Disabling encryption in Windows Identity Foundation

Posted on 2024-10-30 00:09:21

Can I disable encryption of the request security token response and only manage signatures?

I'm creating a custom STS extending Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService based on the demos of the WIF SDK, and I cannot manage to set it up without using encryption.

Comments (2)

软糯酥胸 2024-11-06 00:09:22

I just ran the "Add STS Reference" wizard in Visual Studio, selecting the option to create a new STS. The template that the tool generated does add support for token encryption, but if no cert is supplied, then it is disabled (I left all the default comments):

protected override Scope GetScope( IClaimsPrincipal principal, RequestSecurityToken request )
{
    ValidateAppliesTo( request.AppliesTo );

    //
    // Note: The signing certificate used by default has a Distinguished name of "CN=STSTestCert",
    // and is located in the Personal certificate store of the Local Computer. Before going into production,
    // ensure that you change this certificate to a valid CA-issued certificate as appropriate.
    //
    Scope scope = new Scope( request.AppliesTo.Uri.OriginalString, SecurityTokenServiceConfiguration.SigningCredentials );

    string encryptingCertificateName = WebConfigurationManager.AppSettings[ "EncryptingCertificateName" ];
    if ( !string.IsNullOrEmpty( encryptingCertificateName ) )
    {
        // Important note on setting the encrypting credentials.
        // In a production deployment, you would need to select a certificate that is specific to the RP that is requesting the token.
        // You can examine the 'request' to obtain information to determine the certificate to use.
        scope.EncryptingCredentials = new X509EncryptingCredentials( CertificateUtil.GetCertificate( StoreName.My, StoreLocation.LocalMachine, encryptingCertificateName ) );
    }
    else
    {
        // If there is no encryption certificate specified, the STS will not perform encryption.
        // This will succeed for tokens that are created without keys (BearerTokens) or asymmetric keys.  
        scope.TokenEncryptionRequired = false;            
    }

    // Set the ReplyTo address for the WS-Federation passive protocol (wreply). This is the address to which responses will be directed. 
    // In this template, we have chosen to set this to the AppliesToAddress.
    scope.ReplyToAddress = scope.AppliesToAddress;

    return scope;
}

自控 2024-11-06 00:09:22

I create a CustomSecurityHandler and override its GetEncryptingCredentials method, returning a null value like the following lines, and it works:

public class MyCustomSecurityTokenHandler : Saml11SecurityTokenHandler
{
    public MyCustomSecurityTokenHandler() : base() { }

    // Returning null means the handler never attaches encrypting credentials,
    // so the issued SAML 1.1 token is signed but not encrypted.
    protected override EncryptingCredentials GetEncryptingCredentials(SecurityTokenDescriptor tokenDescriptor)
    {
        return null;
    }
}

Then in the SecurityTokenService class I override GetSecurityTokenHandler, returning the custom class created before:

protected override SecurityTokenHandler GetSecurityTokenHandler(string requestedTokenType)
{
    MyCustomSecurityTokenHandler tokenHandler = new MyCustomSecurityTokenHandler();

    return tokenHandler;
}
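Both answers disable encryption globally: the template's GetScope turns it off for every relying party as soon as the app setting is empty, and the custom handler returns null for every token regardless of what the scope asked for. The following is an added example (C#, not code from either answer or from the WIF SDK template) that combines the two mechanisms so that the decision is made per relying party and fails closed for unknown ones. It assumes WIF 3.5 (Microsoft.IdentityModel.dll) with the namespaces the answers use; the class names, the relying-party table, its addresses and certificate subject names are constructed placeholders, and the handler override only short-circuits the no-credentials case and otherwise defers to the base class.

```csharp
// Added example, not code from the thread or from the WIF SDK template.
// Assumes WIF 3.5 (Microsoft.IdentityModel.dll). Class names, RP addresses
// and certificate subject names below are constructed placeholders.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml11;

public class PerRelyingPartyEncryptionSts : SecurityTokenService
{
    // Constructed table: RP address -> subject DN of that RP's encryption certificate.
    // A null value records that the RP explicitly accepts signed-but-unencrypted tokens.
    private static readonly IDictionary<string, string> EncryptionCertificateByRp =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://rp-with-cert.example/", "CN=rp-with-cert.example" },
            { "https://rp-plaintext.example/", null },
        };

    public PerRelyingPartyEncryptionSts(SecurityTokenServiceConfiguration configuration)
        : base(configuration) { }

    // Scope-level decision, the mechanism the first answer's template uses.
    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
            throw new InvalidRequestException("The request must carry an AppliesTo address.");

        string rpAddress = request.AppliesTo.Uri.OriginalString;
        string certificateName;
        // Fail closed: an RP that is not in the table gets no token, not an unencrypted one.
        if (!EncryptionCertificateByRp.TryGetValue(rpAddress, out certificateName))
            throw new InvalidRequestException("Unknown relying party: " + rpAddress);

        Scope scope = new Scope(rpAddress, SecurityTokenServiceConfiguration.SigningCredentials);
        if (certificateName != null)
        {
            // Encrypt to this RP's own certificate; each RP gets its own key.
            scope.EncryptingCredentials =
                new X509EncryptingCredentials(FindEncryptionCertificate(certificateName));
            scope.TokenEncryptionRequired = true;
        }
        else
        {
            // Signed-only issuance: every claim is readable by whoever sees the token,
            // so confidentiality of the claims now rests entirely on TLS.
            scope.TokenEncryptionRequired = false;
        }
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }

    // Handler-level decision, the mechanism the second answer uses, narrowed so the
    // custom handler is only returned for the SAML 1.1 token types it understands.
    protected override SecurityTokenHandler GetSecurityTokenHandler(string requestedTokenType)
    {
        Saml11SecurityTokenHandler handler = new ScopeHonouringSaml11Handler();
        if (string.IsNullOrEmpty(requestedTokenType)
            || Array.IndexOf(handler.GetTokenTypeIdentifiers(), requestedTokenType) >= 0)
            return handler;
        return base.GetSecurityTokenHandler(requestedTokenType);
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // Minimal output identity so the class compiles; a real STS maps claims per RP here.
        return new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, principal.Identity.Name) });
    }

    // Looks the certificate up by subject DN in the machine's Personal store and only
    // accepts certificates that pass chain validation (validOnly = true).
    private static X509Certificate2 FindEncryptionCertificate(string subjectDistinguishedName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDistinguishedName, true);
            if (matches.Count != 1)
                throw new InvalidOperationException(
                    "Expected exactly one valid certificate for " + subjectDistinguishedName);
            return matches[0];
        }
        finally { store.Close(); }
    }
}

// Unlike the second answer's handler, which returns null for every token, this one skips
// encryption only when the scope deliberately supplied no encrypting credentials.
public class ScopeHonouringSaml11Handler : Saml11SecurityTokenHandler
{
    protected override EncryptingCredentials GetEncryptingCredentials(SecurityTokenDescriptor tokenDescriptor)
    {
        if (tokenDescriptor.EncryptingCredentials == null)
            return null;
        return base.GetEncryptingCredentials(tokenDescriptor);
    }
}
```

With this layout the per-RP table is the single place that says which relying parties receive encrypted tokens and which have agreed to signed-only issuance; a token for an address not in the table is refused rather than silently issued in the clear, and the handler never overrides a scope that did supply credentials.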