No signature in the WS-Security message for the configured soap actor/role ""! (from client)
I'm binding as follows
//Get certificate in bytes[]
X509Store store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadWrite);
localCert = new X509Certificate2(cert.File, "mypassword");
store.Add(localCert);
certFriendlyName = localCert.FriendlyName;
//set binding
SecurityBindingElement security = new TransportSecurityBindingElement();
X509SecurityTokenParameters item = new X509SecurityTokenParameters(X509KeyIdentifierClauseType.Any, SecurityTokenInclusionMode.AlwaysToRecipient);
security.EndpointSupportingTokenParameters.SignedEncrypted.Add(item);
security.IncludeTimestamp = false;
security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
TextMessageEncodingBindingElement encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
HttpsTransportBindingElement transport = new HttpsTransportBindingElement();
transport.RequireClientCertificate = true;
System.ServiceModel.Channels.Binding currentBinding = new CustomBinding(security, encoding, transport);
EndpointIdentity identity = EndpointIdentity.CreateDnsIdentity("mydns");
EndpointAddress ea = new EndpointAddress(new Uri("MyURI"), identity);
service.ClientCredentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.My , X509FindType.FindBySubjectName, certFriendlyName);
service.ClientCredentials.ServiceCertificate.SetDefaultCertificate(System.Security.Cryptography.X509Certificates.StoreLocation.CurrentUser,
System.Security.Cryptography.X509Certificates.StoreName.My,
System.Security.Cryptography.X509Certificates.X509FindType.FindBySubjectName,
certFriendlyName);
and below is the security policy from the provided WSDL
<wsp:Policy Name="GAPolicy" wsu:Id="policy.ga" xmlns:wsaws="http://www.w3.org/2005/08/addressing">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy Name="NPPIPolicy" wsu:Id="policy.nppi"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Force the use of WS-Addressing -->
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
      <!-- Require a signature on the body of the message -->
      <wsp:SignedParts>
        <wsp:Body />
      </wsp:SignedParts>
      <!-- X.509 Certs in header -->
      <wsp:AsymmetricBinding
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorSignatureToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient" />
            </wsp:Policy>
          </sp:InitiatorSignatureToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" />
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Supported encryption algorithms -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <wsp:ExactlyOne>
                <sp:Basic256 />
                <sp:TripleDes />
                <sp:TripleDesSha256 />
                <sp:TripleDesSha256Rsa15 />
              </wsp:ExactlyOne>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Do not impose an order of layout -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </wsp:AsymmetricBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy Name="PCIPolicy" wsu:Id="policy.pci"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Force the use of WS-Addressing -->
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl" />
      <!-- Require a signature on the body of the message -->
      <wsp:SignedParts>
        <wsp:Body />
      </wsp:SignedParts>
      <!-- X.509 Certs in header -->
      <wsp:AsymmetricBinding
          xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorSignatureToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/IncludeToken/AlwaysToRecipient" />
            </wsp:Policy>
          </sp:InitiatorSignatureToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                  sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never" />
            </wsp:Policy>
          </sp:RecipientToken>
          <!-- Supported encryption algorithms -->
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <wsp:ExactlyOne>
                <sp:Basic256 />
                <sp:TripleDes />
                <sp:TripleDesSha256 />
                <sp:TripleDesSha256Rsa15 />
              </wsp:ExactlyOne>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <!-- Do not impose an order of layout -->
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </wsp:AsymmetricBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Using this I'm running into "System.ServiceModel.FaultException: No signature in the WS-Security message for the configured soap actor/role ""! (from client)"
Comments (1)
Use CustomBinding directly. By introducing WsHttpBinding and setting its security to expect a client certificate, you are configuring a completely different security mode. I wrote an article about this issue (as a result of the question on MSDN you've already found). Start with the binding described in the article or modify it according to your needs. The described binding uses mutual HTTPS (client certificate for HTTPS) with a supporting certificate in each request message.
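A diagnostic for the fault quoted in the question, as an added example that is not part of the original question or answer: it inspects a captured request (for instance from WCF message logging) and reports whether the Security header with no actor contains a signature that references the Body, which is what the policy's SignedParts/Body assertion requires. The sample envelopes, the wsu:Id values and the function names are constructed for the demo, and the check is structural only, with no cryptographic validation.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs: SOAP 1.1, WS-Security 1.0 (secext/utility), XML-DSig.
WSS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-"
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": WSS + "secext-1.0.xsd",
    "wsu": WSS + "utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
ACTOR = "{%s}actor" % NS["s"]


def body_signature_status(envelope_xml):
    """Structural check only: is the Body referenced by a signature in the
    Security header that has no actor? No cryptographic validation is done."""
    root = ET.fromstring(envelope_xml)
    headers = [h for h in root.findall("s:Header/wsse:Security", NS)
               if not h.get(ACTOR)]
    if not headers:
        return "no-security-header"
    signature = headers[0].find("ds:Signature", NS)
    if signature is None:
        return "no-signature"  # a token alone does not satisfy SignedParts/Body
    body = root.find("s:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    refs = [r.get("URI") for r in signature.findall("ds:SignedInfo/ds:Reference", NS)]
    if body_id and "#" + body_id in refs:
        return "body-signed"
    return "signature-does-not-cover-body"


def sample(security_children):
    """Constructed envelope for the demo; not a capture from the page's service."""
    return (
        '<s:Envelope xmlns:s="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
        '<s:Header><wsse:Security>%s</wsse:Security></s:Header>'
        '<s:Body wsu:Id="body-1"><Ping/></s:Body></s:Envelope>'
    ) % (NS["s"], NS["wsse"], NS["wsu"], NS["ds"], security_children)


TOKEN = '<wsse:BinarySecurityToken wsu:Id="cert-1">AAAA</wsse:BinarySecurityToken>'
SIGNATURE = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/>'
             '</ds:SignedInfo></ds:Signature>')
TOKEN_ONLY = sample(TOKEN)
BODY_SIGNED = sample(TOKEN + SIGNATURE % "#body-1")

if __name__ == "__main__":
    for name, xml in (("token only", TOKEN_ONLY), ("body signed", BODY_SIGNED)):
        print(name, "->", body_signature_status(xml))
```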