Fix to Disable Security on Responses

I've sufficiently recovered from running the last week-long series covering fixes for WCF to do another one. This week I'll again be covering fixes for WCF that may be hard to find and explaining the details behind each problem.

The first fix is a new feature that allows requests secured with message security to be used with unsecured responses. Ordinarily the security requirements of requests and responses are expected to be the same. This is enforced by automatically generating a secure response on the receiver and automatically verifying the security of the response on the initiator.

After applying this fix, a new property called EnableUnsecuredResponse is available on SecurityBindingElement. Setting EnableUnsecuredResponse to true modifies the generation and validation of security headers for response messages accordingly. Since the property is on a specific binding element, you'll need to convert your binding to a custom binding if you're currently using a standard binding.

You can tell whether you're using message security by the presence of a SecurityBindingElement. If the binding has no SecurityBindingElement, you aren't using message security and don't need the fix.
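
The conversion and the presence check described above can be done in code. This is an added example, not code from the original post; the class and helper names are hypothetical, and it assumes the fix is installed so that the property exists.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class UnsecuredResponseExample
{
    // Hypothetical helper: copies a standard binding into a CustomBinding and
    // turns on EnableUnsecuredResponse on its SecurityBindingElement.
    public static CustomBinding AllowUnsecuredResponses(Binding standardBinding)
    {
        // CustomBinding(Binding) copies the binding elements of the standard binding.
        var custom = new CustomBinding(standardBinding);

        // Only a binding that uses message security contains a SecurityBindingElement.
        var security = custom.Elements.Find<SecurityBindingElement>();
        if (security == null)
        {
            throw new InvalidOperationException(
                "Binding has no SecurityBindingElement: message security is not in use.");
        }

        // Requests are still secured. Responses that arrive without a security
        // header are accepted, so they carry no message-level integrity or
        // confidentiality protection.
        security.EnableUnsecuredResponse = true;
        return custom;
    }

    static void Main()
    {
        // Constructed sample binding. EstablishSecurityContext is switched off
        // (an assumption of this example) to keep a single security layer.
        var wsHttp = new WSHttpBinding(SecurityMode.Message);
        wsHttp.Security.Message.EstablishSecurityContext = false;

        CustomBinding binding = AllowUnsecuredResponses(wsHttp);
        var security = binding.Elements.Find<SecurityBindingElement>();
        Console.WriteLine("EnableUnsecuredResponse = " + security.EnableUnsecuredResponse);
    }
}
```

Pass the returned CustomBinding wherever the standard binding was used, for example when constructing the ChannelFactory or adding the service endpoint.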

This fix is available for download from KB article 971493.