【发布时间】:2015-01-28 22:07:14
【问题描述】:
我想用证书签署消息并包含用户名/密码。我可以让 WCF 做其中任何一个,但不能同时做这两个。
我正在尝试设置客户端以连接到使用 x509 证书和使用 WCF 的用户名/密码的 SOAP 服务 (WS-Security 2004)。
我有服务器和客户端的证书以及服务端点的 SSL URI (https://)。客户端消息需要签名:
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="CertId-1317568">
MIICejCCAeOgAwIBAgIRAKxcIy5wGNq2XWsruqtiXY4wDQYJKoZIhvcNAQEF
...
</wsse:BinarySecurityToken>
而且头部还需要包含UsernameToken:
<wsse:UsernameToken>
<wsse:Username>VendorName0001</wsse:Username>
<wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
password
</wsse:Password>
</wsse:UsernameToken>
我尝试了Rick Strahl's solution,但我不需要 NONCE,我仍然需要 x509 签名。
我的代码(我知道这不太正确),因为 BasicHttpSecurityMode.TransportWithMessageCredential 似乎覆盖了消息的用户名设置。
var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
var uri = "https://company.com/service.svc";
var client = new ServiceNamespace.ServiceWrapperClient(binding, new EndpointAddress(uri));
client.ClientCredentials.UserName.UserName = "username";
client.ClientCredentials.UserName.Password = "password";
client.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
"1946c826c9bfb0b25b437da763a7c637eb19f963");
client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
StoreLocation.LocalMachine,
StoreName.TrustedPublisher,
X509FindType.FindBySubjectName,
"TEST subject name");
【问题讨论】:
-
看起来客户端应该在这里引用“binding”而不是“wsbinding”:var client = new ServiceNamespace.ServiceWrapperClient(wsbinding, new EndpointAddress(uri));
-
谢谢。我消除了这种干扰。
标签: wcf soap x509certificate ws-security