2013-06-24 91 views
0

WCF client consuming an ASMX service with WS-Security

I have an ASMX web service (SOAP 1.1) that requires all SOAP requests to be signed using WS-Security with a certificate (private key).

When the ASMX service receives the request, it verifies it using the certificate's public key. Once the operation completes, the response sent back to the client will NOT be signed!

That is the security requirement...

I created the proxy via "Add Service Reference", and the client's app.config is:

<?xml version="1.0" encoding="utf-8"?> 
<configuration> 
    <system.serviceModel> 
    <client> 
     <endpoint 
     name="endpoint1" 
     address="http://1.1.1.1/Test.asmx" 
     binding="wsHttpBinding" 
     bindingConfiguration="WSHttpBinding_ITest" 
     behaviorConfiguration="TestBehavior" 
     contract="ITest" > 
     </endpoint> 
    </client> 

    <bindings> 
     <wsHttpBinding> 
     <binding name="WSHttpBinding_ITest"> 
      <security mode="Message"> 
      <message clientCredentialType="Certificate" /> 
      </security> 
     </binding> 
     </wsHttpBinding> 
    </bindings> 

    <behaviors> 
     <endpointBehaviors> 
     <behavior name="TestBehavior"> 
      <clientCredentials> 
      <clientCertificate storeLocation="LocalMachine" storeName="My" 
           x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" /> 

      </clientCredentials> 
     </behavior> 
     </endpointBehaviors> 
    </behaviors> 
    </system.serviceModel> 
</configuration> 

Given the scenario I described:

  1. Am I using the correct binding?

  2. Should the clientCredentialType value be 'Certificate' or 'None'?

  3. Is the 'serviceCertificate' tag needed?

  4. What is the correct configuration for my scenario?

If you know of any useful links that apply to my scenario, please share them.

Thanks in advance :)




EDIT #1:

Request:

<?xml version="1.0" encoding="utf-8"?> 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <soap:Header> 
     <wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action> 
     <wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID> 
     <wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54"> 
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address> 
     </wsa:ReplyTo> 
     <wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70"> 
      <wsa:Address>http://.../TestOperation</wsa:Address> 
     </wsa:To> 
     <wsse:Security soap:mustUnderstand="1" > 
      <wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685"> 
       <wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created> 
       <wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires> 
      </wsu:Timestamp> 
      <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
             EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
             wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken> 
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /> 
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
        <Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>wRUq.........</DigestValue> 
        </Reference> 
        <Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>8gIo.........</DigestValue> 
        </Reference> 
        <Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>zx4h.........</DigestValue> 
        </Reference> 
        <Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>UjdN.........</DigestValue> 
        </Reference> 
        <Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>34ff.........</DigestValue> 
        </Reference> 
         <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>ss67.........</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>tBSsaZi........</SignatureValue> 
       <KeyInfo> 
        <wsse:SecurityTokenReference> 
         <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" 
             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> 
        </wsse:SecurityTokenReference> 
       </KeyInfo> 
      </Signature> 
     </wsse:Security> 
    </soap:Header> 
    <soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b"> 
     ... 
    </soap:Body> 
</soap:Envelope> 

Response:

<?xml version="1.0" encoding="utf-8"?> 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <soap:Header> 
    <wsa:Action>http://.../TestOperationResponse</wsa:Action> 
    <wsa:MessageID>YYYYYYYYYY</wsa:MessageID> 
    <wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo> 
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To> 
    <wsse:Security> 
     <wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80"> 
     <wsu:Created>2002-08-22T00:26:15Z</wsu:Created> 
     <wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires> 
     </wsu:Timestamp> 
    </wsse:Security> 
    </soap:Header> 
    <soap:Body> 
    <Response> 
     ... 
    </Response> 
    </soap:Body> 
</soap:Envelope> 




EDIT #2:

The generated request:

<?xml version="1.0" encoding="utf-8"?> 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" 
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
    <soap:Header> 
     <a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action> 
     <a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID> 
     <a:ReplyTo u:Id="_4"> 
      <a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address> 
     </a:ReplyTo> 
     <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData> 
     <a:To soap:mustUnderstand="1" u:Id="_5"> 
      <a:Address>http://1.1.1.1/Test.asmx</a:Address> 
     </a:To> 
     <o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1"> 
       <u:Created>2002-08-22T00:26:15Z</u:Created> 
       <u:Expires>2002-08-22T00:31:15Z</u:Expires> 
      </u:Timestamp> 
      <o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" 
            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken> 
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
       <SignedInfo> 
         <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
        <Reference URI="#_1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>wRUq.........</DigestValue> 
        </Reference> 
        <Reference URI="#_2"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>8gIo.........</DigestValue> 
        </Reference> 
        <Reference URI="#_3"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>zx4h.........</DigestValue> 
        </Reference> 
        <Reference URI="#_4"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>UjdN.........</DigestValue> 
        </Reference> 
        <Reference URI="#_5"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>34ff.........</DigestValue> 
        </Reference> 
        <Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1"> 
         <Transforms> 
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
         </Transforms> 
         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
         <DigestValue>ss67.........</DigestValue> 
        </Reference> 
       </SignedInfo> 
       <SignatureValue>tBSsaZi........</SignatureValue> 
       <KeyInfo> 
        <o:SecurityTokenReference> 
         <o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" 
             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" /> 
        </o:SecurityTokenReference> 
       </KeyInfo> 
      </Signature> 
     </o:Security> 
    </soap:Header> 
    <soap:Body u:Id="_1"> 
     ... 
    </soap:Body> 
</soap:Envelope> 

The problems with this request are:

  1. Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (ASMX proxy) vs. Id="_2" (WCF proxy)
  2. The presence of the 'VsDebuggerCausalityData' tag. How do I get rid of it?
  3. Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (ASMX proxy) vs. Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
  4. The 'Created' and 'Expires' tags inside the Timestamp have no Id attribute.
  5. BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (ASMX proxy) vs. Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)


The fault I get when I call the ASMX service:

<?xml version="1.0" encoding="utf-8"?> 
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"> 
    <soap:Header> 
    <wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action> 
    <wsa:MessageID>YYYYYYYYYY</wsa:MessageID> 
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To> 
    </soap:Header> 
    <soap:Body> 
    <soap:Fault> 
     <faultcode>soap:Server</faultcode> 
     <faultstring> 
      System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'. 
      at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType) 
      at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken() 
      at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion) 
      at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context) 
      at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context) 
      at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context) 
      at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient) 
      at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline() 
      at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message) 
      at System.Web.Services.Protocols.SoapServerProtocol.Initialize() 
      at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing) 
      --- End of inner exception stack trace --- 
      --- End of inner exception stack trace --- 
     </faultstring> 
     <faultactor>http://1.1.1.1/Test.asmx</faultactor> 
    </soap:Fault> 
    </soap:Body> 
</soap:Envelope> 

I think the problem is on the server, because the 'xxx' findValue is associated with the server and not with my client certificate. How can I solve this?

+0

Please provide a sample working SOAP request and response –

+0

It doesn't work... :( – Sash

+0

Does the asmx service not work with any client? Try first to build a working .NET 2 web service (not WCF) client, or use soapUI to get working samples –
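An added example, not part of the original question or of either proxy's code: a structural check of what the WS-Security signature in a request actually covers, written against the layout of the WSE3 request in EDIT #1. It does not verify the RSA signature itself (that needs the certificate); it checks that every ds:Reference resolves to exactly one wsu:Id, that soap:Body, wsu:Timestamp and the WS-Addressing headers are among the referenced elements, and that KeyInfo points at the BinarySecurityToken carried in the same header. Duplicate wsu:Id values are reported because they make a Reference ambiguous, which is the usual foothold for XML signature wrapping. The sample envelope is constructed for this example; its digest and signature values are placeholders, and its Body deliberately carries a wsu:Id that no Reference names, so the check reports it. Since a Reference to the Timestamp's wsu:Id digests the whole Timestamp element including its children, the missing Ids on Created and Expires (problem 4 above) do not by themselves affect verification.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class WsSecurityCoverage
{
    static readonly XNamespace Soap = "http://schemas.xmlsoap.org/soap/envelope/";
    static readonly XNamespace Wsa  = "http://schemas.xmlsoap.org/ws/2004/08/addressing";
    static readonly XNamespace Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static readonly XNamespace Wsu  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static readonly XNamespace Ds   = "http://www.w3.org/2000/09/xmldsig#";

    // Returns the coverage problems found; an empty list means the signature
    // references everything the MutualCertificate policy relies on.
    public static List<string> Check(string envelopeXml)
    {
        var problems = new List<string>();
        var doc = XDocument.Parse(envelopeXml);
        var header = doc.Root.Element(Soap + "Header");
        var security = header?.Element(Wsse + "Security");
        var signature = security?.Element(Ds + "Signature");
        if (signature == null)
        {
            problems.Add("no ds:Signature inside wsse:Security");
            return problems;
        }

        // Index every wsu:Id in the message. A duplicated Id makes any Reference
        // to it ambiguous, so it is reported instead of silently picking one.
        var byId = new Dictionary<string, XElement>();
        foreach (var e in doc.Descendants())
        {
            var id = (string)e.Attribute(Wsu + "Id");
            if (id == null) continue;
            if (byId.ContainsKey(id)) problems.Add("wsu:Id '" + id + "' is not unique");
            else byId[id] = e;
        }

        // Resolve each Reference URI ("#id") to the element it signs.
        var signed = new HashSet<XElement>();
        foreach (var r in signature.Element(Ds + "SignedInfo").Elements(Ds + "Reference"))
        {
            var uri = (string)r.Attribute("URI") ?? "";
            XElement target;
            if (uri.StartsWith("#") && byId.TryGetValue(uri.Substring(1), out target))
                signed.Add(target);
            else
                problems.Add("Reference URI '" + uri + "' does not resolve to a wsu:Id");
        }

        var body = doc.Root.Element(Soap + "Body");
        if (body == null || !signed.Contains(body)) problems.Add("soap:Body is not signed");
        var timestamp = security.Element(Wsu + "Timestamp");
        if (timestamp == null || !signed.Contains(timestamp)) problems.Add("wsu:Timestamp is not signed");
        foreach (var name in new[] { "Action", "MessageID", "ReplyTo", "To" })
        {
            var h = header.Element(Wsa + name);
            if (h != null && !signed.Contains(h)) problems.Add("wsa:" + name + " is present but not signed");
        }

        // KeyInfo must point at the X.509 token carried in this same header.
        var token = security.Element(Wsse + "BinarySecurityToken");
        var tokenRef = signature.Element(Ds + "KeyInfo")
            ?.Element(Wsse + "SecurityTokenReference")?.Element(Wsse + "Reference");
        var expected = token == null ? null : "#" + (string)token.Attribute(Wsu + "Id");
        if (expected == null || (string)tokenRef?.Attribute("URI") != expected)
            problems.Add("KeyInfo does not reference the BinarySecurityToken in the header");

        return problems;
    }

    // Constructed sample in the layout of the WSE3 request above. Digests and the
    // signature value are placeholders; the Body Id is deliberately left unreferenced.
    const string Sample = @"<soap:Envelope
  xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'
  xmlns:wsa='http://schemas.xmlsoap.org/ws/2004/08/addressing'
  xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
  xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
  xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <soap:Header>
    <wsa:Action wsu:Id='Id-1'>urn:TestOperation</wsa:Action>
    <wsa:To wsu:Id='Id-2'>http://1.1.1.1/Test.asmx</wsa:To>
    <wsse:Security soap:mustUnderstand='1'>
      <wsu:Timestamp wsu:Id='Timestamp-1'>
        <wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
        <wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken wsu:Id='SecurityToken-1'>MIICeDCC...kE9</wsse:BinarySecurityToken>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI='#Id-1'><ds:DigestValue>wRUq</ds:DigestValue></ds:Reference>
          <ds:Reference URI='#Id-2'><ds:DigestValue>8gIo</ds:DigestValue></ds:Reference>
          <ds:Reference URI='#Timestamp-1'><ds:DigestValue>34ff</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>tBSsaZi</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference><wsse:Reference URI='#SecurityToken-1'/></wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body wsu:Id='Body-1'>...</soap:Body>
</soap:Envelope>";

    static void Main()
    {
        // Reports each coverage problem found in the sample, one per line.
        foreach (var p in Check(Sample)) Console.WriteLine(p);
    }
}
```

Run it against a captured request from either proxy (the WSE3 one in EDIT #1 or the WCF one in EDIT #2) to see which parts of the message each side actually signs; the Id naming differences listed above are irrelevant to this check, since only resolution of each Reference to a unique element matters.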

Answer

1

Try this binding:

  <customBinding> 
       <binding name="NewBinding0"> 
        <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" /> 
        <security authenticationMode="MutualCertificate"> 
         <secureConversationBootstrap /> 
        </security> 
        <httpTransport /> 
       </binding> 
      </customBinding> 

You will need to define both the client and the server certificate in the WCF proxy; if you don't know the server certificate, just define a dummy one. You also need to change the protection level for your proxy so that it does not encrypt the body:

[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)] 

This post summarizes some other problems you may run into.

+0

Thanks a lot! The ASMX service does not use a certificate to sign the responses to its clients. So what do you mean when you write "just define a dummy one"? – Sash

+1

In the WCF proxy you can configure both the client and the server certificate. You don't have a server certificate, but in the current setup WCF will need something in its place (it won't be used), so just configure the same certificate as the client certificate (or any other certificate - it won't be used). You configure this on your client proxy, not on the server –

+0

Thanks. I ran into Confusion 8, as you describe in your post... Changing the proxy's protection level did not help. I know I can change the contract's protection level, but of course I don't have access to it. – Sash
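The answer's customBinding, the client certificate, the placeholder service certificate and the Sign-only protection level, built in code instead of app.config. This is an added example and not code from the original answer or from the poster's project. It assumes the proxy interface ITest generated by "Add Service Reference" (the contract named in the question's config); the address and thumbprint are the question's placeholders. Setting ProtectionLevel on the ChannelFactory's ContractDescription is the programmatic equivalent of the ServiceContractAttribute change in the answer and needs no edit to the generated Reference.cs, which is the constraint raised in the last comment. The MessageSecurityVersion is an assumption chosen to match the WS-Security 1.0 (wss 2004/01) namespaces of the WSE3 request in EDIT #1.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Text;

static class SignedAsmxClient
{
    // Same stack as the answer's <customBinding>: MutualCertificate message security,
    // SOAP 1.1 + WS-Addressing 2004/08 text encoding, plain HTTP transport.
    public static Binding CreateBinding()
    {
        // WS-Security 1.0 / Basic Security Profile 1.0 (assumption: matches the wss 2004/01
        // namespaces the WSE3 service emits). secureConversationBootstrap from the config
        // only applies to SecureConversation modes, so nothing is set for it here.
        var security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
        security.IncludeTimestamp = true; // the service expects a signed wsu:Timestamp

        var encoding = new TextMessageEncodingBindingElement(
            MessageVersion.Soap11WSAddressingAugust2004, Encoding.UTF8);

        return new CustomBinding(security, encoding, new HttpTransportBindingElement());
    }

    // ITest is the contract generated by "Add Service Reference" (see the question's config).
    public static ChannelFactory<ITest> CreateFactory(string address, string clientThumbprint)
    {
        var factory = new ChannelFactory<ITest>(CreateBinding(), new EndpointAddress(address));

        // Sign the body but do not encrypt it. Changing the runtime ContractDescription
        // has the same effect as ProtectionLevel=Sign on the ServiceContractAttribute
        // and must happen before the factory is opened (CreateChannel opens it).
        factory.Endpoint.Contract.ProtectionLevel = ProtectionLevel.Sign;

        // The signing key: the client certificate with its private key, found by thumbprint.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);

        // MutualCertificate requires a service certificate even though this ASMX service
        // never signs its responses; the answer's "dummy" is the client certificate reused.
        var service = factory.Credentials.ServiceCertificate;
        service.SetDefaultCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);
        // It is a placeholder, so do not let WCF chain-validate it. Do not carry this
        // setting into a deployment where the service really does sign its replies.
        service.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;

        return factory;
    }

    static void Main()
    {
        var factory = CreateFactory("http://1.1.1.1/Test.asmx", "xxxxxxxxxxxxxxx");
        ITest client = factory.CreateChannel();
        try
        {
            // Call the generated operation here, e.g. client.TestOperation(...);
            // its parameters come from the generated proxy and are not shown on the page.
        }
        finally
        {
            ((IClientChannel)client).Close();
            factory.Close();
        }
    }
}
```

The page's own data limits what this can promise: the response in EDIT #1 carries no signature, and the last comment reports that lowering the protection level alone did not fix the call. The example follows the answer's proposal (client certificate, placeholder service certificate, Sign-only contract) and does nothing further about the unsigned reply.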