A third party in charge of developing Java based webservice came back to us with requirement that message header needs to look like this:
<soapenv:Header>
<wsse:Security>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-1"/>
</xenc:ReferenceList>
<wsse:UsernameToken>
<wsse:Username>[snip]</wsse:Username>
<xenc:EncryptedData Id="EncDataId-1" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:KeyName>[snip]</ds:KeyName>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>[snip]</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
Given my very surfacish understanding of this security voodoo magic I am having trouble figuring out how configure my client to produce such header. Right now my code looks like this:
client.ClientCredentials.UserName.UserName = "[snip]";
client.ClientCredentials.UserName.Password = "[snip]";
and the header:
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken u:Id="uuid-e906a1ca-aa63-474c-b4ac-cf9b90ab2435-1">
<o:Username>[snip]</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">[snip]</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
and binding:
<binding name="SMSSoap11">
<security mode="TransportWithMessageCredential" />
</binding>
WCF will not produce this output for you. You will have to write your own token for this and maybe even more. WCF supports only username token with plain password out-of-the-box and your code example even doesn’t look like any part of username token specification. If the goal is to use encrypted password with WS-Security then the security header seems incomplete.
You should ask Java developers what are security requirements in terms of WS-SecurityPolicy?