I'm trying to consume a client's web service using WCF. The client's web service is done over HTTPS, and I can consume it fine with the following Binding:
<bindings>
  <basicHttpBinding>
    <binding name="PurchaseOrderSoap" closeTimeout="00:01:00" openTimeout="00:01:00"
             receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
             bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
             maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
             messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
             useDefaultWebProxy="true">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                    maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <security mode="Transport" />
    </binding>
  </basicHttpBinding>
</bindings>
However, our security team have told me I need to use Message or TransportWithMessageCredential security, because Fortify 360 complains that Transport security is too weak.
When I try Message I get this error:
System.InvalidOperationException: BasicHttp binding requires that
BasicHttpBinding.Security.Message.ClientCredentialType be equivalent to the
BasicHttpMessageCredentialType.Certificate credential type for secure messages. Select
Transport or TransportWithMessageCredential security for UserName credentials.
And with TransportWithMessageCredential I get the following error:
System.InvalidOperationException: The username is not provided. Specify username in
ClientCredentials.
I've not got a username/password (I can connect to it fine in my browser), so my question is:
Can I use Message or TransportWithMessageCredential when consuming an existing HTTPS web service (without the publisher making any changes)? If so, what changes do I need to make to my configuration?
Edited to clarify question.
If you cannot get the third party vendor to add an endpoint to their service that supports message security then you are stuck. It seems they currently only support basicHttpBinding with transport level security.
Transport security is not "less" secure than message level security. Message level security means the contents of the SOAP message are encrypted. This allows you to either store or relay a message in a clear text way and still be assured no one can peek at the message. If all you are doing is communicating between your system and the vendor over the internet, then transport and message level security are equally secure.
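
An added example, not part of the original question or answer: a Python check that reads a WCF client config, resolves each basicHttpBinding endpoint to its security mode, and confirms that Transport mode is actually paired with an https address. The endpoint addresses, contract names and the second binding are constructed placeholders, and `audit_basic_http` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample: the binding name and mode from the question, plus
# hypothetical <client> endpoints (addresses and contracts are placeholders).
SAMPLE_CONFIG = """<configuration><system.serviceModel>
  <bindings><basicHttpBinding>
    <binding name="PurchaseOrderSoap"><security mode="Transport" /></binding>
    <binding name="NoSecurityElement" />
  </basicHttpBinding></bindings>
  <client>
    <endpoint address="https://vendor.example/PurchaseOrder.asmx" binding="basicHttpBinding"
              bindingConfiguration="PurchaseOrderSoap" contract="Vendor.PurchaseOrderSoap" />
    <endpoint address="http://vendor.example/Legacy.asmx" binding="basicHttpBinding"
              bindingConfiguration="NoSecurityElement" contract="Vendor.LegacySoap" />
  </client>
</system.serviceModel></configuration>"""

def audit_basic_http(config_xml):
    """Return {binding name: (security mode, endpoint scheme, verdict)}."""
    root = ET.fromstring(config_xml)
    modes = {}
    for binding in root.iterfind(".//bindings/basicHttpBinding/binding"):
        sec = binding.find("security")
        # basicHttpBinding falls back to mode "None" when <security> is absent.
        modes[binding.get("name")] = sec.get("mode", "None") if sec is not None else "None"
    report = {}
    for ep in root.iterfind(".//client/endpoint"):
        if ep.get("binding") != "basicHttpBinding":
            continue
        name = ep.get("bindingConfiguration")
        mode = modes.get(name, "None")
        scheme = urlparse(ep.get("address", "")).scheme.lower()
        if mode == "None":
            verdict = "cleartext: no transport or message protection"
        elif mode in ("Transport", "TransportWithMessageCredential"):
            # Both modes rely on TLS, so the endpoint address must be https.
            verdict = "TLS in transit" if scheme == "https" else "misconfigured: needs https"
        elif mode == "Message":
            verdict = "message-level WS-Security: the service must support it"
        else:  # e.g. TransportCredentialOnly
            verdict = "review: message body is not encrypted in transit"
        report[name] = (mode, scheme, verdict)
    return report

if __name__ == "__main__":
    for name, row in audit_basic_http(SAMPLE_CONFIG).items():
        print(name, *row, sep=" | ")
```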