NServiceBus: Message-level encryption
I have the requirement that the content of all messages must be encrypted in some way. For the actual encryption, I can probably leverage the built-in X.509 encryption.
However, I'm wondering what the best way to do message-level encryption is, without having to modify the messages themselves (so no WireEncryptedString). I can see that the latest version in development will offer some more support for this in the form of IMutateOutgoingMessages, IMutateIncomingMessages and IMapOutgoingTransportMessages. Especially the last one is interesting as it gets passed a Stream that I'll be able to encrypt in its entirety (right?). I've seen this approach used here and he correctly mentions that there is no IMapIncomingTransportMessages, so how would I go about decrypting the encrypted message on the receiving side without modifying NServiceBus code, or is that currently the only option until that gets fleshed out?
However, that's the future version of NServiceBus and I don't think it's a good idea to use that in a production scenario right now. How would I go about doing this in 2.0? To me, the best way seems to be to write a custom EncryptedSerializer that gets passed in IMessageSerializer and basically just wraps the Serialize and Deserialize methods of that IMessageSerializer.
What I currently have:
    public class EncryptedSerializer : IMessageSerializer
    {
        [Inject]
        public MessageSerializer Serializer { get; set; }

        public IMessage[] Deserialize(System.IO.Stream stream)
        {
            // decrypt magic happens here
            return Serializer.Deserialize(stream);
        }

        public void Serialize(IMessage[] messages, System.IO.Stream stream)
        {
            Serializer.Serialize(messages, stream);
            // encrypt magic happens here
        }
    }
But I can't figure out how to set up the NServiceBus configuration so that it gets passed in an XmlSerializer that is correctly configured/injected as well. I've looked at the .XmlSerializer() extension method and tried to replicate that, but with no luck. And ideally, I would want to have just an IMessageSerializer instead of the concrete XML serializer, but that's of lesser concern.
I use Ninject and the Ninject object builder for NServiceBus from here: gist.github.com/326321. But I'm not sure if that's important.
Comments (1)
If you're willing to give up having another message serializer injected into your own serializer and just wrap the concrete XML serializer, it would be easier. You'd also need to expose additional properties (the ones on the XML serializer) and then pass those through.
I know that this isn't particularly elegant and that's why we're improving the extensibility story in the next version to allow you to plug in encryption without fiddling with the serializer.
All that being said, it's likely that you don't need encryption between all endpoints, but rather only between those communicating outside the LAN. For those cases, you can use the Gateway process that comes with NServiceBus which enables HTTP-based communication which can then be configured to go over HTTPS. This solution would require less coding but would involve another process in your deployment.
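One way to fill in the two "magic" placeholders from the question, as an added example that is not the asker's or the NServiceBus project's code: it wraps an IMessageSerializer in a CMS (PKCS#7) envelope encrypted to an X.509 certificate. The constructor parameters, the AES-256-CBC choice and the NServiceBus.Serialization namespace are assumptions, and registering the wrapper with the container is not shown.

```csharp
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;              // needs a reference to System.Security.dll
using System.Security.Cryptography.X509Certificates;
using NServiceBus;
using NServiceBus.Serialization;                      // assumed namespace of IMessageSerializer in 2.0

public class EncryptedSerializer : IMessageSerializer
{
    private const string Aes256Cbc = "2.16.840.1.101.3.4.1.42"; // OID for AES-256-CBC

    private readonly IMessageSerializer inner;   // the serializer being wrapped (hypothetical wiring)
    private readonly X509Certificate2 recipient; // needs its private key on the receiving endpoint

    public EncryptedSerializer(IMessageSerializer inner, X509Certificate2 recipient)
    {
        this.inner = inner;
        this.recipient = recipient;
    }

    public void Serialize(IMessage[] messages, Stream stream)
    {
        // Serialize into a private buffer first, so no plaintext ever reaches the transport stream.
        byte[] plaintext;
        using (var buffer = new MemoryStream())
        {
            inner.Serialize(messages, buffer);
            plaintext = buffer.ToArray();
        }
        var cms = new EnvelopedCms(new ContentInfo(plaintext),
                                   new AlgorithmIdentifier(new Oid(Aes256Cbc)));
        cms.Encrypt(new CmsRecipient(recipient));
        byte[] envelope = cms.Encode();
        stream.Write(envelope, 0, envelope.Length);
    }

    public IMessage[] Deserialize(Stream stream)
    {
        // Read the whole envelope; Stream.Read may return fewer bytes than requested.
        var envelope = new MemoryStream();
        var chunk = new byte[4096];
        int read;
        while ((read = stream.Read(chunk, 0, chunk.Length)) > 0)
            envelope.Write(chunk, 0, read);

        var cms = new EnvelopedCms();
        cms.Decode(envelope.ToArray());
        cms.Decrypt(new X509Certificate2Collection(recipient)); // throws CryptographicException on failure
        return inner.Deserialize(new MemoryStream(cms.ContentInfo.Content));
    }
}
```

EnvelopedCms gives confidentiality only: anyone holding the public certificate can produce a valid envelope, so a successful decrypt does not authenticate the sender.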