On Wednesday 25 August 2010 12:31:15 am Dennis Sosnoski wrote:
> On 08/25/2010 06:31 AM, Daniel Kulp wrote:
> After more investigation, it looks like what's happening is that the
> UsernameToken *is* being sent, but in encrypted form. I'm not sure if
> that's correct or not.
>
> I have the UsernameToken in the policy as a SupportingToken. WS-SP says
> this about that:
>
> /The supporting tokens can be added to any SOAP message and do not
> require any protection (signature or encryption) to be applied to the
> message before they are added. More specifically there is no requirement
> on "message signature" being present before the supporting tokens are
> added. However it is RECOMMENDED to employ underlying protection
> mechanism to ensure that the supporting tokens are cryptographically
> bound to the message during the transmission./
>
> So does this mean that if encryption is possible the stack should
> automatically encrypt the token anyway? I don't know. Any opinions?
>
> In any case, it's nothing to do with attachment points - I get the same
> result when I only use a single combined policy.
It's kind of an interoperability thing with .NET. .NET really doesn't accept an unsecured UsernameToken if there is ANY way that the UsernameToken can be secured. In this case, with the exact same policy, if we sent it to .NET unencrypted, .NET would reject it. Since the passwords and stuff are pretty insecure in a UsernameToken, MS requires the extra encryption to secure it. An https connection is fine or it requires it to be a fully encrypted token.

--
Daniel Kulp
[email protected]
http://dankulp.com/blog
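As an added illustration (not part of the thread and not CXF's or Dennis's policy), here are the two WS-SecurityPolicy 1.2 shapes the reply contrasts: the bare SupportingTokens assertion that leaves protection of the UsernameToken up to the stack, and the assertion that states the signing and encryption explicitly. The enclosing message-level binding (asymmetric or symmetric) is assumed and not shown.

```xml
<!-- Weak form: a bare SupportingTokens assertion. The policy promises no
     protection for the UsernameToken, so whether it crosses the wire in the
     clear depends on the stack, and (per the reply above) a .NET peer that
     could have secured it rejects the unprotected token. -->
<sp:SupportingTokens
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:Policy>
    <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken10/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SupportingTokens>

<!-- Explicit form: the same token declared as SignedEncryptedSupportingTokens.
     The enclosing message-level binding (assumed, not shown) must then sign
     and encrypt the token, so both peers agree on the protection instead of
     one stack applying it implicitly. This matches the reply's "fully
     encrypted token" case; the "https connection is fine" case is a
     TransportBinding with sp:HttpsToken, where the TLS channel protects the
     token in transit. -->
<sp:SignedEncryptedSupportingTokens
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:Policy>
    <sp:UsernameToken
        sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken10/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SignedEncryptedSupportingTokens>
```

Declaring the protection in the policy also makes it visible in the WSDL, so an interoperating peer can check the contract rather than relying on one side's default behaviour.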
