【Posted】: 2019-07-22 14:10:13
【Problem description】:
I have a WCF service set up with a custom binding and a custom certificate validator.
The certificate validator is defined as follows. It will be extended later, but for now it only does a basic verification.
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using log4net; // assumed: ILog/LogManager match the log4net API

public class MyX509CertificateValidator : X509CertificateValidator
{
    private static readonly ILog Logger = LogManager.GetLogger(typeof(MyX509CertificateValidator));

    public MyX509CertificateValidator()
    {
        Logger.Info("certval - Constructor ");
    }

    // Invoked by WCF for every client certificate it has to authenticate.
    public override void Validate(X509Certificate2 certificate)
    {
        Logger.Info("certval - Validate(). Calling Cert.validate()");
        // Builds the chain to a trusted root using the default (online revocation) policy.
        bool verifyResult = certificate.Verify();
        Logger.Info("verify result: " + verifyResult);
        if (!verifyResult)
        {
            throw new SecurityTokenValidationException("cert had some bad juju");
        }
    }
}
My web.config is set up as below. The goal is to use transport security and to use sessions. I want the certificate to be validated once when the session is created. However, I can see from the logging in the certificate validator that, when an existing open WCF client proxy is used, validation happens on every service call the client makes.
I have verified that my WCF service instance is created once per session (the logging in the constructor is invoked once per session). However, the certificate validator is invoked on every service call. How can I get the certificate validator to be invoked only at the start of the session?
Given that it appears to be using sessions, I assumed certificate validation would be session-scoped and only be called once per session. I have read through the WCF configuration documentation on MSDN carefully but don't see a way to further customize the reliable session tag, or anything security-related, to do what I want.
Here are the web.config and the service definition.
[ServiceBehavior(AutomaticSessionShutdown = true,
    InstanceContextMode = InstanceContextMode.PerSession, ConcurrencyMode = ConcurrencyMode.Multiple)]
public class WcfBasicService : IWcfBasicService
{
    ...
<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="reliableSessionOverHttps">
        <reliableSession/>
        <security authenticationMode="CertificateOverTransport"/>
        <httpsTransport />
      </binding>
    </customBinding>
  </bindings>
  <services>
    <service name="WcfServiceLibrary1.WcfBasicService">
      <endpoint address="" binding="customBinding" contract="WcfServiceLibrary1.IWcfBasicService" name="mainEndpoint"
                bindingConfiguration="reliableSessionOverHttps">
        <identity>
          <dns value="localhost" />
        </identity>
      </endpoint>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="Custom" customCertificateValidatorType="WcfServiceLibrary1.MyX509CertificateValidator, WcfServiceLibrary1" />
          </clientCertificate>
        </serviceCredentials>
        <!-- To avoid disclosing metadata information,
             set the values below to false before deployment -->
        <serviceMetadata httpGetEnabled="True" httpsGetEnabled="True" />
        <!-- To receive exception details in faults for debugging purposes,
             set the value below to true. Set to false before deployment
             to avoid disclosing exception information -->
        <serviceDebug includeExceptionDetailInFaults="True" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
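Added example, not code from the question or from WCF itself. With `authenticationMode="CertificateOverTransport"` the client certificate is presented as a supporting token on each message, so the validator runs per call regardless of `InstanceContextMode.PerSession`; a reliable session gives message ordering and retry, not an authentication session. If the goal is only to avoid paying for a chain build and revocation lookup on every call, the validator can cache positive verdicts keyed by certificate thumbprint for a short lifetime. The class name `CachingX509CertificateValidator`, the five-minute `CacheLifetime` and the `Verified` dictionary are hypothetical names chosen for this example; it would be wired in through the same `customCertificateValidatorType` attribute shown in the web.config above.

```csharp
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical caching validator (added example, not from the original question).
// WCF still calls Validate() for every message that carries the client
// certificate; the cache only avoids repeating the chain build and revocation
// lookup inside that call. A cached verdict is reused until CacheLifetime
// expires, so a certificate revoked after it was cached is still accepted for
// up to that long.
public class CachingX509CertificateValidator : X509CertificateValidator
{
    // How long a positive verdict is reused before the chain is rebuilt (assumed value).
    private static readonly TimeSpan CacheLifetime = TimeSpan.FromMinutes(5);

    // Thumbprint -> UTC time the certificate was last successfully verified.
    // Only positive results are cached; failures are re-evaluated every time.
    private static readonly ConcurrentDictionary<string, DateTime> Verified =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");

        DateTime lastVerified;
        if (Verified.TryGetValue(certificate.Thumbprint, out lastVerified)
            && DateTime.UtcNow - lastVerified < CacheLifetime
            && DateTime.UtcNow < certificate.NotAfter.ToUniversalTime())
        {
            return; // recent positive verdict: skip the chain build
        }

        using (var chain = new X509Chain())
        {
            // Explicit policy instead of certificate.Verify() so the revocation
            // behaviour is visible and deliberate rather than the framework default.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            // Require the Client Authentication EKU (id-kp-clientAuth).
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

            if (!chain.Build(certificate))
            {
                Verified.TryRemove(certificate.Thumbprint, out lastVerified);
                string reason = chain.ChainStatus.Length > 0
                    ? chain.ChainStatus[0].StatusInformation.Trim()
                    : "unknown";
                throw new SecurityTokenValidationException(
                    "Client certificate " + certificate.Thumbprint + " rejected: " + reason);
            }
        }

        Verified[certificate.Thumbprint] = DateTime.UtcNow;
    }
}
```

Two caveats apply to this example as much as to the validator in the question. Both accept any certificate that chains to any root trusted by the service host's machine store, so an authorization step (pinning the expected issuer, or mapping the thumbprint or subject to an identity) still has to happen somewhere before the call is allowed. And caching trades revocation latency for throughput: pick `CacheLifetime` to match how quickly a revoked client must be locked out, and keep it short.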
【Discussion】:
Tags: wcf certificate custom-binding