How to: Set Up a Signature Confirmation
Signature confirmation is a mechanism for a message initiator to ensure that a received reply was generated in response to the sender's original message. Signature confirmation is defined in the WS-Security 1.1 specification. If an endpoint supports WS-Security 1.0, you cannot use signature confirmation.
The following procedures specify how to enable signature confirmation using an AsymmetricSecurityBindingElement. You can use the same procedure with a SymmetricSecurityBindingElement. The procedure builds upon the basic steps found in How to: Create a Custom Binding Using the SecurityBindingElement.
To enable signature confirmation in code
Create an instance of the BindingElementCollection class.
Create an instance of the SymmetricSecurityBindingElement class.
Set the RequireSignatureConfirmation to true.
Add the security element to the binding collection.
Create a custom binding, as specified in How to: Create a Custom Binding Using the SecurityBindingElement.
To enable signature confirmation in configuration
Add a <customBinding> element to the <bindings> section of the configuration file.
Add a <binding> element and set the name attribute to an appropriate value.
Add an appropriate encoding element. The following example adds a <textMessageEncoding> element.
Add a <security> child element and set the requireSignatureConfirmation attribute to true.
Optional. To enable signature confirmation during the bootstrap, add a <secureConversationBootstrap> child element and set the requireSignatureConfirmation attribute to true.
Add an appropriate transport element. The following example adds an <httpTransport>:
<bindings>
  <customBinding>
    <binding name="SignatureConfirmationBinding">
      <security requireSignatureConfirmation="true">
        <secureConversationBootstrap requireSignatureConfirmation="true" />
      </security>
      <textMessageEncoding />
      <httpTransport />
    </binding>
  </customBinding>
</bindings>
Example
The following code creates an instance of the SymmetricSecurityBindingElement and sets the RequireSignatureConfirmation property to true. Note that this example does not use the <secureConversationBootstrap> element shown in the preceding example. This example demonstrates signature confirmation when using a Windows (Kerberos protocol) token. In this case, the signature of the client is returned in all responses from the service and is confirmed by the client.
using System.ServiceModel.Channels;
using System.ServiceModel.Security.Tokens;

private Binding CreateBinding()
{
    BindingElementCollection bindings = new BindingElementCollection();
    KerberosSecurityTokenParameters tokens = new KerberosSecurityTokenParameters();
    SymmetricSecurityBindingElement security =
        new SymmetricSecurityBindingElement(tokens);
    // Require that every request and return be correlated.
    security.RequireSignatureConfirmation = true;
    bindings.Add(security);
    TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement();
    bindings.Add(encoding);
    HttpTransportBindingElement transport = new HttpTransportBindingElement();
    bindings.Add(transport);
    CustomBinding myBinding = new CustomBinding(bindings);
    return myBinding;
}

Imports System.ServiceModel.Channels
Imports System.ServiceModel.Security.Tokens

Private Function CreateBinding() As Binding
    Dim bindings As New BindingElementCollection()
    Dim tokens As New KerberosSecurityTokenParameters()
    Dim security As New SymmetricSecurityBindingElement(tokens)
    ' Require that every request and return be correlated.
    security.RequireSignatureConfirmation = True
    bindings.Add(security)
    Dim encoding As New TextMessageEncodingBindingElement()
    bindings.Add(encoding)
    Dim transport As New HttpTransportBindingElement()
    bindings.Add(transport)
    Dim myBinding As New CustomBinding(bindings)
    Return myBinding
End Function
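
As an added example (not part of the original article and not a WCF type), the hypothetical helper SignatureConfirmationAudit below checks a binding, such as the one returned by CreateBinding, before it is used. It reports a security element whose RequireSignatureConfirmation is false, a secure conversation bootstrap element that lacks the setting, and a message security version other than WS-Security 1.1.

```csharp
using System.Collections.Generic;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;

// Hypothetical helper (not a WCF type): reports why a binding would not
// perform signature confirmation. An empty result means the check passed.
public static class SignatureConfirmationAudit
{
    public static IList<string> Check(Binding binding)
    {
        var findings = new List<string>();
        SecurityBindingElement security =
            binding.CreateBindingElements().Find<SecurityBindingElement>();
        if (security == null)
        {
            findings.Add("No message security element in the binding.");
            return findings;
        }
        Inspect(security, "binding", findings);

        // With secure conversation, the bootstrap exchange has its own setting
        // (the <secureConversationBootstrap> element in configuration).
        var symmetric = security as SymmetricSecurityBindingElement;
        var sct = symmetric == null ? null
            : symmetric.ProtectionTokenParameters as SecureConversationSecurityTokenParameters;
        if (sct != null && sct.BootstrapSecurityBindingElement != null)
            Inspect(sct.BootstrapSecurityBindingElement, "bootstrap", findings);
        return findings;
    }

    private static void Inspect(SecurityBindingElement element, string where,
                                IList<string> findings)
    {
        bool? required = null;
        if (element is SymmetricSecurityBindingElement)
            required = ((SymmetricSecurityBindingElement)element).RequireSignatureConfirmation;
        else if (element is AsymmetricSecurityBindingElement)
            required = ((AsymmetricSecurityBindingElement)element).RequireSignatureConfirmation;
        if (required == null)
            findings.Add(where + ": element type has no RequireSignatureConfirmation property.");
        else if (required == false)
            findings.Add(where + ": RequireSignatureConfirmation is false.");

        // Signature confirmation is defined in WS-Security 1.1, not 1.0.
        if (element.MessageSecurityVersion.SecurityVersion != SecurityVersion.WSSecurity11)
            findings.Add(where + ": message security version is not WS-Security 1.1.");
    }
}
```

Calling SignatureConfirmationAudit.Check(CreateBinding()) at startup and refusing to open the channel when the list is non-empty keeps a later configuration change from silently dropping the confirmation requirement.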