I have a deadline that is about to whoosh by, having underestimated how tricky this would turn out to be.
- SOAP 1.1
- WS-Security for timestamp and signing
- signature has to be single signature made from 2 elements: body + timestamp
- Asymmetric Algorithm: SHA1
- Key algorithm: RSA
- sent over SSL
- client has to authenticate to server via cert with well known CN=
- Server is not .NET but Weblogic, with policies that cannot be changed.
Basically, a secure (SSL) based transport, with signing to protect against tampering as well as replay.
Seemed like a good choice at first as it has WS-Security built in. After setting up a
behavior that defines client and server certs setting binding/
Unfortunately wsHttpBinding creates a signature from too many elements in the message (Body, Action, RelatesTo, Timestamp).
There is no apparent way of controlling what gets selected as an element of the signature.
For example: as the WS-Security headers (Timestamp, etc.) are not part of the proxy Request message class definition, and are added/injected somewhere down the line, and are no
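To see which elements a given binding actually signs, a captured request can be checked against the Body + Timestamp requirement listed in the post. The following is an added example, not code from the original post or from WCF; it assumes signed parts are referenced by `wsu:Id`, uses a constructed envelope with placeholder Ids and a WS-Addressing 1.0 `Action` header, and inspects coverage only (it does not verify digests or the RSA signature).

```python
import xml.etree.ElementTree as ET
from collections import Counter

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1
DS = "http://www.w3.org/2000/09/xmldsig#"
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {"s": SOAP, "ds": DS, "wsse": WSS + "secext-1.0.xsd"}
WSU_ID = "{%sutility-1.0.xsd}Id" % WSS
REQUIRED = {"Body", "Timestamp"}   # coverage the post says the server expects

def signed_parts(envelope_xml):
    """Return (list of signed element names per ds:Signature, duplicate wsu:Ids)."""
    root = ET.fromstring(envelope_xml)   # use only on messages you captured yourself
    ids = [(el.get(WSU_ID), el) for el in root.iter() if el.get(WSU_ID)]
    by_id = dict(ids)
    # A repeated wsu:Id makes "which element was signed" ambiguous, so report it.
    dupes = sorted(i for i, n in Counter(i for i, _ in ids).items() if n > 1)
    sigs = []
    for sig in root.findall("s:Header/wsse:Security/ds:Signature", NS):
        names = []
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            target = by_id.get(ref.get("URI", "").lstrip("#"))
            names.append("?" if target is None else target.tag.rsplit("}", 1)[-1])
        sigs.append(names)
    return sigs, dupes

def coverage_problems(envelope_xml):
    """Compare signature coverage with REQUIRED; an empty list means it matches."""
    sigs, dupes = signed_parts(envelope_xml)
    problems = ["duplicate wsu:Id %s" % d for d in dupes]
    if len(sigs) != 1:
        problems.append("expected 1 signature, found %d" % len(sigs))
    for names in sigs:
        problems += ["extra signed part: " + n for n in sorted(set(names) - REQUIRED)]
        problems += ["unsigned part: " + n for n in sorted(REQUIRED - set(names))]
    return problems

def sample(signed_ids):
    """Constructed envelope (not a real capture) whose signature references signed_ids."""
    refs = "".join('<ds:Reference URI="#%s"/>' % i for i in signed_ids)
    return ('<s:Envelope xmlns:s="%s" xmlns:ds="%s" xmlns:wsse="%ssecext-1.0.xsd" '
            'xmlns:wsu="%sutility-1.0.xsd" xmlns:wsa="http://www.w3.org/2005/08/addressing">'
            '<s:Header><wsa:Action wsu:Id="_2">urn:example:op</wsa:Action>'
            '<wsse:Security><wsu:Timestamp wsu:Id="_0"/>'
            '<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo></ds:Signature>'
            '</wsse:Security></s:Header><s:Body wsu:Id="_1"/></s:Envelope>'
            % (SOAP, DS, WSS, WSS, refs))

if __name__ == "__main__":
    print(coverage_problems(sample(["_0", "_1", "_2"])))
```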