So recently we exposed a service to a Java client. Our service utilizes transport security along with username/password validation.
When attempting to call our service the client was receiving an exception about security headers. Further research indicated that WCF expects a timestamp to be included in the SOAP header passed from client. If this is not present (or variance is greater than 5 minutes) it will throw an exception.
We also found that Java clients do not pass the timestamp WCF is expected. The only workaround we found was to implement the CustomBinding and set IncludeTimestamp to false. This allowed the client to successfully call the service.
Today while looking up best practices for security with WCF I see the following on MSDN:
Set SecurityBindingElement.IncludeTimestamp to True on Custom Bindings
When you create a custom binding, you must set IncludeTimestamp to true. Otherwise, if IncludeTimestamp is set to false, and the client is using an asymmetric key-based token such as an X509 certificate, the message will not be signed.
So, my question is what is the best practice when exposing WCF (and eventually Web API) services to the outside world while utilizing SSL (Transport) to non-.NET clients???
