【问题标题】:Soap body is not encrypted when X509 security implemented on WCF service在 WCF 服务上实施 X509 安全性时,肥皂体未加密
【发布时间】:2010-08-01 17:36:44
【问题描述】:

我为我的雇主的一个项目实施了 WCF 服务和客户端应用程序,目前由于肥皂体元素而面临严重问题。问题是肥皂正文没有被加密,只有标题被加密。无论如何,我提到了肥皂请求、webconfigs 和我创建证书的方式供您参考......

WCF 服务器配置 ......................

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding" >
      <security>
        <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
      </security>
    </binding>
  </wsHttpBinding>
  <customBinding>
    <binding name="CustomBinding">        
      <textMessageEncoding messageVersion="Soap11" />
      <security authenticationMode="MutualCertificate"  requireDerivedKeys="false"
      includeTimestamp="true" keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      requireSecurityContextCancellation="false">            
        <secureConversationBootstrap />

      </security>
      <httpTransport />

    </binding>
  </customBinding>
</bindings>
<services>
  <service name="mysvc.MySvc" behaviorConfiguration="mysvc.Service1Behavior">
    <endpoint address="" binding="customBinding" bindingConfiguration ="CustomBinding"  contract="mysvc.IMySvc"  />        
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
     <host>
        <baseAddresses>
             <add baseAddress ="http://localhost:8888/" />
        </baseAddresses>
     </host>
  </service>
</services>
<behaviors>
  <endpointBehaviors>
    <behavior name="inspectorBehavior">
       <consoleOutputBehavior />
    </behavior>
  </endpointBehaviors>

  <serviceBehaviors>
    <behavior name="mysvc.Service1Behavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>

      <serviceCredentials>

        <serviceCertificate findValue="WCfServerCert"
        storeLocation="LocalMachine" 
        storeName="My"
        x509FindType="FindBySubjectName" />

        <clientCertificate>              
          <authentication certificateValidationMode="None" />                       
        </clientCertificate>

      </serviceCredentials>

    </behavior>
  </serviceBehaviors>
</behaviors>  

WCF 客户端配置 .....................

<system.serviceModel>
    <bindings>
        <customBinding>
            <binding name="CustomBinding_IMySvc">
                <security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
                    requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
                    keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                    requireSignatureConfirmation="false">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                </security>
                <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Soap11" writeEncoding="utf-8">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
                <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" />
            </binding>
        </customBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:8888/" binding="customBinding" behaviorConfiguration ="CustomBehavior"
          bindingConfiguration="CustomBinding_IMySvc" contract="WCFProxy.IMySvc"
          name="CustomBinding_IMySvc" >

        <identity >
          <dns value ="WCfServerCert"/>
        </identity>

      </endpoint>
    </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCfClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          <serviceCertificate>
            <defaultCertificate findValue="WCfServerCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <authentication certificateValidationMode="None"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors >
</system.serviceModel>

证书创建命令 ....................

makecert -n "CN=WCFServer" -r -sv WCFServer.pvk WCFServer.cer

makecert -n "CN=WCFClient" -r -sv WCFClient.pvk WCFClient.cer

makecert -sk WCFServerCert -iv d:\WCFServer.pvk -n "CN=WCFServerCert " -ic d:\WCFServer.cer -sr LocalMachine -ss My -sky exchange pe

makecert -sk WCFClientCert -iv d:\WCFClient.pvk -n "CN=WCFClientCert " -ic d:\WCFClient.cer -sr LocalMachine -ss My -sky exchange pe

【问题讨论】:

    标签: wcf security x509certificate


    【解决方案1】:

    这发生在我身上。我用来生成 Web 服务的工具(Web 服务软件工厂)总是为服务和操作设置保护级别,并将它们设置为 ProtectionLevel.None。最终结果是我的 svcutil 配置文件将包含自定义绑定而不是简单的 wsHttpBinding。

    为了解决未加密的 SOAP 正文问题,我将操作和服务本身的所有 ProtectionLevel 属性更改为 EncryptAndSign。现在 svcutil 输出具有所需的 wsHttpBinding(自定义绑定已消失)。使用 fiddler 进行测试显示主体已加密。

    我也可以删除保护级别属性——对于 wsHttpBinding,它具有相同的效果。但是由于此代码是使用工具生成的,因此每次生成代码时都必须这样做。

    我希望这可以帮助某人。这让我难过了一阵子。

    【讨论】:

      【解决方案2】:

      您是在谈论请求还是回复正文?在任何情况下,至少,看起来您的服务的绑定配置正在将 元素中的 mode 属性设置为 Message(即):

        <wsHttpBinding>
          <binding name="wsHttpEndpointBinding" >
            <security mode="Message">
              <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
            </security>
          </binding>
        </wsHttpBinding>
      

      【讨论】:

      • 服务使用的是 customBinding 而不是 wsHttpBinding。
      猜你喜欢
      • 2013-09-22
      • 2018-04-12
      • 1970-01-01
      • 2012-05-01
      • 1970-01-01
      • 2014-01-11
      • 2017-01-16
      • 2014-01-08
      • 1970-01-01
      相关资源
      最近更新 更多