Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security header removed when moving from TransferMode.Buffered to TransferMode.Streamed #4326

Closed
angas opened this issue Aug 11, 2020 · 2 comments · Fixed by #4873
Closed

Security header removed when moving from TransferMode.Buffered to TransferMode.Streamed #4326

angas opened this issue Aug 11, 2020 · 2 comments · Fixed by #4873
Assignees
@mconnew
Labels
priority 1 Stack ranked level of priority. P1
Milestone
7.0

Comments

@angas
Copy link

angas commented Aug 11, 2020
edited by mconnew
Loading

I've set up a dummy service with a self signed cert that is configured to require BasicHttpSecurityMode and TransportWithMessageCredential. When a client make a request using TransferMode.Buffered everything is ok and the request looks like this...

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
		<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<u:Timestamp u:Id="_0">
				<u:Created>2020-08-11T06:10:10.201Z</u:Created>
				<u:Expires>2020-08-11T06:15:10.201Z</u:Expires>
			</u:Timestamp>
			<o:UsernameToken u:Id="uuid-ac6e486b-fc3b-488a-842e-94b69e212296-1">
				<o:Username>test</o:Username>
				<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test123</o:Password>
			</o:UsernameToken>
		</o:Security>
	</s:Header>
	<s:Body>
		<DummyCall xmlns="http://tempuri.org/"/>
	</s:Body>
</s:Envelope>

but when swithing to TransferMode.Streamed the security header isn't included in the request...

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
	<s:Body>
		<DummyCall xmlns="http://tempuri.org/"/>
	</s:Body>
</s:Envelope>

and the respose error causes "System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party."

My simple .NET Core 3.1 clinet looks like this and uses version 4.7.* of System.ServiceModel libraries.

var binding = new BasicHttpBinding
{
    TransferMode = TransferMode.Buffered, // Streamed isn't ok!
    Security = new BasicHttpSecurity
    {
        Mode = BasicHttpSecurityMode.TransportWithMessageCredential,
        Message = new BasicHttpMessageSecurity {
            ClientCredentialType = BasicHttpMessageCredentialType.UserName 
        }
    }
};

var endpointAddress = new EndpointAddress("https://localhost:1234/Services/DummyService/");
var client = new DummyServiceClient(binding, endpointAddress);
client.ChannelFactory.Credentials.UserName.UserName = "test";
client.ChannelFactory.Credentials.UserName.Password = "test123";

// Dangerous CustomCertificateValidator code omitted

client.DummyCall();
@HongGit HongGit added this to the 5.0 milestone Aug 11, 2020
@HongGit HongGit modified the milestones: 5.0, 7.0 Oct 21, 2021
@HongGit HongGit added the priority 1 Stack ranked level of priority. P1 label Nov 11, 2021
@mconnew mconnew mentioned this issue Aug 5, 2022
Merged
@mconnew
Copy link
Member

mconnew commented Aug 5, 2022

@angas, I found the problem and have a PR to fix the issue.

@angas
Copy link
Author

angas commented Aug 12, 2022

This is really good news. Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mconnew mconnew

Labels
priority 1 Stack ranked level of priority. P1
Projects
None yet
Milestone
7.0
Development

Successfully merging a pull request may close this issue.

Fix TransportWithMessageCredentials with TransferMode.Streamed missing security header mconnew/wcf
3 participants
@angas @mconnew @HongGit