Home/ Questions/Q 451673
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-12T21:59:32+00:00

I’m looking for some technical detail on where the actual username + password (credentials)

  • 0

I’m looking for some technical detail on where the actual username + password (credentials) are being stored during the message exchange using a WCF binding like the below.

<bindings>
    <wsHttpBinding>
        <binding name="wsHttp">
            <security mode="TransportWithMessageCredential">
                <transport/>
                <message clientCredentialType="UserName" 
                         negotiateServiceCredential="false" 
                         establishSecurityContext="true" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

Then inside the client application I call this service passing a valid set of creds like so 

using (SupplierServiceClient client = new SupplierServiceClient()) {
            client.ClientCredentials.UserName.UserName = "admin";
            client.ClientCredentials.UserName.Password = "password";

            SupplierList = client.GetSupplierCollection();
}

At first I assumed that WCF was taking this data and putting it into the SOAP header but it doesn’t appear that way from the WSDL … any help?

Edit:

The below is what the security configuration for the client looks like in production

<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None" />
    <message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    By setting the UserNameCredentials you are in fact leveraging the Username Token Profile. This causes the token to be added to the message as a SOAP header. The SOAP header will look something like this:

    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <env:Header>
        <wsse:UsernameToken>
            <wsse:Username>jdoe</wsse:Username>
            <wsse:Password>passw0rd</wsse:Password>
            <wsse:Nonce><!-- optional nonce here --></wsse:Nonce>
        </wsse:UsernameToken>
    </env:Header>
    <env:Body>
        <!-- body here -->
    </env:Body>
</env:Envelope>

    Now, I’m not exactly sure why you’re mentioning WSDL. The token wouldn’t appear in the WSDL, though the WSDL should contain the proper WS-Policy annontations on the operation. This would let consumers of the WSDL discover that they actually need to send in the UsernamePasswordToken to the request.

    Finally, someone brought up RequestSecurityToken (RST), but there shouldn’t (need to) be an RST involed if you’re just using simple UsernameToken authentication. The only time an RST needs to be involved is if you’re doing a token exchange with a Secure Token Server (STS) using WS-Trust.

    • 0