WCF calling a WSE 2.0 WS-Security service with inline security tokens in the response - "Cannot find a token authenticator"
I have a web service in .NET 1.1 and WSE 2.0 that uses WS-Security with x509 certificates for both signature and encryption. I'm trying to configure a WCF client to connect with this service, and it's proving more challenging than I had expected.
I've gotten past most of my versioning issues by using a custom binding, but I'm stuck on one last point. The web service includes two BinarySecurityToken elements in the response SOAP envelope -- one for the encrypting certificate, one for the signing certificate.
The problem seems to be that WCF is choking on the second token. This is the error message:
"Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings."
I found this conversation on MSDN which describes the exact problem I'm having; but unfortunately, it doesn't provide a good resolution. Creating a message encoder to hack the envelope into something WCF can handle seems wrong to me. WSE 2.0 could handle inline security tokens fine -- there must be a way to force WCF to do the same.
While I do have the complete source for the original WSE 2.0 service, changing the way it handles security isn't an option at this point.
Here's the security binding element I'm currently using:
' Asymmetric (mutual X.509) message security: the client protects with its own
' certificate, the service with the service certificate.
Dim lSBE As New System.ServiceModel.Channels.AsymmetricSecurityBindingElement()

' Initiator (client) token: our X.509 certificate, always sent to the service,
' referenced as a raw BinarySecurityToken rather than by thumbprint/SKI.
Dim lInitiatorTokenParameters As New System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
lInitiatorTokenParameters.InclusionMode = System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode.AlwaysToRecipient
lInitiatorTokenParameters.X509ReferenceStyle = System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType.RawDataKeyIdentifier
lInitiatorTokenParameters.RequireDerivedKeys = False
lSBE.InitiatorTokenParameters = lInitiatorTokenParameters

' Recipient (service) token: the service certificate, referenced the same way.
Dim lRecipientTokenParameters As New System.ServiceModel.Security.Tokens.X509SecurityTokenParameters
lRecipientTokenParameters.InclusionMode = System.ServiceModel.Security.Tokens.SecurityTokenInclusionMode.AlwaysToRecipient
lRecipientTokenParameters.X509ReferenceStyle = System.ServiceModel.Security.Tokens.X509KeyIdentifierClauseType.RawDataKeyIdentifier
lRecipientTokenParameters.RequireDerivedKeys = False
lSBE.RecipientTokenParameters = lRecipientTokenParameters

' WS-Security 1.0 (BinarySecurityToken style the WSE 2.0 service emits);
' Basic128Rsa15 = AES-128 with RSA PKCS#1 v1.5 key transport, no derived keys.
lSBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
lSBE.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15
lSBE.SetKeyDerivation(False)
' Signed timestamp gives the message freshness/replay protection.
lSBE.IncludeTimestamp = True
' Let the reply carry the service's signing token inline instead of a reference.
lSBE.AllowSerializedSigningTokenOnReply = True
' Sign first, then encrypt (the signature is inside the encrypted body).
lSBE.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt
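The posted element is only the security piece of the custom binding. The following is an added example written for this page, not code from the original post and not a fix for the error above: it shows one way to wire that element into a complete CustomBinding and ChannelFactory with the client and service certificates configured and the service certificate actually validated. The service contract IWseService, the endpoint URL, the certificate subject names and the MessageVersion are all assumptions; the MessageVersion in particular has to match whatever the WSE 2.0 service expects.

```vbnet
' Added example (not from the original post). Everything named below
' (IWseService, the URL, the certificate subject names, MessageVersion.Soap11)
' is a hypothetical placeholder for the reader's own environment.
Imports System.ServiceModel
Imports System.ServiceModel.Channels
Imports System.ServiceModel.Security
Imports System.ServiceModel.Security.Tokens
Imports System.Security.Cryptography.X509Certificates
Imports System.Text

<ServiceContract(Namespace:="http://example.invalid/wse")>
Public Interface IWseService
    <OperationContract(Action:="http://example.invalid/wse/Ping", ReplyAction:="*")>
    Function Ping(ByVal message As String) As String
End Interface

Public Module WseClientBinding

    ' The security element, built as in the question.
    Private Function BuildSecurityElement() As AsymmetricSecurityBindingElement
        Dim lSBE As New AsymmetricSecurityBindingElement()

        Dim lInitiator As New X509SecurityTokenParameters()
        lInitiator.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        lInitiator.X509ReferenceStyle = X509KeyIdentifierClauseType.RawDataKeyIdentifier
        lInitiator.RequireDerivedKeys = False
        lSBE.InitiatorTokenParameters = lInitiator

        Dim lRecipient As New X509SecurityTokenParameters()
        lRecipient.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
        lRecipient.X509ReferenceStyle = X509KeyIdentifierClauseType.RawDataKeyIdentifier
        lRecipient.RequireDerivedKeys = False
        lSBE.RecipientTokenParameters = lRecipient

        lSBE.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
        ' AES-128 with RSA PKCS#1 v1.5 key transport: an interop requirement of
        ' the legacy service, not something to pick for a new design.
        lSBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15
        lSBE.SetKeyDerivation(False)
        lSBE.IncludeTimestamp = True
        lSBE.AllowSerializedSigningTokenOnReply = True
        lSBE.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt
        Return lSBE
    End Function

    Public Function BuildBinding() As CustomBinding
        ' ASSUMPTION: SOAP 1.1 without WS-Addressing. Use the MessageVersion
        ' that got you past the versioning issues with the WSE 2.0 service.
        Dim lEncoding As New TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8)
        Dim lTransport As New HttpTransportBindingElement()
        ' Element order matters: security, then encoding, then transport.
        Return New CustomBinding(BuildSecurityElement(), lEncoding, lTransport)
    End Function

    Public Function CreateFactory() As ChannelFactory(Of IWseService)
        Dim lFactory As New ChannelFactory(Of IWseService)( _
            BuildBinding(), New EndpointAddress("http://legacy.example.invalid/WseService.asmx"))

        ' Client certificate (with private key): signs requests, decrypts replies.
        lFactory.Credentials.ClientCertificate.SetCertificate( _
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "wcf-client")

        ' Service certificate: encrypts requests and is the expected signer of replies.
        lFactory.Credentials.ServiceCertificate.SetDefaultCertificate( _
            StoreLocation.LocalMachine, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "wse-service")

        ' Keep real validation on. Setting CertificateValidationMode to None
        ' silences errors but lets any certificate sign the response.
        With lFactory.Credentials.ServiceCertificate.Authentication
            .CertificateValidationMode = X509CertificateValidationMode.ChainTrust
            .RevocationMode = X509RevocationMode.Online
        End With
        Return lFactory
    End Function

    Public Sub Run()
        Dim lFactory As ChannelFactory(Of IWseService) = CreateFactory()
        Dim lChannel As IWseService = lFactory.CreateChannel()
        Try
            Console.WriteLine(lChannel.Ping("hello"))
            CType(lChannel, IClientChannel).Close()
        Catch ex As MessageSecurityException
            ' The "Cannot find a token authenticator" failure surfaces here.
            ' Enable System.ServiceModel message logging at transport level to
            ' inspect the reply envelope and its BinarySecurityToken elements.
            Console.Error.WriteLine(ex.Message)
            CType(lChannel, IClientChannel).Abort()
        End Try
    End Sub
End Module
```

Call `WseClientBinding.Run()` from a console project that references System.ServiceModel. The certificate lookups are by subject name only for brevity; in production, pin by thumbprint (X509FindType.FindByThumbprint) so a second certificate with the same subject in the store cannot be selected.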