Closed
Description
I've set up a dummy service with a self-signed cert that is configured to require BasicHttpSecurityMode and TransportWithMessageCredential. When a client makes a request using TransferMode.Buffered everything is ok and the request looks like this...
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2020-08-11T06:10:10.201Z</u:Created>
        <u:Expires>2020-08-11T06:15:10.201Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-ac6e486b-fc3b-488a-842e-94b69e212296-1">
        <o:Username>test</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test123</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <DummyCall xmlns="http://tempuri.org/"/>
  </s:Body>
</s:Envelope>
```
but when switching to TransferMode.Streamed the security header isn't included in the request...
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <DummyCall xmlns="http://tempuri.org/"/>
  </s:Body>
</s:Envelope>
```
and the response error causes "System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party."

My simple .NET Core 3.1 client looks like this and uses version 4.7.* of System.ServiceModel libraries.
```csharp
using System.ServiceModel;

var binding = new BasicHttpBinding
{
    TransferMode = TransferMode.Buffered, // Streamed isn't ok!
    Security = new BasicHttpSecurity
    {
        Mode = BasicHttpSecurityMode.TransportWithMessageCredential,
        Message = new BasicHttpMessageSecurity
        {
            ClientCredentialType = BasicHttpMessageCredentialType.UserName
        }
    }
};
var endpointAddress = new EndpointAddress("https://localhost:1234/Services/DummyService/");
var client = new DummyServiceClient(binding, endpointAddress);
client.ChannelFactory.Credentials.UserName.UserName = "test";
client.ChannelFactory.Credentials.UserName.Password = "test123";
// Dangerous CustomCertificateValidator code omitted
client.DummyCall();
```
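A check for the failure described above, as an added example that is not part of the original issue or of the WCF code base: it parses a captured request envelope and reports whether the WS-Security header with a UsernameToken is present. The names `EnvelopeCheck` and `Inspect` are hypothetical, and the two sample envelopes are constructed from the captures in the issue.

```csharp
using System;
using System.Xml.Linq;

static class EnvelopeCheck
{
    static readonly XNamespace S = "http://schemas.xmlsoap.org/soap/envelope/";
    const string Wss = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-";
    static readonly XNamespace O = Wss + "wssecurity-secext-1.0.xsd";
    static readonly XNamespace U = Wss + "wssecurity-utility-1.0.xsd";

    // Returns null when the envelope carries a usable UsernameToken,
    // otherwise a short reason why it does not.
    public static string Inspect(string envelopeXml, DateTime nowUtc)
    {
        var security = XDocument.Parse(envelopeXml).Root?
            .Element(S + "Header")?.Element(O + "Security");
        if (security == null) return "no wsse:Security header";

        var token = security.Element(O + "UsernameToken");
        if (string.IsNullOrEmpty((string)token?.Element(O + "Username")))
            return "Security header has no UsernameToken/Username";
        if (token.Element(O + "Password") == null)
            return "UsernameToken has no Password";

        // An expired Timestamp is treated as a failure too (assumption of this check).
        var expires = security.Element(U + "Timestamp")?.Element(U + "Expires");
        if (expires != null && ((DateTimeOffset)expires).UtcDateTime <= nowUtc)
            return "Timestamp expired";
        return null;
    }

    static void Main()
    {
        // Constructed samples modelled on the two captures in the issue.
        string body = "<s:Body><DummyCall xmlns='http://tempuri.org/'/></s:Body>";
        string streamed = $"<s:Envelope xmlns:s='{S}'>{body}</s:Envelope>";
        string buffered = $"<s:Envelope xmlns:s='{S}' xmlns:o='{O}' xmlns:u='{U}'>" +
            "<s:Header><o:Security><u:Timestamp>" +
            "<u:Expires>2020-08-11T06:15:10.201Z</u:Expires></u:Timestamp>" +
            "<o:UsernameToken><o:Username>test</o:Username>" +
            "<o:Password>test123</o:Password></o:UsernameToken>" +
            "</o:Security></s:Header>" + body + "</s:Envelope>";

        var now = new DateTime(2020, 8, 11, 6, 12, 0, DateTimeKind.Utc);
        Console.WriteLine(Inspect(buffered, now) ?? "ok");
        Console.WriteLine(Inspect(streamed, now));
    }
}
```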