WCF: Observing Message ProtectionOrder

Objective 1:

Impact of the protection order.

Objective 2:

How to observe/confirm from WCF traces that my request is signed and encrypted.

Objective 3:

Apply the same trace-reading knowledge to troubleshooting INTEROP scenarios.


Understanding:

http://msdn.microsoft.com/en-us/library/system.servicemodel.security.messageprotectionorder.aspx

 

 

Scope:

Protection order applies only when messages are secured with SOAP message security (security mode="Message").

It is not available once we move to transport security (security mode="TransportWithMessageCredential").

It is, however, possible with a custom binding that uses a dual layer of encryption (message-level plus transport-level): http://blogs.msdn.com/b/saurabs/archive/2013/05/03/wcf-dual-layer-encryption-message-transport.aspx


Available options (the values of the MessageProtectionOrder enumeration linked above):

1. SignBeforeEncrypt

2. SignBeforeEncryptAndEncryptSignature

3. EncryptBeforeSign

Default:

SignBeforeEncryptAndEncryptSignature

 

 

 

Scenario 1:

Leave the MessageProtectionOrder at its default:

Service: (configuration image not available)

Client Request: (trace image not available)


Assessment:

To understand the protection level at the SOAP envelope layer, refer to this blog: http://blogs.msdn.com/b/saurabs/archive/2012/05/15/wcf-interop-understanding-protection-level.aspx

 

Conclusion:

1. The request is signed (the signed part carries u:Id="_0") and encrypted (the EncryptedData carries Id="_1").

2. To read them from the traces, trace these IDs back to the sections of the envelope that carry them.

 

 

Queries:

1. I can't find the Signature tag in the Envelope; is my request signed?

Yes, the request is signed, but because of the default protection order (SignBeforeEncryptAndEncryptSignature) the Signature element itself is encrypted, so it does not appear in clear text in the trace.

  

 

 

 

Scenario 2:

Let us change the default protection order so that we can:

1. Observe WCF traces with the signature in clear text (proper signing).

2. Read the Signature token.

Service: (configuration image not available)

Client Request: (trace image not available)


Assessment:

To understand the protection level at the SOAP envelope layer, refer to this blog: http://blogs.msdn.com/b/saurabs/archive/2012/05/15/wcf-interop-understanding-protection-level.aspx

 

 

Conclusion:

1. The request is signed (the signed part carries u:Id="_2") and encrypted (the EncryptedData carries Id="_3").

2. To read them from the traces, trace these IDs back to the sections of the envelope that carry them.

 

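The back-tracing step described in the conclusions of both scenarios can be scripted. The following Python script is an added example and is not code from the original post or from WCF: it reads a WS-Security SOAP envelope as it would appear in a WCF message trace, resolves every u:Id / Id reference to the element that carries it, lists which sections are signed and which are encrypted, and reports whether the ds:Signature is readable (SignBeforeEncrypt or EncryptBeforeSign) or is itself carried as an EncryptedData inside the Security header (the default SignBeforeEncryptAndEncryptSignature, which is why no Signature tag is visible in Scenario 1). Both envelopes are constructed for this example; the IDs _0, _1, _2 and _ts, the timestamp and the CipherValue contents are placeholders, not values from a real trace.

```python
"""Back-trace the u:Id / Id references in a WS-Security SOAP envelope (as seen in a
WCF message trace) and report how the request was protected.
Added example: the envelopes below are constructed, not real WCF traces."""
import json
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "e": "http://www.w3.org/2001/04/xmlenc#",
}
U_ID = "{%s}Id" % NS["u"]

HEAD = ('<s:Envelope xmlns:s="%(s)s" xmlns:u="%(u)s" xmlns:o="%(o)s" '
        'xmlns:e="%(e)s" xmlns:ds="%(ds)s">') % NS
# Body signed under u:Id="_0" and encrypted as EncryptedData Id="_1" (placeholder ids)
BODY = """<s:Body u:Id="_0"><e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content">
  <e:CipherData><e:CipherValue>...body ciphertext...</e:CipherValue></e:CipherData>
  </e:EncryptedData></s:Body></s:Envelope>"""
TIMESTAMP = '<u:Timestamp u:Id="_ts"><u:Created>2013-05-03T00:00:00Z</u:Created></u:Timestamp>'

# Constructed trace for the default order: no ds:Signature in clear text; the signature
# travels as a Type=Element EncryptedData (Id="_2") inside the Security header.
DEFAULT_ORDER = HEAD + "<s:Header><o:Security>" + TIMESTAMP + """
  <e:EncryptedKey><e:ReferenceList><e:DataReference URI="#_1"/><e:DataReference URI="#_2"/></e:ReferenceList></e:EncryptedKey>
  <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Element">
  <e:CipherData><e:CipherValue>...signature ciphertext...</e:CipherValue></e:CipherData></e:EncryptedData>
  </o:Security></s:Header>""" + BODY

# Constructed trace for SignBeforeEncrypt: ds:Signature stays readable and its
# References point at the Timestamp (#_ts) and the Body (#_0).
SIGN_BEFORE_ENCRYPT = HEAD + "<s:Header><o:Security>" + TIMESTAMP + """
  <e:EncryptedKey><e:ReferenceList><e:DataReference URI="#_1"/></e:ReferenceList></e:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
  <ds:Reference URI="#_ts"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
  <ds:Reference URI="#_0"><ds:DigestValue>...</ds:DigestValue></ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  </o:Security></s:Header>""" + BODY


def local_name(el):
    return el.tag.rsplit("}", 1)[-1]


def section_of(el, parents):
    """Path of local names from the Envelope down to el, e.g. Envelope/Body."""
    names = []
    while el is not None:
        names.append(local_name(el))
        el = parents.get(el)
    return "/".join(reversed(names))


def analyse(envelope_xml):
    root = ET.fromstring(envelope_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    # Back-trace table: u:Id (parts prepared for signing) and Id (EncryptedData) -> element
    ids = {el.get(attr): el for el in root.iter() for attr in (U_ID, "Id") if el.get(attr)}
    security = root.find("s:Header/o:Security", NS)
    if security is None:
        raise ValueError("no WS-Security header: message security is not in use")

    def resolve(uri):
        el = ids.get(uri.lstrip("#"))
        if el is None:
            raise ValueError("dangling reference " + uri)
        return el

    # Encrypted parts: each DataReference names an EncryptedData; Type=Content means the
    # parent element (e.g. s:Body u:Id="_0") is the part whose content was encrypted.
    encrypted = []
    for ref in security.findall(".//e:ReferenceList/e:DataReference", NS):
        enc = resolve(ref.get("URI", ""))
        owner = enc if enc.get("Type", "").endswith("#Element") else parents[enc]
        encrypted.append((ref.get("URI"), section_of(owner, parents)))

    # Signed parts can only be read when the ds:Signature itself is in clear text
    signatures = root.findall(".//ds:Signature", NS)
    signed = [(ref.get("URI"), section_of(resolve(ref.get("URI", "")), parents))
              for sig in signatures for ref in sig.findall("ds:SignedInfo/ds:Reference", NS)]

    if signatures:
        order = "SignBeforeEncrypt or EncryptBeforeSign (signature readable)"
    elif security.find("e:EncryptedData", NS) is not None:
        # WCF's default: the Signature element was encrypted after signing
        order = "SignBeforeEncryptAndEncryptSignature (signature encrypted)"
    else:
        order = "no signature found"
    return {
        "order": order,
        "signed": signed,
        "encrypted": encrypted,
        "id_table": sorted((i, local_name(el)) for i, el in ids.items()),
    }


if __name__ == "__main__":
    for name, env in (("default", DEFAULT_ORDER), ("SignBeforeEncrypt", SIGN_BEFORE_ENCRYPT)):
        print(name, json.dumps(analyse(env), indent=1))
```

Run it against the SOAP envelope copied out of the trace viewer: in the default-order case the id_table still shows the Body carrying a u:Id (it was prepared for signing) while the only Signature-related entry is an EncryptedData in the Security header, which is exactly the situation behind the query in Scenario 1. The script only reads the result; the order itself is selected on the binding (the MessageProtectionOrder property of the symmetric or asymmetric security binding element, or the messageProtectionOrder attribute of a custom binding's security element in configuration).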

 

I hope this information helps in reviewing WCF traces and identifying the type of request being generated by the client. This knowledge comes in pretty handy when troubleshooting INTEROP cases.
