I have a WCF web service with WS-* security and I need to write a Java client for it using WSS4J API.
But, as it turns out WSS4J does not support the <SecurityContextToken> and <DerivedKeyToken> tags, which are specific to WS-SecureConversation.
is there a way to turn it off via code or better, via web.config?
UPDATE:
Service definition:
<service name="my.service"
behaviorConfiguration="SecureTransport">
<endpoint
address="mex"
binding="mexHttpBinding"
contract="IMetadataExchange" />
<endpoint
contract="my.interface"
binding="wsHttpBinding"
bindingConfiguration="UsernameAndPassword"/>
</service>
Behaviour and Bindings:
<behaviors>
<serviceBehaviors>
<behavior name="SecureTransport">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="example.API.Security.CustomUserNameValidator, APISecurity" />
<serviceCertificate findValue="CN=Example" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectDistinguishedName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="UsernameAndPassword">
<security mode="Message">
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
Just turn security context and probably also negotiation in your binding configuration:
<bindings>
<wsHttpBinding>
<binding name="UsernameAndPassword">
<security mode="Message">
<message clientCredentialType="UserName" establishSecurityContext="false"
negotiateServiceCredential="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>