Can I disable encryption of the RequestSecurityTokenResponse and handle only the signature? Disabling encryption in Windows Identity Foundation
I created a custom STS for a demo based on the WIF SDK, extending Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService, and I cannot find a setting that makes it not use encryption.
I just ran the "Add STS Reference" wizard in Visual Studio, choosing the option to create a new STS. The template the tool generates does add encryption support for the token, but if no certificate is provided then it is disabled :( (I left all the default comments in)
```csharp
protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
{
    ValidateAppliesTo(request.AppliesTo);

    //
    // Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
    // and is located in the Personal certificate store of the Local Computer. Before going into production,
    // ensure that you change this certificate to a valid CA-issued certificate as appropriate.
    //
    Scope scope = new Scope(request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials);

    string encryptingCertificateName = WebConfigurationManager.AppSettings["EncryptingCertificateName"];
    if (!string.IsNullOrEmpty(encryptingCertificateName))
    {
        // Important note on setting the encrypting credentials.
        // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
        // You can examine the 'request' to obtain information to determine the certificate to use.
        scope.EncryptingCredentials = new X509EncryptingCredentials(CertificateUtil.GetCertificate(StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName));
    }
    else
    {
        // If there is no encryption certificate specified, the STS will not perform encryption.
        // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.
        scope.TokenEncryptionRequired = false;
    }

    // Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed.
    // In this template, we have chosen to set this to the AppliesToAddress.
    scope.ReplyToAddress = scope.AppliesToAddress;

    return scope;
}
```
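The same GetScope decision written out per relying party, as an added example (not code from the post above or from the WIF SDK template): it encrypts to the RP's own certificate when one is configured, falls back to a signed-but-unencrypted token only for bearer requests, and refuses symmetric-key requests that would otherwise leak the proof key. The SelectiveEncryptionSts class, the EncryptionCertByRealm table, the realm URI and the thumbprint are all hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

public class SelectiveEncryptionSts : SecurityTokenService
{
    // Hypothetical table: RP realm -> thumbprint of that RP's encryption certificate (placeholder values).
    private static readonly Dictionary<string, string> EncryptionCertByRealm =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase) { { "https://rp.example.test/", "PLACEHOLDER_THUMBPRINT" } };

    public SelectiveEncryptionSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("AppliesTo is required.");
        string realm = request.AppliesTo.Uri.OriginalString;
        Scope scope = new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = scope.AppliesToAddress;
        string thumbprint;
        if (EncryptionCertByRealm.TryGetValue(realm, out thumbprint))
        {
            // Known RP: encrypt to its own certificate, as the wizard template's comment recommends.
            scope.EncryptingCredentials = new X509EncryptingCredentials(FindCertificate(thumbprint));
            return scope;
        }
        // No RP certificate. A bearer token carries no proof key, so it can go out signed but unencrypted;
        // its claims are then readable by anyone holding the token, so the transport must be TLS.
        // A symmetric proof key has to be encrypted for the RP, so refuse rather than issue it in the clear.
        // An unspecified KeyType is treated as not bearer.
        if (request.KeyType != KeyTypes.Bearer)
            throw new InvalidRequestException("No encryption certificate configured for " + realm);
        scope.TokenEncryptionRequired = false;
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        return principal.Identities[0]; // pass-through for the demo; a real STS filters claims per RP
    }

    private static X509Certificate2 FindCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        store.Close();
        if (found.Count == 0) throw new InvalidOperationException("Encryption certificate not found: " + thumbprint);
        return found[0];
    }
}
```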
I created a custom SecurityTokenHandler and overrode its GetEncryptingCredentials method to return null, similar to the lines below, and it works:
```csharp
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml11;

public class MyCustomSecurityTokenHandler : Saml11SecurityTokenHandler
{
    public MyCustomSecurityTokenHandler() : base() { }

    // Returning null means the handler has no encrypting credentials, so the issued
    // SAML 1.1 assertion is signed but not encrypted.
    protected override EncryptingCredentials GetEncryptingCredentials(SecurityTokenDescriptor tokenDescriptor)
    {
        return null;
    }
}
```
Then in the SecurityTokenService class I override GetSecurityTokenHandler to return the custom class created before:
```csharp
// Inside the SecurityTokenService subclass: hand every issue request to the custom handler.
protected override SecurityTokenHandler GetSecurityTokenHandler(string requestedTokenType)
{
    MyCustomSecurityTokenHandler tokenHandler = new MyCustomSecurityTokenHandler();
    return tokenHandler;
}
```
I thought encryption was disabled by default? – 2011-04-03 22:45:55
No, the assertion is encrypted by default using the configured encrypting credentials. If I do not provide the certificate information, an exception is thrown. – elfebien 2011-04-04 14:32:06