在WCF服务上实现X509安全性时,不对加密体进行加密
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了在WCF服务上实现X509安全性时,不对加密体进行加密相关的知识,希望对你有一定的参考价值。
我为我的雇主实施了一个WCF服务和一个客户端应用程序,目前由于soap body元素而面临严重问题。问题是soap body没有加密,只有标头被加密。无论如何,肥皂请求,webconfigs以及我创建证书的方式都会提到你的参考......
WCF服务器配置......................
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" >
<security>
<message clientCredentialType="Certificate" establishSecurityContext ="true" />
</security>
</binding>
</wsHttpBinding>
<customBinding>
<binding name="CustomBinding">
<textMessageEncoding messageVersion="Soap11" />
<security authenticationMode="MutualCertificate" requireDerivedKeys="false"
includeTimestamp="true" keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSecurityContextCancellation="false">
<secureConversationBootstrap />
</security>
<httpTransport />
</binding>
</customBinding>
</bindings>
<services>
<service name="mysvc.MySvc" behaviorConfiguration="mysvc.Service1Behavior">
<endpoint address="" binding="customBinding" bindingConfiguration ="CustomBinding" contract="mysvc.IMySvc" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<host>
<baseAddresses>
<add baseAddress ="http://localhost:8888/" />
</baseAddresses>
</host>
</service>
</services>
<behaviors>
<endpointBehaviors>
<behavior name="inspectorBehavior">
<consoleOutputBehavior />
</behavior>
</endpointBehaviors>
<serviceBehaviors>
<behavior name="mysvc.Service1Behavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="false"/>
<serviceCredentials>
<serviceCertificate findValue="WCfServerCert"
storeLocation="LocalMachine"
storeName="My"
x509FindType="FindBySubjectName" />
<clientCertificate>
<authentication certificateValidationMode="None" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
WCF客户端配置.....................
<system.serviceModel>
<bindings>
<customBinding>
<binding name="CustomBinding_IMySvc">
<security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
requireSignatureConfirmation="false">
<localClientSettings cacheCookies="true" detectReplays="true"
replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
<localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
reconnectTransportOnFailure="true" maxPendingSessions="128"
maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
<secureConversationBootstrap />
</security>
<textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
messageVersion="Soap11" writeEncoding="utf-8">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
</textMessageEncoding>
<httpTransport manualAddressing="false" maxBufferPoolSize="524288"
maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
useDefaultWebProxy="true" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://localhost:8888/" binding="customBinding" behaviorConfiguration ="CustomBehavior"
bindingConfiguration="CustomBinding_IMySvc" contract="WCFProxy.IMySvc"
name="CustomBinding_IMySvc" >
<identity >
<dns value ="WCfServerCert"/>
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior name="CustomBehavior">
<clientCredentials>
<clientCertificate findValue="WCfClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<serviceCertificate>
<defaultCertificate findValue="WCfServerCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<authentication certificateValidationMode="None"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors >
</system.serviceModel>
CERTIFICATE创建命令...............................
makecert -n“CN = WCFServer”-r -sv WCFServer.pvk WCFServer.cer
makecert -n“CN = WCFClient”-r -sv WCFClient.pvk WCFClient.cer
makecert -sk WCFServerCert -in d: WCFServer.pvk -n“CN = WCFServerCert”-i d: WCFServer.cer -sr LocalMachine -ss My -sky exchange on on
makecert -en WCFClientCert -iv d: WCFClient.pvk -n“CN = WCFClientCert”-i d: WCFClient.cer -sr LocalMachine -ss My -sky exchange on on
这发生在我身上。我用来生成我的Web服务的工具(Web服务软件工厂)总是设置服务和操作的保护级别,并将它们设置为ProtectionLevel.None。最终的结果是我的svcutil配置文件将包含自定义绑定而不是简单的wsHttpBinding。
为了解决未加密的SOAP主体问题,我在操作和服务本身上将所有ProtectionLevel属性更改为EncryptAndSign。现在svcutil输出具有所需的wsHttpBinding(自定义绑定已消失)。使用fiddler测试显示正文已加密。
我本可以删除保护级别属性 - 对于wsHttpBinding,它具有相同的效果。但是由于这个代码是使用工具生成的,所以每次生成代码时我都必须这样做。
我希望这可以帮助别人。这个让我难过了一会儿。
你在谈论请求或回复机构吗?在任何情况下,至少看起来你的服务的绑定配置是将<security>元素中的mode属性设置为Message(即):
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" >
<security mode="Message">
<message clientCredentialType="Certificate" establishSecurityContext ="true" />
</security>
</binding>
</wsHttpBinding>
以上是关于在WCF服务上实现X509安全性时,不对加密体进行加密的主要内容,如果未能解决你的问题,请参考以下文章
如何在 Azure 应用服务中将 X509Certificate2 与 WCF 一起使用