One of the most common problems folks run into when using WSE2.0 together with other WS-Security toolkits is interop on UsernameToken.
Consider a simple scenario:
A UsernameToken sent over HTTPS. The UsernameToken is used for client authentication, HTTPS is used for message protection. This is a good fit for internet deployments and supersedes HTTP Basic Auth over HTTPS, since it carries the token inside the message, allows the token to flow end to end, and allows for multiple tokens.
WSE 2.0 supports all three forms of sending the password inside a UsernameToken: None, Hashed, and Text. I recommend always using Text and protecting the password by other means (transport- or message-level encryption) to maximize interop.
To configure WSE 2.0 SP3 to consume UsernameTokens from products like WebSphere or WebLogic, you need to disable the WSE replayDetection feature, i.e. add the following to your config:
<microsoft.web.services2>
  ...
  <security>
    ...
    <securityTokenManager xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" qname="wsse:UsernameToken">
      <replayDetection enabled="false"/>
    </securityTokenManager>
    ...
  </security>
  ...
</microsoft.web.services2>
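To make the password forms and the replay check concrete, here is an added Python example (not WSE code and not from the original post) that builds a wsse:UsernameToken in the Text and Digest (Hashed) forms and verifies it on the receiving side. The replay_detection flag on the verifier plays the role of the WSE replayDetection setting above: when it is on, the receiver enforces a Created-time window and rejects reused nonces. The user store, helper names, nonce and timestamp values are constructed for the example.

```python
# Added example (not WSE code or the post's own): builds WS-Security UsernameTokens
# in the Text and Digest password forms and verifies them server-side, including
# the nonce/Created replay check that the WSE replayDetection setting controls.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT = UTP + "#PasswordText"
PW_DIGEST = UTP + "#PasswordDigest"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)


def parse_wsu_time(value):
    """Parse a wsu:Created timestamp (UTC, whole seconds) into an aware datetime."""
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """PasswordDigest per the WSS UsernameToken Profile 1.0:
    Base64(SHA-1(nonce_bytes + created + password))."""
    data = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_username_token(username, password, hashed, nonce=None, created=None):
    """Serialize a wsse:UsernameToken. hashed=False gives the Text form the post
    recommends; hashed=True gives the Digest form with Nonce and Created."""
    tok = ET.Element("{%s}UsernameToken" % WSSE)
    ET.SubElement(tok, "{%s}Username" % WSSE).text = username
    pw = ET.SubElement(tok, "{%s}Password" % WSSE)
    if not hashed:
        pw.set("Type", PW_TEXT)
        pw.text = password  # secrecy comes from HTTPS or message-level encryption
        return ET.tostring(tok, encoding="unicode")
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    pw.set("Type", PW_DIGEST)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, "{%s}Nonce" % WSSE).text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(tok, "{%s}Created" % WSU).text = created
    return ET.tostring(tok, encoding="unicode")


class UsernameTokenVerifier:
    """Receiver-side check. `users` maps username -> clear-text password
    (constructed store; the Digest form cannot be checked against a stored hash).
    replay_detection mirrors the WSE <replayDetection enabled="..."/> switch."""

    def __init__(self, users, replay_detection=True, max_skew=timedelta(minutes=5)):
        self.users = users
        self.replay_detection = replay_detection
        self.max_skew = max_skew
        self.seen_nonces = set()  # in-memory nonce cache; a real service bounds and expires it

    def verify(self, token_xml, now=None):
        tok = ET.fromstring(token_xml)
        expected = self.users.get(tok.findtext("{%s}Username" % WSSE))
        pw = tok.find("{%s}Password" % WSSE)
        if expected is None or pw is None:
            return False
        ptype = pw.get("Type", PW_TEXT)  # Type defaults to PasswordText per the profile
        presented = (pw.text or "").encode("utf-8")
        if ptype == PW_TEXT:
            return hmac.compare_digest(presented, expected.encode("utf-8"))
        if ptype != PW_DIGEST:
            return False
        nonce_b64 = tok.findtext("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        if not nonce_b64 or not created:
            return False
        digest = password_digest(base64.b64decode(nonce_b64), created, expected)
        if not hmac.compare_digest(presented, digest.encode("utf-8")):
            return False
        if self.replay_detection:
            now = now or datetime.now(timezone.utc)
            if abs(now - parse_wsu_time(created)) > self.max_skew:
                return False  # stale or future-dated token
            if nonce_b64 in self.seen_nonces:
                return False  # replayed token
            self.seen_nonces.add(nonce_b64)
        return True
```

Two points follow from the code. First, the Digest form forces the receiver to keep the clear-text password (a stored password hash cannot reproduce the digest), which is one more reason to prefer Text over HTTPS where the receiver can store a hash. Second, with replay detection off (as in the config above) a captured Digest token verifies again on every resend, so transport protection is what prevents capture in the first place.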
Posted Apr 12 2005, 03:47 AM by kirill-gavrylyuk