Sending and Receiving SOAP Messages Using WSE SOAP Messaging
WSE 2.0 added SOAP Messaging, which allows Web services to communicate using transports other than just HTTP. WSE 3.0 allows you to use other transports, such as TCP with Web services created using ASP.NET. For information about using other protocols with Web services created using ASP.NET, see How to: Host an ASP.NET Web Service Outside of IIS.
WSE SOAP Messaging
WSE 2.0 provides support for communicating using transports other than just HTTP. Specifically, SOAP Messaging supports sending messages using either the TCP or HTTP protocols asynchronously, or in a request/response manner. And when the TCP transport protocol is used, the SOAP messages can be sent and received without using a Web server. A Web server, which only handles HTTP requests, operates based upon the HTTP specification that states for every HTTP request there is an HTTP response. This request/response model is not always necessary when sending messages; a SOAP message sender might need to send several messages and may not need or expect any return SOAP messages. The SOAP messaging in WSE accommodates this type of message exchange pattern, while still allowing developers to take advantage of the other features of WSE, such as the digital signature and encryption support. For more information about WSE SOAP messaging, see Sending and Receiving SOAP Messages Using WSE Messaging API.
Before you deploy an application that sends and receives SOAP messages using the TCP protocol, a security expert should perform a security analysis on the parts of the application that are potentially open to attack. WSE helps mitigate attacks by providing the following configuration elements:
- <allow> Element
- <allowRedirectedResponses> Element
- <connectionLimit> Element
- <deny> Element
- <executionTimeoutInSeconds> Element
- <hosts> Element
- <idleTimeoutInMilliSeconds> Element
- <limits> Element
- <maxMessageLength> Element
- <receiveTimeoutInMilliSeconds> Element
- <sendTimeoutInMilliSeconds> Element
The <allowRedirectedResponses> Element, <executionTimeoutInSeconds> Element, and <maxMessageLength> Element configuration elements can also be used to help mitigate attacks with SOAP messages sent with other protocols, such as HTTP and HTTPS.