We have developed a WCF4 service with usernameToken authentication that is being consumed by a Java/Axis client (that we have no control over).
I can see that the body of the request coming in looks like this…
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wss:Security xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wss:UsernameToken>
<wss:Username>username</wss:Username>
<wss:Password>password</wss:Password>
</wss:UsernameToken>
</wss:Security>
</soapenv:Header>
<soapenv:Body>
{snipped}
</soapenv:Body>
</soapenv:Envelope>
and the response we are returning looks like this…
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-05-02T01:23:12.711Z</u:Created>
<u:Expires>2012-05-02T01:28:12.711Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
{snipped}
</s:Body>
</s:Envelope>
The problem is the s:mustUnderstand=”1″ attribute in the response. This is causing a “Must Understand check failed” error in the Java/Axis client.
Does anyone know how to configure WCF to remove this s:mustUnderstand attribute or at least set it to “0” instead of “1”?
The solution we came up with to overcome this interop problem was to change to a custom binding and specify the includeTimestamp=”false” attribute. By doing this the timestamps (Created and Expired) were not added into the response and therefore the whole security header dissapeared – including the mustUnderstand attribute which was causing all the problems.
So the response now simply looks like this…