What is the replacement of Microsoft.Web.Services3 in .NET Core that can authenticate with both Username and Signature?
Posted: 2021-01-15 15:35:09
Question: We are currently porting a SOAP client to .NET Core, but we have run into an authentication problem. From what we have found, it all comes down to adding a UsernameToken and a Signature to the SOAP header. In .NET Framework we authenticate like this:
WebServicesClientProtocol client;
X509SecurityToken token; // wraps the client certificate used for signing; obtained elsewhere
client.RequestSoapContext.Security.Tokens.Add(new UsernameToken("myusername", "mypassword", PasswordOption.SendPlainText));
client.RequestSoapContext.Security.Tokens.Add(token);
client.RequestSoapContext.Security.Elements.Add(new MessageSignature(token));
We added a WCF connected service to our .NET Core project and tried different client configurations. The closest we got is this:
// this adds UsernameToken only
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
var client = new MyClient(binding, new EndpointAddress("https://myservice.com/foo"));
client.ClientCredentials.UserName.UserName = "myusername";
client.ClientCredentials.UserName.Password = "mypassword";
---
// this adds Signature only
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
var client = new MyClient(binding, new EndpointAddress("https://myservice.com/foo"));
client.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "mycert");
Unfortunately, combining the two does not add both the UsernameToken and the Signature. We tried many other configuration variants, none of them successfully.
Our working SOAP request looks like this:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action wsu:Id="Id-867b67fc-b2c7-4ca3-bcbb-fdf74ae04baf">http://myservice.com/foo/services/my_request</wsa:Action>
<wsa:MessageID wsu:Id="Id-e8c0e394-e80f-453b-b5d6-10369c186b02">urn:uuid:1aad204d-a5f4-4b33-986c-56011dc27ade</wsa:MessageID>
<wsa:ReplyTo wsu:Id="Id-790537dd-870a-45e0-9873-427684db6ea1">
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To wsu:Id="Id-791bacd6-af9b-4c45-ad13-e7297a8c8ea2">https://myservice.com/foo/services/abcServices</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-6a6fb289-7878-413c-b88d-42f0522faa31">
<wsu:Created>2020-09-29T22:56:15Z</wsu:Created>
<wsu:Expires>2020-09-29T22:57:15Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-2cca8c34-352c-4301-8bb5-da46a8c70746">
<wsse:Username>myusername</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</wsse:Password>
<wsse:Nonce>ikb=nqrsp+OH=jEMDl+a1fgC</wsse:Nonce>
<wsu:Created>2020-09-29T22:56:15Z</wsu:Created>
</wsse:UsernameToken>
<wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-7068c9fb-9793-451e-b462-aedf192c57aa">DciPWRsnJhRAOZCeZAwGCV9OzzucIYwvgAVbX46MIQAZNGSgQBcNcEMDDylCc90RdwAV/9XwDB30mJgiV5M8o6ImCggQogABgp0XNTBJnrugnYIGIAj+QUZ0zZivg9Uu/0BxKScQqcGbK43AwEAgwjNPGQ+AXwBAQVMsgFA80OIsQ1IwIwzxGApSzX2A5gY0cVx9rjnMrv+9ctmoqELA91fAgVBcVkATBUTnwQZExrHfxzAwYxAL5jBrngrgK9A2YYDBFDCVrDajRrCdcHM5RQhIwPbBBWMQZTQCAtwuDBsOCkYJKwSbUjvx3Ypg7nTsskyJeP3DPYVtOxpUkEIRYwuisEwANlGMBzmWEbNxMRUQGL2R1/BPFCzXbC/RMMQAVAVlAFB4MwaXYwdopUdMSAzT4F00YswQLf6MMxWDWqlCFwQ98GdHE1K0MnS1weWa+FQ0DVXQVK/JwUukgHvfvplVBPScuWjQAEMMiTSEa94Y5ES5dNdafc5cKIbzbkJCGCsVxxAQl8guEdJQH0cWKC9gROZYqYYFVGjBPkmLi9QgaEpPdBToRtDgTacqty1XyBdhDY3ntJYyxMaAHDeI0KIdKvDBIMCsX2xA8bQ2O8pCdFwQ37GUy1bMfTul7+JQfyyFZknHuVxuiWvNUsoGo0sQn2H3NODdLjMpLgVp3P3MmNc9AuSBzQw3WAGzNR7FnB1fU4VaLzciAAHFiA1LMwbMoIH2FcB907QjFNy08c8BBDoSgdUIp+BxGKyHATeqmHHI7iRsX0BuNv1VuSfnrjAANIWoQNA97DAKnSId5IEG39SaSesXunHQUsCrAMvA9yjcSLjXAxUT7DD2iQgINBLuMmqCz1Y9zUQggC7/I5NUDXO94jAxUg1gVgZZHcbA53SMsA57VwCAUI6AslwA7pGHq2YwbwBTg0Mb+cnEZjA9SuGVeuDnHmVZxgUjWds5snOH+enkMA+BhTzNR7HGNM1AElK0BkfCrgwyqAq22kdc7DnUYGEISIaDm0NYIA1QwBf+J7dwXaBHLmcG7ANAClBXfAQQXAN0g2/zGgFYNKhcgK2HoggNlByd2T0md0Rje00BG9QZlY5DXFNEArT+BPw1TqHYGHEgJhupWG7tsDg/DjANqUVyVEWp4xVjOh9YDIuq8U0TqmD4HVNbbIi2rMTVhZACYoscERM5guBoW4b2u2CCArlFVw1MOELOETnJQKQGNWNaWNVVDjYTsCqMkbqwRU59ijlZIUzhKDFgk098vCDCIwUMhEdA0VYLJvhuNc0QRp9Lakposm9LTKPZAz7yiSF5gwGsjqMACBDwOQMSBEQAaMGN3HNYMFABJQDl1UAbCBZa5gbWwLNdHZhzaawoARcul0Cn6QPQT7BGZGdUcYAlFVMl6k1n3dB70JzcWMapJpZFlI6Bn3IB/RhGDMIQ3D3E/n9wbQZKMDEAbR3VB8WMGZ3lzuHTaUbo2wB5l8Z2I5kt2DsmG7+9DkEYCGCzFA1mGlnIRQmcLBwHJxMRNyPgt0r3XFbIg8+EgzmaFm0M9lbSUVmb5ExAL5++kWxjIzE2oco1kY8sdOtB8OBfQlMyPv9+rEZrz+EDCkxAAIAtkaDRAqwBHpnM7gZmlQObRtgkWhAEbHnQ0Uk9p6geUwqQFAW14vG9Jge/ALNNAdw0AFw0VXmRgCYpLVFFgQoYBWWYH4CBFGidBAAhlDK5/MAjcZMR7S3RRpwvYUNBEorAcNmw1BEv3AjNawWPoI0gANGAHxrAR7Qm6cDIGNoYBLzUCGDfdxASw5gt9wvaN0mPu+JMARO/VfAMd7GY0TGmdDgImtbIKWE6Nnw0bIFi1XCH9AIDH
b06Q8ufOxuxM0vz5IBnQLXWyEMQsRiJOBga4Mn0CBhQtciAwQmiqCqxAEj3ywDau2xAEvnEIOoEoxwyWQDHjYrCmSGUUbfM1Pd3WRYgAhTzYwz9fMF3AH0DcapF/IQdILuPBXxIpIGbbgwaCaM+LB4mZo5lBAROlBQrjYiYLjAVBU2zwH70EW49PAoA4GEwEpBIimD4ErDVLDk909BS8QH2y5Bq/BQMYOMIzUvbQkPOjR8EKRA0A+Gkvl8gMRwWYT17RipgAFENrrdSYsYooM5CdQAxs3NJRQLoegJRDcCMKAjjTWC4/AErgoTR1YmDdBBANzcP5ZVFUKOBEA3fvmkBQWnxOjBEjiQzSggLv+m12YsAjx0RdCqwW5VgUw=IAgRGRPVLWBIBVdNP0wWtHBt7esoiosjDDLAxhftDgMY78oWkxMM8lxRm</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#Id-157ede06-c0ff-4092-861c-74b7ed541bda">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>GMl851P/=af8OP8gf45n8xsL3fg/</DigestValue>
</Reference>
<Reference URI="#Id-ae995838-928a-452e-be22-633ca120855b">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>=VADYKMj8xOqZJZyReClqof3Ve3S</DigestValue>
</Reference>
<Reference URI="#Id-583f212c-afe0-4b2a-8f24-94a61ab01c11">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>OUa3ZYsm9=soUTrZ/51ko8YZ1UeX</DigestValue>
</Reference>
<Reference URI="#Id-3549607b-958f-4a73-887a-6e25c400368d">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>RCAWZo4o=R3wGfSUZhnA0VSxccEm</DigestValue>
</Reference>
<Reference URI="#Timestamp-814589a1-8fa8-4d05-bcb5-2cd5e59e4f95">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>nrSGxl2bQ6Ul2Wzgl27nb3ME8=p1</DigestValue>
</Reference>
<Reference URI="#Id-c4508205-7502-451a-b57c-ef3bae807828">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>IO5AN6rcQ7gmf+oyZ=YX+hcXamHa</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>wad2UgTSA/1JONW+s1gv/CVHJ85nwuRdakOx57Fpg+jS7R+LWHCAqXljtNS07OdFMHYrrpObgIIs5aSKXJfcdZy/bPuRkQKV=23GUMB3E90c2n42nHFn99ZqMGQJfHpukT71g1exbtlLwQgtCHq903ttBXEB/tkzvfKbQgbR+46gxRCjwlKiDvpUQBngcMOhyf8TZ6dgOWThIMZubJhzd7eXP5rLEl+L4qpOBosFJm6I5HcRSZaF/b/=4JT7U0KmCCLkEaUG+XdGmUyPcdLLGUpOhVh9P74rC7gBxnnyY9+djdu9qu7ibyRjGhngqjNOYu1wNI+Bi5ptK5vjgPwFa15H</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#SecurityToken-61f81057-6b05-43c1-9b51-75a9a554f9f0" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soap:Header>
<soap:Body wsu:Id="Id-82864924-6cd8-44d4-955d-cd6ed8bf8067">
<myRequest xmlns="http://myservice.com/foo/params">
<foo>12345</foo>
<bar>baz</bar>
</myRequest>
</soap:Body>
</soap:Envelope>
Any help is appreciated! Thanks!
Answer 1: Core does not support message-level security. You can either change the message-level security to transport-level security or use .NET Framework instead.
For more information about WCF on Core, see this link:
https://github.com/dotnet/wcf/blob/master/release-notes/SupportedFeatures-v2.1.0.md
Comments:
Thanks for your reply. What do you mean by "change the message-level security to transport-level"? Note that we have no control over the SOAP service we are calling.
WCF has two security modes, Message and Transport; Core does not support the Message security mode. For more information see this link: docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/…
If you cannot change the server's security mode, you can only use .NET Framework, because Core does not support the Message security mode.
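The captured request in the question carries a UsernameToken, a Timestamp, an X.509 BinarySecurityToken and a Signature in one wsse:Security header, the combination the WCF bindings above do not produce. As an added example (not code from the original post, WCF or WSE3), the following C# builds the BinarySecurityToken and Signature part by hand with System.Security.Cryptography.Xml over an envelope assumed to already contain the Timestamp and UsernameToken elements as shown; WsuSignedXml, WsSecuritySigner and the Id prefixes are names chosen here. It signs with RSA-SHA256 where the captured request uses rsa-sha1; swap the two algorithm URIs only if the service rejects SHA-256.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// SignedXml finds "#id" targets via a plain Id attribute; WS-Security uses wsu:Id, hence this override.
sealed class WsuSignedXml : SignedXml
{
    public WsuSignedXml(XmlDocument doc) : base(doc) { }
    public override XmlElement GetIdElement(XmlDocument doc, string id)
    {
        var nsm = new XmlNamespaceManager(doc.NameTable);
        nsm.AddNamespace("wsu", WsSecuritySigner.Wsu);
        // ids are GUIDs minted by WsSecuritySigner.Id, never caller input, so the XPath is not injectable
        return doc.SelectSingleNode($"//*[@wsu:Id='{id}']", nsm) as XmlElement ?? base.GetIdElement(doc, id);
    }
}
static class WsSecuritySigner
{
    public const string Wsu = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    const string Wsse = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    const string X509v3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static string Id(XmlElement e, string prefix) { var id = prefix + Guid.NewGuid(); e.SetAttribute("Id", Wsu, id); return id; }

    // Appends a BinarySecurityToken and a Signature over wsu:Timestamp and soap:Body to a <wsse:Security>
    // element that already carries the Timestamp and UsernameToken, mirroring the captured request.
    public static void Sign(XmlDocument env, X509Certificate2 cert)
    {
        var sec = (XmlElement)env.GetElementsByTagName("Security", Wsse)[0];
        var ts = (XmlElement)sec.GetElementsByTagName("Timestamp", Wsu)[0];
        var body = (XmlElement)env.GetElementsByTagName("Body", "http://schemas.xmlsoap.org/soap/envelope/")[0];
        var bst = (XmlElement)sec.AppendChild(env.CreateElement("wsse", "BinarySecurityToken", Wsse));
        bst.InnerText = Convert.ToBase64String(cert.RawData); // certificate only, never the private key
        bst.SetAttribute("ValueType", X509v3);
        bst.SetAttribute("EncodingType", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary");
        var sx = new WsuSignedXml(env) { SigningKey = cert.GetRSAPrivateKey() };
        sx.SignedInfo.CanonicalizationMethod = SignedXml.XmlDsigExcC14NTransformUrl;
        sx.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url; // the captured request still uses rsa-sha1
        foreach (var (el, prefix) in new[] { (ts, "Timestamp-"), (body, "Id-") })
        {
            var r = new Reference("#" + Id(el, prefix)) { DigestMethod = SignedXml.XmlDsigSHA256Url };
            r.AddTransform(new XmlDsigExcC14NTransform());
            sx.AddReference(r);
        }
        // KeyInfo points at the BinarySecurityToken by wsu:Id instead of embedding <X509Data>.
        var str = env.CreateElement("wsse", "SecurityTokenReference", Wsse);
        var tokRef = (XmlElement)str.AppendChild(env.CreateElement("wsse", "Reference", Wsse));
        tokRef.SetAttribute("URI", "#" + Id(bst, "SecurityToken-"));
        tokRef.SetAttribute("ValueType", X509v3);
        sx.KeyInfo.AddClause(new KeyInfoNode(str));
        sx.ComputeSignature();
        sec.AppendChild(env.ImportNode(sx.GetXml(), true));
    }
}
```

The GetIdElement override is the piece most often missed: without it SignedXml cannot resolve References to wsu:Id attributes and ComputeSignature fails with "Malformed reference element".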