My favorite method of inspecting SOAP messages when I am working with WSE2.0 is Mike Taulty’s WSE 2.0 Tracing Utility. Mike had to update the tool to work with SP2. If you use this tool, and have updated to SP2, be sure to grab the new version here. You will need to modify your config files as well.

If you are using WSE2 and not using Mike’s utility, I highly recommend that you try it. The messages are so much more disoverable and readable than opening up the log files in notepad..

Posted from BLInk!

At Web Services Edge, someone asked me in the hallway about doing WSE2 Security without X509 certificates. Although there is, out of the box, support for Kerberos (which I still know nearly zip about) and you can write custom tokens as well, I think the question was really about how to do security well with login/pw —> UsernameTokens.

The answer is that you can, but with the caveat that logins/passwords are often (thanks to social engineering and use of passwords like “cat”) not the best way to go.

However, if you are hoping to do this with UsernameTokens, there are two important resources you should be aware of.

1) Keith Brown’s recent article on the Web Services dev center on Securing UsernameTokens with WSE 2.0

2) To solve another problem – doing SecureConversation with UsernameTokens – which still basically requires a web server x509 certificate – see William Stacy’s blog post which accomplished what a number of us have been trying to do for some time!