Single Shot Security Requires Request Reply
Why does message security stop working when the transport isn't HTTP?
There are two ways to secure messages using message security: single shot security (per-message security) and conversations (multiple messages). The difference between these two modes is that a secure conversation establishes an ongoing security context to use for exchanging messages. Single shot security doesn't have any security context because each message is secured individually.
The choice of security pattern affects which messaging patterns you can use with a web service. Providing message security for a service operation requires correlating the incoming and outgoing messages. Only one messaging pattern is naturally correlated: request-reply, because each request message is associated with one and only one response message. One-way and duplex messaging patterns do not offer automatic correlation between request and response messages. When a security context exists, that security session can be used to correlate messages even if the underlying messaging pattern doesn't support correlation.
You should be able to see now that the problem probably isn't that message security has stopped working. The problem is likely that the messaging pattern is no longer correlated and the service has no security context for the exchange. You need to establish a secure conversation to create the security context. The secure conversation can be bootstrapped with a single shot security mechanism. Afterwards, the application messages are transmitted using the secure conversation.
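The two modes side by side, as an added configuration example that is not from the original post. It assumes the service stack is WCF and uses its customBinding configuration elements; the binding names and the choice of MutualCertificate as the single shot mechanism are assumptions, and the certificate credentials themselves would be configured separately in behaviors.

```xml
<!-- Added example (assumes WCF customBinding configuration; binding names are hypothetical). -->
<system.serviceModel>
  <bindings>
    <customBinding>

      <!-- Single shot security over a non-HTTP transport.
           Each message is secured individually and no security context
           exists, so only the request-reply pattern is correlated.
           One-way and duplex operations have nothing to correlate on. -->
      <binding name="singleShotOverTcp">
        <security authenticationMode="MutualCertificate" />
        <binaryMessageEncoding />
        <tcpTransport />
      </binding>

      <!-- Secure conversation over the same transport.
           The bootstrap element names the single shot mechanism used once
           to establish the security context. Application messages are then
           sent inside the conversation, and the security session provides
           correlation even for one-way and duplex operations. -->
      <binding name="conversationOverTcp">
        <security authenticationMode="SecureConversation">
          <secureConversationBootstrap authenticationMode="MutualCertificate" />
        </security>
        <binaryMessageEncoding />
        <tcpTransport />
      </binding>

    </customBinding>
  </bindings>
</system.serviceModel>
```

An endpoint with one-way or duplex operations would reference conversationOverTcp; singleShotOverTcp remains suitable only for request-reply contracts.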
Next time: BeginInvoke Bugs
Comments
- Anonymous
June 11, 2007
It's midway through the final day of the conference so it's about time to give a summary of the week.