WCF 证书自定义验证 - 向客户端发送异常消息
我有一个简单的 WCF 服务,配置了传输安全性和证书客户端凭据。 我将一个自定义证书验证器插入其中,并抛出一个FaultException。 我的问题是 esception 消息未到达客户端:我只收到 MessageSecurityException,没有任何错误... 如果我将我的服务转入 net.tcp(自托管),我会收到 CommunicationExcetion,也没有故障。
这是我的 web.config 的一部分:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" messageEncoding="Text">
<reliableSession enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="SecureService.Server.ChunkStreamService">
<endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" behaviorConfiguration="myBehavior" name="wsHttpEndPoint" contract="SecureService.Server.IChunkStreamService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="myBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication customCertificateValidatorType="SecureService.Server.CPSValidator, SecureService.Server" certificateValidationMode="Custom" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
和我的验证器:
public class CPSValidator : System.IdentityModel.Selectors.X509CertificateValidator
{
public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
throw new FaultException("Certificate is not from a trusted issuer");
}
}
有什么想法吗?
预先感谢您的任何帮助!
I have a simple WCF service configured for with transport security and Certificate client credentials.
I plug a custom certificate validator to it, and throws a FaultException.
My probkemn is the esception message does not reach the client : i only receive a MessageSecurityException without any Fault...
If i turn my service in net.tcp (self-hosted), i the receive a CommunicationExcetion, with no Fault either.
Here is a part of my web.config :
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding" messageEncoding="Text">
<reliableSession enabled="false" />
<security mode="Transport">
<transport clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="SecureService.Server.ChunkStreamService">
<endpoint binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" behaviorConfiguration="myBehavior" name="wsHttpEndPoint" contract="SecureService.Server.IChunkStreamService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="myBehavior">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="false" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication customCertificateValidatorType="SecureService.Server.CPSValidator, SecureService.Server" certificateValidationMode="Custom" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
and my Validator :
public class CPSValidator : System.IdentityModel.Selectors.X509CertificateValidator
{
public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
throw new FaultException("Certificate is not from a trusted issuer");
}
}
Any idea ?
Thanks in advance for any help !
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
据我所知,您在验证器中抛出的任何异常都不会到达客户端。客户端总是收到 MessageSecurityException。只有在服务级别(在服务实现中)发生并映射到故障契约的异常才会正确发送到客户端。
问候
巴勃罗.
As far as I know, any exception that you throw in a validator never reaches the client. The client always receives a MessageSecurityException. Only the exceptions that happens at service level (in the service implementation) and are mapped to a FaultContract are correctly sent to the client.
Regards
Pablo.
正如 Yahia 和 Pablo 回答的那样,证书验证不会在服务级别发生。因此,FaultException 无法到达客户端。但这只是因为我使用的是传输安全模式。为了将消息发送回客户端,我必须将安全模式从 Transport 更改为 TransportWithMessageCredentials,如下所示:
这样,证书验证是在服务级别完成的,以便可以通过错误异常将错误消息发送到客户端。
As Yahia and Pablo answered, certificate validation does not happens at service level. Therefore, FaultException cannot reach the client. But this is true only because i am using the transport security mode. In order to send message back to the client i had to change my security mode from Transport to TransportWithMessageCredentials, like this :
This way, the certificate validation is done at service level, so that an error message can be sent to the client throught a faultException.
您是否尝试过在服务器上打开 WCF 诊断以在调用到达服务本身之前捕获 WCF 管道中的问题?
Have you tried turning on WCF diagnostics on the server to catch issues in the WCF pipeline prior to the call getting to the service itself?