A soap header may specify a "must understand" flag. This instructs any processing node to throw an exception if this header is not understood by it. Such a behavior is sometimes useful and sometimes very annoying, depending on the circumstances. Let's see how such header looks like in soap:
By default a Wcf service will validate all incoming mustUnderstand headers a client sends. If it does not understand them it will throw the famous 'Did not understand "MustUnderstand" header' exception. Typically you would instruct Wcf not to validate these headers like this:
But this kind of "hard codes" this behavior to the service. Wouldn't it be nice to decide at the configuration level if we want such a behavior or not?
All we need to do is define this class:
Then in the config register it:
And we can now configure our endpoint(s) with this behavior:
A few weeks ago I had to call a legacy wse2 service from a Wcf client. The service behavior was:
Request must be encrypted and signed at the message level
Request must contain a timestamp inside the security header
Response is neither encrypted nor signed
Response nevertheless contains a timestamp inside a security header
You might think that dismissing the signature requirement from the response would do good for interoperability - after all this is less work. However this time less was more. Turns out that Wcf loves symmetry and does not encourage messages in one direction to be signed and in the other direction to be clear. But hey! This complaint is so WCF 3.5. In 4.0 we got the goodie of EnableUnsecuredResponse:
When this setting is on Wcf should be ok with an unsigned response. But in my case even with this flag I was still getting this error:
The security header element ‘timestamp’ with ‘Timestamp-xxxx’ id must be signed.
As you remember the service returns an unsigned timestamp element. Turns out we have this chain of rules:
request contains a timestamp and has some signature requirement -->
the timestamp is always signed (even if we do not wish that) -->
the response must contain a signed timestamp unless EnableUnsecuredRespose in on. In that case timestamp is optional, but if present it must be signed.
So I had to find a way to remove the timestmap from the response. Since the service could not be changed I used my good old friend the custom encoder.
But even after that I got this error:
The 'body', 'http://schemas.xmlsoap.org/soap/envelope/', required message part was not signed.
So WCF was still looking for some ws-security goodies. To solve this I had to remove the security element all together from the response. Here is the snippet I added to the encoder:
Many times removing the security element at all exposes us to some risks like replay attacks or a man in the middle. However here we knew up front that the service does not use any interesting security features in the response so there was no regression.
EnableUnsecuredRespose will allow us not to have a security element in the response even if the request has it. But if the response contains a security element nevertheless, then wcf will take it seriously and if it does not comply with the expected requirements the interaction will fail.
Some time ago I introduced Wcf.js - a wcf-inspired client soap stack for node.js. However Wcf.js itself is a small wrapper on top of Ws.js - the ws-* implementation for node.js. You got it right: Your node.js apps can now access your core services using various ws-* standards. No more proxies for "protocol bridging", no more service rewrites.
My votes go to open source WCF. Like many of the .Net libraries WCF classes become sealed exactly where I want to change their behavior. This is especially true for all things security. Sometimes it is really important to tweak the way WCF signs a message or handles a signed one but today this requires to implement a very long chain of extensions.
The current predominant features also include support for REST in the routing service and web sockets support on earlier windows versions. So far the traditional request to simplify configuration and bindings is not too visible, possibly because the WCF simplificationfeatures have done a great deal here (or because people are more focused on Rest these days).