让 WCF 接受未签名的“To”标头
我有一个使用 WSHttpBinding 的 WCF Web 服务。安全性是 TransportWithMessageCredential。我有一个连接到我的客户端正在发送一条 Soap 消息,其中标头中的 To 元素未签名。我的服务不喜欢这样,并抛出 System.ServiceModel.Security.MessageSecurityException 并显示消息“通过传输安全收到的消息具有未签名的‘To’标头”。我无法找到 WS-Security 规范中专门指定的元素的签名,但我看到建议使用它来防止重定向攻击。
那么有谁知道我是否可以配置我的 Web 服务不检查要签名的 To 元素?还有问题的另一面,但我无法更改此客户端与我的连接方式。
I have a WCF web service that is using WSHttpBinding. The security is TransportWithMessageCredential. I have a client connecting to me that is sending a Soap message with the To element in the header unsigned. My service doesn't like this and is throwing System.ServiceModel.Security.MessageSecurityException with the message "The message received over Transport security has unsigned 'To' header". I haven't been able to find the signing of the element specified specifically in the WS-Security spec but I have seen it recommended to prevent redirect attacks.
So does anyone know if there is anyway for me to configure my web service not to check for the To element to be signed? Also the other side of the issue but I cannot change how this client is connecting to me.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我们遇到了同样的问题,并联系了 Microsoft 支持人员。
他们为此发布了一个修补程序。
请参阅知识库文章
https://support.microsoft.com/en-us/kb/ 2974335
We've had the same issue, and contacted Microsoft support about it.
They released a hotfix for this.
See the KB article at
https://support.microsoft.com/en-us/kb/2974335