How to sign custom SOAP header?

I would like to write an intermediary that injects and signes its custom
SOAP header with its own certificate. With WSE we could do that becuase WSE
provides lower level API-s to create new security headers (if we need)
assign new actors to it and inject into this header whatever we want (for
example signature generated for a new custom header). WCF does not seem to
allow even to create custom headers programmatically on a run time not to
mention to sign it (or encrypt). Interestingly enough using WSE 2.0 we could
ask it to sign custom header(s) even declaratively (using policy cache file
expressed in WS-Policy format). With WCF I do not even know how I can do it
programmaticlly. Any comments, suggestions? Am I missing something in WCF
model?

Thank you,
Andrew

Hi Andrew,

Do you really want an intermediary to sign and/or encrypt custom headers, or
have it done from the client itself?

While in WSE it was possible to write an intermediary and have it create a
new security header (with a new actor), this is unfortunately not possible in
WCF since processing multiple security headers is not supported. However, it
is possible have an intermediary act as a forwarder of soap messages (by not
adding anything).

If your client wanted to sign and/or encrypt custom soap headers, WCF
actually offers a fairly simple way to do so, by using a MessageContract

[MessageContract]
public class CustomType
{
[MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
string name;

[MessageHeader(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
string secret;

....
}

and then using it in your ServiceContract by having:

void HelloWorld(CustomType data);

WCF will automatically sign the first header, and sign+encrypt the second
header for you depending on the authentication mode that is chosen.

Does the above suffice? If not, then I'd love to learn more about your
scenario.

Thanks,
Sidd - MSFT

"Andrew Slivker" wrote:

> I would like to write an intermediary that injects and signes its custom
> SOAP header with its own certificate. With WSE we could do that becuase WSE
> provides lower level API-s to create new security headers (if we need)
> assign new actors to it and inject into this header whatever we want (for
> example signature generated for a new custom header). WCF does not seem to
> allow even to create custom headers programmatically on a run time not to
> mention to sign it (or encrypt). Interestingly enough using WSE 2.0 we could
> ask it to sign custom header(s) even declaratively (using policy cache file
> expressed in WS-Policy format). With WCF I do not even know how I can do it
> programmaticlly. Any comments, suggestions? Am I missing something in WCF
> model?
>
> Thank you,
> Andrew
>
>
>
>

Hi Sidd,



We are developing Web Services management infrastructures including "smart"
intermediaries. Until WCF (using WSE 2.0 and WSE 3.0) everything was fine
and clear. With WCF (even though we like a lot about it) we have more
questions then answers mostly because there are no lower level APIs anymore
to manipulate SOAP messages. (ex: inject new security headers with different
actors, or make technology stack to do some work for you, for ex in WSE we
could call ProcessMessage on a standalone Pipeline instance that is given a
SoapEnvelope message). A simple example when you would want to be able to do
it can be found in the article published a while ago in MSDN:

http://msdn.microsoft.com/webservice...resoapnode.asp.

I am sure you are familiar both with the article and his author, William Tay
(aka "Softwaremaker"). This article presents just a tip of an iceberg in Web
Services Management space when it comes to implementations based on .NET
platform. I would love to continue our discussion and take it offline. I
would appreciate if you contact me via my email directly.





Thank you,

Andrew Slivker



"Sidd Shenoy - MSFT" <Sidd Shenoy - MSFT@discussions.microsoft.com> wrote in
message news:B6C03606-B6E1-4A27-845A-9130F77430E7@microsoft.com...
> Hi Andrew,
>
> Do you really want an intermediary to sign and/or encrypt custom headers,
> or
> have it done from the client itself?
>
> While in WSE it was possible to write an intermediary and have it create a
> new security header (with a new actor), this is unfortunately not possible
> in
> WCF since processing multiple security headers is not supported. However,
> it
> is possible have an intermediary act as a forwarder of soap messages (by
> not
> adding anything).
>
> If your client wanted to sign and/or encrypt custom soap headers, WCF
> actually offers a fairly simple way to do so, by using a MessageContract
>
> [MessageContract]
> public class CustomType
> {
> [MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
> string name;
>
> [MessageHeader(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
> string secret;
>
> ....
> }
>
> and then using it in your ServiceContract by having:
>
> void HelloWorld(CustomType data);
>
> WCF will automatically sign the first header, and sign+encrypt the second
> header for you depending on the authentication mode that is chosen.
>
> Does the above suffice? If not, then I'd love to learn more about your
> scenario.
>
> Thanks,
> Sidd - MSFT
>
> "Andrew Slivker" wrote:
>
>> I would like to write an intermediary that injects and signes its custom
>> SOAP header with its own certificate. With WSE we could do that becuase
>> WSE
>> provides lower level API-s to create new security headers (if we need)
>> assign new actors to it and inject into this header whatever we want (for
>> example signature generated for a new custom header). WCF does not seem
>> to
>> allow even to create custom headers programmatically on a run time not to
>> mention to sign it (or encrypt). Interestingly enough using WSE 2.0 we
>> could
>> ask it to sign custom header(s) even declaratively (using policy cache
>> file
>> expressed in WS-Policy format). With WCF I do not even know how I can do
>> it
>> programmaticlly. Any comments, suggestions? Am I missing something in WCF
>> model?
>>
>> Thank you,
>> Andrew
>>
>>
>>
>>