correct result. Both of them can be called successfully using a C# client. I have applied many suggestions on StackOverflow but still cannot get the correct result.

  • In the 'Request Properties' in SoapUI in section 'Wss-Password Type' just select option 'PasswordText'.
  • negotiateServiceCredential="true"
  • Check mark "Add default WSA To"
  • In http setting check “add authentication information for outgoing result”

Is there any additional setting that needs to be done, like configuring the certificate? I am looking forward to your help.

The setting details are listed below.

When security mode is set to message, the return result is

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
   </s:Header>
   <s:Body>
      <s:Fault>
         <s:Code>
            <s:Value>s:Sender</s:Value>
            <s:Subcode>
               <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
            </s:Subcode>
         </s:Code>
         <s:Reason>
            <s:Text xml:lang="zh-HK">An error occurred when verifying security for the message.</s:Text>
         </s:Reason>
      </s:Fault>
   </s:Body>
</s:Envelope>

The SoapUI log:

DEBUG:Attempt 1 to execute request
DEBUG:Sending request: POST /ServiceHello.svc HTTP/1.1
DEBUG:Receiving response: HTTP/1.1 500 Internal Server Error
DEBUG:Connection can be kept alive indefinitely
INFO:Got response for [WSHttpBinding_IServiceHello.HelloWorld:Request 1] in 3ms (576 bytes)

Result for security mode=none

 <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://tempuri.org/IServiceHello/HelloWorldResponse</a:Action>
   </s:Header>
   <s:Body>
      <HelloWorldResponse xmlns="http://tempuri.org/">
         <HelloWorldResult>Hello World</HelloWorldResult>
      </HelloWorldResponse>
   </s:Body>
</s:Envelope>

And this is the web.config

<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>
  <system.serviceModel>
    <services>
      <service name="WCFTest.ServiceHello"
               behaviorConfiguration="WCFTest_Behavior">
        <endpoint 
          address="" 
          binding="wsHttpBinding" 
          contract="WCFTest.IServiceHello"
          bindingConfiguration="WCFTest_Config">
        </endpoint>

      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WCFTest_Config">
          <security mode="None">
            <!-- The only difference between the two web services is the security mode, which is set to message in the authentication version -->
            <message clientCredentialType="UserName" negotiateServiceCredential="false"
            establishSecurityContext="false" algorithmSuite="Default"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="WCFTest_Behavior">
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
          <serviceCredentials>
            <clientCertificate>
              <authentication certificateValidationMode="None"/>
            </clientCertificate>
            <userNameAuthentication
              userNamePasswordValidationMode="Custom"
              customUserNamePasswordValidatorType="WCFTest.App_Code.Authentication.CustomValidator,App_Code/Authentication"/>
            <serviceCertificate 
              findValue="myCertificate"
              storeLocation="LocalMachine"
              storeName="My"
              x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
        <add binding="basicHttpsBinding" scheme="https" />
    </protocolMapping>    
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
</configuration>

Reviewing the configuration of your application, I assume the following:

a) Your WCF service uses .NET Framework 4.5 or later.
b) The service is hosted in IIS, with SSL security enabled.
c) You want to use WsHttpBinding.
d) Authentication is customized.

Therefore, I give you the following recommendations:

IIS publication:

a) SSL Security: Enable Require SSL and set Client Certificate to Ignore, which is how you are configuring it in the Web.config:

<clientCertificate>
    <authentication certificateValidationMode = "None" />
</clientCertificate>

b) Authentication: Enable "Anonymous Authentication" and disable others.

Web.config:

<wsHttpBinding>
   <binding name = "WCFTest_Config">
      <security mode = "TransportWithMessageCredential">
         <transport clientCredentialType = "None" proxyCredentialType = "None" realm = "" />
         <message clientCredentialType = "UserName" />
      </security>
   </binding>
</wsHttpBinding>

and also

<protocolMapping>
   <add binding = "wsHttpBinding" scheme = "https" />
</protocolMapping>

Try it and good luck!
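
With the TransportWithMessageCredential binding recommended above, the credential travels as a plain-text WS-Security UsernameToken in the SOAP header and only TLS protects it. The sketch below is an added example, not code from the question or the answer: it builds the request a test client such as SoapUI has to send and refuses non-HTTPS endpoints. The request action (WCF's default naming), the `service.example` host, the credentials and the Timestamp (WCF security bindings expect one by default) are assumptions.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

S = "http://www.w3.org/2003/05/soap-envelope"
A = "http://www.w3.org/2005/08/addressing"
O = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
U = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PW_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-username-token-profile-1.0#PasswordText")
# Assumed request action: the page shows only the ...HelloWorldResponse action.
ACTION = "http://tempuri.org/IServiceHello/HelloWorld"
for prefix, ns in (("s", S), ("a", A), ("o", O), ("u", U)):
    ET.register_namespace(prefix, ns)


def build_request(url, user, password, now=None, ttl_seconds=300):
    """Return the SOAP 1.2 envelope (bytes) for HelloWorld with a UsernameToken."""
    if urlsplit(url).scheme != "https":
        # PasswordText sits in clear inside the header; only TLS protects it.
        raise ValueError("UsernameToken/PasswordText requires an https endpoint")
    now = now or dt.datetime.now(dt.timezone.utc)  # 'now' must be in UTC
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")

    env = ET.Element(f"{{{S}}}Envelope")
    hdr = ET.SubElement(env, f"{{{S}}}Header")
    must = {f"{{{S}}}mustUnderstand": "1"}
    ET.SubElement(hdr, f"{{{A}}}Action", must).text = ACTION
    ET.SubElement(hdr, f"{{{A}}}To", must).text = url

    sec = ET.SubElement(hdr, f"{{{O}}}Security", must)
    ts = ET.SubElement(sec, f"{{{U}}}Timestamp")
    ET.SubElement(ts, f"{{{U}}}Created").text = stamp(now)
    ET.SubElement(ts, f"{{{U}}}Expires").text = stamp(now + dt.timedelta(seconds=ttl_seconds))
    tok = ET.SubElement(sec, f"{{{O}}}UsernameToken")
    ET.SubElement(tok, f"{{{O}}}Username").text = user
    ET.SubElement(tok, f"{{{O}}}Password", {"Type": PW_TEXT}).text = password

    body = ET.SubElement(env, f"{{{S}}}Body")
    ET.SubElement(body, "{http://tempuri.org/}HelloWorld")
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    # Constructed sample values; service.example is a placeholder host.
    print(build_request("https://service.example/ServiceHello.svc",
                        "alice", "constructed-password").decode())
```

Comparing this output with SoapUI's raw request view shows which header (Action, To, Timestamp or UsernameToken) is missing when the service answers with a:InvalidSecurity.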
