ws-security
User/Pass Authentication using RESTful WCF & Windows Forms
Well, I don’t have any experience with the REST capabilities of WCF, but I did wrestle a lot with understanding the implications of security choices in my WCF security question. As you’ve noticed, there’s a real lack of documentation on WCF out there on the Web, and my REST experience is limited, so take my …
JAX-WS – Adding SOAP Headers
Data can be transferred in a SOAP header (JAX-WS) by using @WebParam(header = true): @WebMethod(operationName = "SendRequest", action = "http://abcd.ru/") @Oneway public void sendRequest( @WebParam(name = "Message", targetNamespace = "http://abcd.ru/", partName = "Message") Data message, @WebParam(name = "ServiceHeader", targetNamespace = "http://abcd.ru/", header = true, partName = "ServiceHeader") Header serviceHeader); If you want to generate a client …
In WCF/WIF how to merge up claims from two different client’s custom sts’s tokens
Generally you will only want to utilize one token at each step. So if you need to merge up claims, you will want to do that at the claims transformation step of the second STS. So the flow would be authenticate with STS1, then authenticate with STS2 with the token from STS1. At that point …
Prevent XXE Attack with JAXB
JAXB You can prevent the XML eXternal Entity (XXE) attack by unmarshalling from an XMLStreamReader that has the IS_SUPPORTING_EXTERNAL_ENTITIES and/or XMLInputFactory.SUPPORT_DTD properties set to false. JAX-WS A JAX-WS implementation should take care of this for you. If it doesn’t, I would recommend opening a bug against the specific implementation. EXAMPLE Demo package xxe; import javax.xml.bind.*; …
Correct way communicate WSSE Usernametoken for SOAP webservice
If you need to send a UserName over HTTPS you can use the standard approach (if your WSDL is correctly defined this should be created for you automatically by adding a service reference): <bindings> <basicHttpBinding> <binding name="secured"> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName" /> </security> </binding> </basicHttpBinding> </bindings> <client> <endpoint name="…" address="https://…" contract="…" binding="basicHttpBinding" bindingConfiguration="secured" /> </client> Or you can …