Getting WCF to accept unsigned 'To' Header

2020-05-03 12:42发布

I have a WCF web service that is using WSHttpBinding. The security is TransportWithMessageCredential. I have a client connecting to me that is sending a Soap message with the To element in the header unsigned. My service doesn't like this and is throwing System.ServiceModel.Security.MessageSecurityException with the message "The message received over Transport security has unsigned 'To' header". I haven't been able to find the signing of the element specified specifically in the WS-Security spec but I have seen it recommended to prevent redirect attacks.

So does anyone know if there is anyway for me to configure my web service not to check for the To element to be signed? Also the other side of the issue but I cannot change how this client is connecting to me.

1条回答
Anthone
2楼-- · 2020-05-03 13:04

We've had the same issue, and contacted Microsoft support about it. They released a hotfix for this. See the KB article at

https://support.microsoft.com/en-us/kb/2974335

查看更多
登录 后发表回答