WSSE (with digest) in WCF\.Net\C# - An easy way?

Question

Disclaimer: .Net N00b

I've been beating my head against the wall for a couple of days now trying to get the security work with this external vendors web service to no avail. It turns out that they use WSSE digest security, which, in short, adds something like this to the SOAP header:

<wsse:UsernameToken wsu:Id="Example-1"> 
   <wsse:Username> ... </wsse:Username> 
   <wsse:Password Type="..."> ... </wsse:Password> 
   <wsse:Nonce EncodingType="..."> ... </wsse:Nonce> 
   <wsu:Created> ... </wsu:Created> 
</wsse:UsernameToken> 

I started out by adding the service reference, and through many, many blog posts, stackoverflow questions fiddling with the app.config and the code. I just couldn't seem to get it right. Maybe it isn't easily possible? Maybe I just don't know Visual Studio 2010 and .Net that well, I'm not sure.

Here is what I stopped with in my app.config:

<system.serviceModel>
    <bindings>
        <basicHttpBinding>
            <binding name="ServiceHttpBinding" closeTimeout="00:01:00"
                openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
                allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
                messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
                useDefaultWebProxy="true">
                <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
              <security mode="TransportWithMessageCredential" />
            </binding>
        </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://vendorurl"
          binding="basicHttpBinding" bindingConfiguration="ServiceHttpBinding"
          contract="ContractName"
          name="ServiceHttpPort">
      </endpoint>
    </client>
</system.serviceModel>

And the C#:

    var someService = new ServiceClient();

    someService.ClientCredentials.UserName.UserName = "username";
    someService.ClientCredentials.UserName.Password = "passwordgobbletygook/somemorebase64stuff=";

    #region Begin Magic
    var elements = someService.Endpoint.Binding.CreateBindingElements();

    var securityBindingElement = elements.Find<SecurityBindingElement>();
    securityBindingElement.IncludeTimestamp = false;

    someService.Endpoint.Binding = new CustomBinding(elements);
    #endregion

    var response = someService.webMethod(param1, param2, param3, param4);

    Console.WriteLine(response);

The funny thing is, in the vendors spec, I found that they encourage the use of WSSJ, so I tried it out (in java) and I GOT IT TO WORK IN 2 HOURS

Here is what that looks like:

public class Test implements CallbackHandler {

    /**
     * @param args
     */
    public static void main( final String[] args ) throws Throwable {
        SomeService_Service someService_Service = new SomeService_Service();
        SomeService someService = someService_Service.getSomeServiceHttpPort();

        BindingProvider bindingProvider = (BindingProvider)someService;
        Map< String, Object > requestContext = bindingProvider.getRequestContext();
        requestContext.put( BindingProvider.ENDPOINT_ADDRESS_PROPERTY, "https://vendorurl" );

        Client client = ClientProxy.getClient( someService );
        Endpoint endpoint = client.getEndpoint();

        Map< String, Object > outProps = new HashMap< String, Object >();
        outProps.put( WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN );
        outProps.put( WSHandlerConstants.USER, "username" );
        outProps.put( WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST );
        outProps.put( WSHandlerConstants.PW_CALLBACK_REF, new Test() );

        WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor( outProps );
        endpoint.getOutInterceptors().add( wssOut );

        System.out.println( someService.webMethod(param1, param2, param3, param4) );
    }

    public void handle( final Callback[] callbacks ) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback)callbacks[ 0 ];

        // set the password for our message.
        pc.setPassword( "passwordgobbletygook/somemorebase64stuff=" );
    }
}

Has anyone out there in stackoverflow land got this to work in .Net\\C#? Is there something obvious I'm missing here?

Answer 1

We've run into this problem before when trying to connect a .NET based component to a JAVA based SOAP service. Our solution doesn't involve any XML construction and is IMHO a bit cleaner than anything else I've seen.

The downside is that you need to download and include an older optional .NET DLL to make it work. The upside is that the code is quite clean and fits naturally into WCF.

The basic implementation looks something like this:

using (OperationContextScope scope = new OperationContextScope(client.InnerChannel))
{
    //Class from WSE 3.0
    UsernameToken token = new UsernameToken("MY_USERNAME", "MY_PASSWORD", PasswordOption.SendHashed);

    //Add Auth to SOAP Header
    MessageHeader header
      = MessageHeader.CreateHeader(
      "Security",
      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      token.GetXml(new XmlDocument())
    );

    OperationContext.Current.OutgoingMessageHeaders.Add(header);

    //Build Request
    OrgWS.OrganizationDetailsRequest request = new OrgWS.OrganizationDetailsRequest()
    {
        ID = 1
    };

    //Send Request
    OrgWS.OrganizationDetail[] response = client.getOrganizationDetail(request);

    //Do something with response
}

A full explanation can be found here: http://cxdeveloper.com/article/implementing-ws-security-digest-password-nonce-net-40-wcf

Answer 2

Andy's answer is spot on! Spent most of the say on this, there is a lot out there but this is the ONLY answer that worked for me. Perfect for adding nonce with passwordDigest in SOAP wsse headers. Agree with Nick V, this answer should get more recognition.

BasicHttpBinding myBinding = new BasicHttpBinding();
myBinding.Security.Mode = BasicHttpSecurityMode.Transport;
myBinding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

EndpointAddress ea = new EndpointAddress("****");
WebServiceServiceClient cc = new WebServiceServiceClient(myBinding, ea);

cc.Open();

using (OperationContextScope scope = new OperationContextScope(cc.InnerChannel))
{
    //Class from WSE 3.0
    UsernameToken token = new UsernameToken("userid", "password", PasswordOption.SendHashed);

    //Add Auth to SOAP Header
    MessageHeader header
      = MessageHeader.CreateHeader(
      "Security",
      "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      token.GetXml(new XmlDocument())
    );

    OperationContext.Current.OutgoingMessageHeaders.Add(header);

    try
    {
        //call SOAP methos
    }
    catch (Exception ex)
    {
        //catch any errors
    }
}