EncodingType attribute in nonce

Question

EncodingType attribute in nonce

Bala Gubba 1

Hello Everyone,

We have an asp.net web application (.Net 4.6) that needs to consume few services which are exposed through an enterprise integration platform. The enterprise platform requires all clients to send the security header that matches the basic security profile username token specification:

http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-UsernameTokenProfile-v1.1.1-os.html

http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html#Nonce/@EncodingType_Attribute_Mandatory

To consume these web services, our asp.net web application created a proxy class by importing the wsdl. And then on the proxy class, we add the user credentials...as an example it is shown below:

proxyStatusClient.RequestSoapContext.Security.Tokens.Add(token);
proxyStatusClient.SetClientCredential<UsernameToken>(token);

This generates the soap header to have the user credentials along with the nonce element however nonce element does not have the encodingtype attribute which is mandatory for the enterprise platform.

<wsse:Username>test</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">test</wsse:Password>

        <wsse:Nonce>rqgwyErTk7l5l7t1DqhdK</wsse:Nonce>

        <wsu:Created>2013-05-31T17:49:07.888Z</wsu:Created>

Since encodingtype attribute is missing on Nonce, platform rejects the request.

We could obviously fix the issue by modifying the security header before sending the request to the platform, however we would like to avoid tampering the headers which are generated by .Net.

Any ideas why this is happening and what should be done at configuration level to allow .Net generate the nonce element with encodingtype attribute?

Thanks
Bala

Yijing Sun-MSFT 7,106 Reputation points

2022-03-02T07:15:07.313+00:00

Hi @Bala Gubba ,
The EncodingType flag is according to the WSSE Username and Token Security Spec 1.1. However,.NET does not meet that spec.
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-02T07:19:55.71+00:00

Thanks Yijing for your prompt response. Are there any plans for .Net to support this?

Really appreciate this update because the services owner is not willing to change their services or use a workaround from their side.
Yijing Sun-MSFT 7,106 Reputation points

2022-03-03T03:51:36.363+00:00

Hi @Bala Gubba ,
Is there a possible that you don't use nonce? In the specification of UsernameToken WSS document its written that Nonce and Created are not required.Is it possible that you can complete the configuration on the server?
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-03T11:15:40.403+00:00

Hi Yijing,

Unfortunately no changes are allowed on the server and this is the main requirement from the service provider that username token with nonce is required.

Thanks
Bala
Yijing Sun-MSFT 7,106 Reputation points

2022-03-04T03:41:16.24+00:00

Hi @Bala Gubba ,
As far as I know, WCF doesn't have support for the Digest Nonce as part of WS-Security, and so as far as I can tell there's no way to do it just with configuration settings. Unless you create custom clientCredentials.
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-04T11:09:30.467+00:00

Hi Yijing,

We are not using WCF....we are creating the proxy classes by importing the wsdl and then use the proxy class directly. Proxy class is deriving from WebServicesClientProtocol.

Thanks
Bala

1 answer

Your answer

Yijing Sun-MSFT 7,106 Reputation points

2022-03-02T07:15:07.313+00:00

Hi @Bala Gubba ,
The EncodingType flag is according to the WSSE Username and Token Security Spec 1.1. However,.NET does not meet that spec.
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-02T07:19:55.71+00:00

Thanks Yijing for your prompt response. Are there any plans for .Net to support this?

Really appreciate this update because the services owner is not willing to change their services or use a workaround from their side.
Yijing Sun-MSFT 7,106 Reputation points

2022-03-03T03:51:36.363+00:00

Hi @Bala Gubba ,
Is there a possible that you don't use nonce? In the specification of UsernameToken WSS document its written that Nonce and Created are not required.Is it possible that you can complete the configuration on the server?
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-03T11:15:40.403+00:00

Hi Yijing,

Unfortunately no changes are allowed on the server and this is the main requirement from the service provider that username token with nonce is required.

Thanks
Bala
Yijing Sun-MSFT 7,106 Reputation points

2022-03-04T03:41:16.24+00:00

Hi @Bala Gubba ,
As far as I know, WCF doesn't have support for the Digest Nonce as part of WS-Security, and so as far as I can tell there's no way to do it just with configuration settings. Unless you create custom clientCredentials.
Best regards,
Yijing Sun
Bala Gubba 1 Reputation point

2022-03-04T11:09:30.467+00:00

Hi Yijing,

We are not using WCF....we are creating the proxy classes by importing the wsdl and then use the proxy class directly. Proxy class is deriving from WebServicesClientProtocol.

Thanks
Bala

Answer 1

AgaveJoe 30,491

I'm a little confused by your initial post. I'm guessing you used Visual Studio's service reference utility or the ServiceModel Metadata Utility Tool to generate a SOAP client in code. This process generates a partial class and you get to extend the partial class however you like without touching the generated code.

If you know what's wrong and you know how to fix the problem then simply fix the problem.

Share via

EncodingType attribute in nonce

1 answer

Your answer