Monday, May 24, 2010

Using OASIS Username Token profile in WCF

WCF is set to follow the OASIS Web Services Security standards (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-UsernameTokenProfile.pdf). However, it adds some restrictions of its own to the implementation of the standard, and those restrictions defeat interoperability with existing systems that follow the standard.

The problem is that OASIS defines two different password types, #PasswordText and #PasswordDigest. WCF only supports the former, arguing, correctly, that the latter is not secure enough and can easily be broken by an attacker with a dictionary attack.

The UserName token is implemented as an element in the Security header that consists of the following (see the OASIS standard for more detailed information):

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken xmlns:wsu='http://docs.oasis-…-1.0.xsd'>
    <wsse:Username>vortex</wsse:Username>
    <wsse:Password Type='http://docs.oasis-…#PasswordText'>ajadex12345</wsse:Password>
  </wsse:UsernameToken>
</wsse:Security>

and when using #PasswordDigest it could look like this:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <wsse:UsernameToken xmlns:wsu='http://docs.oasis-…-1.0.xsd'>
    <wsse:Username>vortex</wsse:Username>
    <wsse:Password Type='http://docs.oasis-…#PasswordDigest'><!-- Base64(SHA-1(nonce + created + password)), not the clear password --></wsse:Password>
    <wsse:Nonce EncodingType='http://docs.oasis-…#Base64Binary'>P92CaT6ncSUnjYUiado6Yh1=</wsse:Nonce>
    <wsu:Created>2010-05-17T23:05:07.944Z</wsu:Created>
  </wsse:UsernameToken>
</wsse:Security>

To communicate with an existing Web Service that uses #PasswordDigest and therefore requires the additional Nonce and Created elements in the Security header, we need to use the extensibility features of WCF, because the current implementation will not generate this header.
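As an added illustration, not code from this post or from WCF, here is the digest the profile prescribes, Base64(SHA-1(nonce + created + password)), the header built around it, and the server-side checks that the digest form depends on: a constant-time comparison, a freshness window on Created, and rejection of a reused Nonce. The function and class names are my own; the namespace URIs beyond the secext one quoted in the post are the standard OASIS WSS 1.0 ones, and the username, password and Created value are the ones from the post's sample.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Namespace and type URIs from the OASIS WSS 1.0 specs (the secext one appears in the post).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # PasswordDigest = Base64(SHA-1(nonce || created || password)): raw nonce bytes, UTF-8 text.
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def parse_created(created: str) -> datetime:
    # wsu:Created as in the post's sample: UTC with a millisecond fraction and a trailing Z.
    return datetime.strptime(created, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def username_token(username: str, password: str, nonce: bytes, created: str) -> str:
    # The wsse:Security header shown in the post, with the Nonce and Created elements WCF omits.
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{username}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{B64}">{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>'
        f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
    )

class DigestVerifier:
    # Server side: constant-time digest compare plus the two controls the digest form relies on,
    # a freshness window on Created and a cache that rejects a reused Nonce (replay).
    def __init__(self, passwords: dict, window: timedelta = timedelta(minutes=5)):
        self.passwords = passwords  # username -> clear password: the service must recompute the digest
        self.window = window
        self.seen_nonces = set()

    def verify(self, username: str, digest: str, nonce_b64: str, created: str, now: datetime) -> bool:
        password = self.passwords.get(username)
        stale = abs(now - parse_created(created)) > self.window
        if password is None or stale or nonce_b64 in self.seen_nonces:
            return False
        expected = password_digest(base64.b64decode(nonce_b64), created, password)
        if not hmac.compare_digest(expected, digest):
            return False
        self.seen_nonces.add(nonce_b64)  # remember the nonce only after a successful check
        return True
```

Note that the verifying service must hold the clear password to recompute the digest, which is part of why the digest form is weaker than it looks.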

We have two options here: implement a custom security token (http://msdn.microsoft.com/en-us/library/ms731872.aspx and http://msdn.microsoft.com/en-us/library/ms751517.aspx) or intercept the request and attach the Security header ourselves. I had no luck with the first option and couldn't find a proper example on the Internet. With the second choice, however, I was able to get things working with an implementation that attaches the Security header. I will describe that in the next post.

3 comments:

  1. I don't see a "next" post yet. I'm very interested in your solution. Please show us how you solved this! Thanks :)

  2. Did you take a look at this url: http://blogs.msdn.com/b/aszego/archive/2010/06/24/usernametoken-profile-vs-wcf.aspx

  3. Sorry, I didn't see your comments until now. Here's the "next" post (http://isyourcode.blogspot.com/2010/08/attaching-oasis-username-tokens-headers.html).
