TechQA.

WCF Routing with Message Signing Results in Encryption Error

174 views Asked by At

I'm experiencing a problem when trying to introduce WCF-Routing into a project containing two target service endpoints which have message security enabled. (Signing only - No encryption) I've set two simple Action based filters which direct to one service or the other.

Calling the RoutingService from my client presents the following error message in the trace logs:

The 'Body', 'http://www.w3.org/2003/05/soap-envelope' required message part was not encrypted.

I've set ProtectionLevel.Sign on the service interface so i'm struggling to understand why this is a problem.

[ServiceContract(Namespace = "http://helloservice.adam.com/services/v1.0", ProtectionLevel = ProtectionLevel.Sign)]
public interface IHelloAService
{
    [OperationContract(Action = "http://helloservice.adam.com/services/v1.0/helloa", ProtectionLevel = ProtectionLevel.Sign)]
    string SayHello(string name);
}

Any help that anyone can provide would be much appreciated.

WCF Service Project Config

Services

<services>
  <service name="System.ServiceModel.Routing.RoutingService" behaviorConfiguration="RoutingSecureBehavior" >

    <endpoint binding="customBinding" bindingConfiguration="HTTPSCustomBinding" 
              contract="System.ServiceModel.Routing.ISimplexDatagramRouter" 
              name="RoutingServiceEndpoint" />

  </service>

  <service name="WCF.Services.HelloAService" behaviorConfiguration="SecureServiceBehavior">
    <endpoint binding="customBinding" bindingConfiguration="HTTPSCustomBinding" 
              contract="WCF.Services.IHelloAService" />
  </service>

  <service name="WCF.Services.HelloBService" behaviorConfiguration="SecureServiceBehavior">
    <endpoint binding="customBinding" bindingConfiguration="HTTPSCustomBinding"   
              contract="WCF.Services.IHelloBService" />
  </service>

</services>

Bindings

  <customBinding>
    <binding name="HTTPSCustomBinding">
      <textMessageEncoding messageVersion="Soap12WSAddressing10" writeEncoding="utf-8" />
      <security allowSerializedSigningTokenOnReply="true"
                authenticationMode="MutualCertificateDuplex"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                messageProtectionOrder="SignBeforeEncrypt" />
      <httpsTransport/>
    </binding>
  </customBinding>

Service Behaviors

  <serviceBehaviors>

    <behavior name="SecureServiceBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
        </clientCertificate>
        <serviceCertificate findValue="service.adam.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
      </serviceCredentials>
      <serviceThrottling maxConcurrentCalls="50" maxConcurrentInstances="50" />
    </behavior>

    <behavior name="RoutingSecureBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
        </clientCertificate>
        <serviceCertificate findValue="service.adam.com" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
      </serviceCredentials>
      <serviceThrottling maxConcurrentCalls="50" maxConcurrentInstances="50" />
      <routing filterTableName="MyFilterTable" routeOnHeadersOnly="True" />
    </behavior>

  </serviceBehaviors>

Filters

<routing>
  <filters>

    <filter name="HelloAAction" filterType="Action" filterData="http://helloservice.adam.com/services/v1.0/helloa" />
    <filter name="HelloBAction" filterType="Action" filterData="http://helloservice.adam.com/services/v1.0/hellob" />

  </filters>

  <filterTables>
    <filterTable name="MyFilterTable">
      <add filterName="HelloAAction" endpointName="HelloA" priority="100" />
      <add filterName="HelloBAction" endpointName="HelloB" priority="100" />
    </filterTable>
  </filterTables>

</routing>

Service Side Clients

<client>

  <endpoint name="HelloA" binding="customBinding" bindingConfiguration="HTTPSCustomBinding" behaviorConfiguration="Internal_SecureClientBehavior" contract="*" />
  <endpoint name="HelloB" binding="customBinding" bindingConfiguration="HTTPSCustomBinding" behaviorConfiguration="Internal_SecureClientBehavior" contract="*" />

</client>

Endpoint Behaviors

  <endpointBehaviors>

    <behavior name="Internal_SecureClientBehavior">
      <clientCredentials>
        <clientCertificate findValue="service.adam.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        <serviceCertificate>
          <authentication revocationMode="NoCheck" certificateValidationMode="ChainTrust" />
          <defaultCertificate findValue="service.adam.com" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>

  </endpointBehaviors>

WCF Client Project Config

Client Side Clients

<client>    
  <endpoint name="ServiceProxy"
            address="https://services.adam.com/ServiceProxy.svc"
            binding="customBinding" bindingConfiguration="HTTPSCustomBinding"
            behaviorConfiguration="SecureClientBehavior"
            contract="WCF.Services.IHelloAService">
    <identity>
      <dns value="service.adam.com" />
    </identity>
  </endpoint>
</client>

Bindings

  <customBinding>
    <binding name="HTTPSCustomBinding">
      <textMessageEncoding messageVersion="Default" writeEncoding="utf-8" />

      <security allowSerializedSigningTokenOnReply="true" authenticationMode="MutualCertificateDuplex"
                messageProtectionOrder="SignBeforeEncrypt"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10" />
      <httpsTransport maxReceivedMessageSize="2147483647" maxBufferSize="2147483647"
                      maxPendingAccepts="1" />
    </binding>
  </customBinding>

Behaviors

  <endpointBehaviors>
    <behavior name="SecureClientBehavior">
      <clientCredentials>
        <clientCertificate findValue="client.adam.com" x509FindType="FindBySubjectName"
                           storeLocation="LocalMachine" storeName="My" />
        <serviceCertificate>
          <authentication revocationMode="NoCheck" certificateValidationMode="ChainTrust" />
          <defaultCertificate findValue="service.adam.com" x509FindType="FindBySubjectName"
                              storeLocation="LocalMachine" storeName="My" />
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
wcf wcf-security wcf-routing
Original Q&A
0

There are 0 answers

Related Questions in WCF

Related Questions in WCF-SECURITY

Related Questions in WCF-ROUTING

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions