如何将 WCF 配置为仅签署时间戳标头
我正在尝试配置我的 WCF 客户端以创建包含 WS-Addressing、WS-Security 和 TLS 的 SOAP 1.1 请求。
安全要求是消息包含用户名令牌、时间戳,并且时间戳是使用包含的 BinarySecurityToken 进行签名的。
我已使用以下链接中的示例来创建我的 WCF 客户端绑定。我稍微修改了示例(见下文),以便使用 HTTPS 作为传输机制,并且 MessageSecurity 基于 UsernameOverTransport。
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
// the message security binding element will be configured to require 2 tokens:
// 1) A username-password encrypted with the service token
// 2) A client certificate used to sign the message
// Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
// Create supporting token parameters for the client X509 certificate.
X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
// Specify that the supporting token is passed in message send by the client to the service
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
// Turn off derived keys
clientX509SupportingTokenParameters.RequireDerivedKeys = false;
// Augment the binding element to require the client's X509 certificate as an endorsing token in the message
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);
// Create a CustomBinding based on the constructed security binding element.
return new CustomBinding(messageSecurity, httpsTransport);
该客户端生成的 SOAP 消息非常接近满足我正在调用的服务的要求,唯一的问题是 wsa:To 地址以及时间戳地址都已签名。
有没有办法准确指定哪些 WCF 标头已签名?因为我需要限制客户端仅签署时间戳标头。
I am trying to configure my WCF client to create a SOAP 1.1 request that includes WS-Addressing, WS-Security and TLS.
The security requirements are that the message includes a Username Token, TimeStamp and that the TimeStamp is signed using an included BinarySecurityToken.
I have used the example from the following link to create my WCF client binding. I have slightly modified the the example (see below) so that HTTPS is used as the transport mechanism and the MessageSecurity is based on UsernameOverTransport.
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
// the message security binding element will be configured to require 2 tokens:
// 1) A username-password encrypted with the service token
// 2) A client certificate used to sign the message
// Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
// Create supporting token parameters for the client X509 certificate.
X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
// Specify that the supporting token is passed in message send by the client to the service
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
// Turn off derived keys
clientX509SupportingTokenParameters.RequireDerivedKeys = false;
// Augment the binding element to require the client's X509 certificate as an endorsing token in the message
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);
// Create a CustomBinding based on the constructed security binding element.
return new CustomBinding(messageSecurity, httpsTransport);
The SOAP messages that are generated by this client are very close to meeting the requirements of the service I am calling, the only issue is that the wsa:To address is being signed as well as the TimeStamp address.
Is there a way to specify exactly which WCF headers are signed? As I need to restrict the client only sign the TimeStamp header.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
使用自定义消息标头,您可以执行以下操作:
但我不认为这适合您的情况,因为您尝试签署由自定义绑定插入的肥皂标头。要修改这些标头,您可能需要实现 IClientMessageInspector 接口 和将自定义行为添加到客户端配置以对时间戳标头进行签名。不确定如何访问证书来进行签名,但是这可能会给你一个很好的帮助开始。
With custom message headers you can do this:
But I don't believe that will work with your situation since your attempting to sign a soap header that is inserted by your custom binding. To modify these headers you'll likely need to implement the IClientMessageInspector interface and add a custom behavior to the client configuration to sign the TimeStamp header. Not sure how you would access the certificate to do the signing but this may give you a good start.
我知道这是一个老问题,但我已经被问过几次了。
我设法通过将 messageVersion 指定为 Soap11 而不是 Soap11WSAddressing10 来实现此目的,然后手动添加 WS-Addressing 标头,从而避免了手动实现签名机制的需要。
I know it's an old question but I've been asked about this a couple of times.
I managed to achieve this by specifying the messageVersion as Soap11 instead of Soap11WSAddressing10 and then manually adding the WS-Addresing headers afterwards which avoided the need to manually implement the signing mechanism.