【问题标题】:wcf wss1.1 BindarySecurityToken UsernameToken configuration for clientwcf wss1.1 BindarySecurityToken 客户端的用户名令牌配置
【发布时间】:2015-01-28 22:07:14
【问题描述】:

我想用证书签署消息并包含用户名/密码。我可以让 WCF 做其中任何一个,但不能同时做这两个。

我正在尝试设置客户端以连接到使用 x509 证书和使用 WCF 的用户名/密码的 SOAP 服务 (WS-Security 2004)。

我有服务器和客户端的证书以及服务端点的 SSL URI (https://)。客户端消息需要签名:

<wsse:BinarySecurityToken 
   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
   wsu:Id="CertId-1317568">
MIICejCCAeOgAwIBAgIRAKxcIy5wGNq2XWsruqtiXY4wDQYJKoZIhvcNAQEF
...
</wsse:BinarySecurityToken>

而且头部还需要包含UsernameToken:

<wsse:UsernameToken>
   <wsse:Username>VendorName0001</wsse:Username>
   <wsse:Password 
      Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
      password
   </wsse:Password>
</wsse:UsernameToken>

我尝试了Rick Strahl's solution,但我不需要 NONCE,我仍然需要 x509 签名。

我的代码(我知道这不太正确),因为 BasicHttpSecurityMode.TransportWithMessageCredential 似乎覆盖了消息的用户名设置。

var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

var uri = "https://company.com/service.svc";
var client = new ServiceNamespace.ServiceWrapperClient(binding, new EndpointAddress(uri));
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "password";

client.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindByThumbprint,
    "1946c826c9bfb0b25b437da763a7c637eb19f963");

client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
    StoreLocation.LocalMachine,
    StoreName.TrustedPublisher,
    X509FindType.FindBySubjectName,
    "TEST subject name");

【问题讨论】:

  • 看起来客户端应该在这里引用“binding”而不是“wsbinding”:var client = new ServiceNamespace.ServiceWrapperClient(wsbinding, new EndpointAddress(uri));
  • 谢谢。我消除了这种干扰。

标签: wcf soap x509certificate ws-security


【解决方案1】:

这对我有用:

更新网络参考上的基类

//public partial class FooServiceWrapper : System.Web.Services.Protocols.SoapHttpClientProtocol {
public partial class FooServiceWrapper : Microsoft.Web.Services3.WebServicesClientProtocol {

使用 Soap Context Security 添加我需要的令牌

client.Url = ServiceUrl;
client.SoapVersion = System.Web.Services.Protocols.SoapProtocolVersion.Soap11;
client.RequestSoapContext.Security.Tokens.Add(
            new UsernameToken("username", "password", PasswordOption.SendPlainText));
client.RequestSoapContext.Security.MustUnderstand = false;

var certToken = new X509SecurityToken(new X509Certificate2(clientCert));
client.RequestSoapContext.Security.Tokens.Add(certToken);
client.RequestSoapContext.Security.Elements.Add(new MessageSignature(certToken));

【讨论】:

    猜你喜欢
    • 2011-12-23
    • 2011-05-03
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2015-05-23
    • 2012-02-07
    • 2021-06-27
    相关资源
    最近更新 更多