从 .Net 调用 Java Web 服务的安全策略错误

【问题标题】:Security Policy Error Calling Java Web Service From .Net从 .Net 调用 Java Web 服务的安全策略错误
【发布时间】:2013-09-18 11:48:55
【问题描述】:

我正在尝试使用 .Net 通过 Http 而不是 Https 调用 Java Web 服务。我从 Web 服务团队得到的唯一提示是在 SOAP 消息或端点设置中传递凭据。

我创建了一个简单的控制台应用程序并添加了对 Web 服务的服务引用。以下是生成的绑定(我看到有关于无法识别策略的警告,但无法弄清楚它的含义或是否相关):

<customBinding>
    <binding name="CurrencyInformationServiceSoapBinding">
        <!--    WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://www.openuri.org/':    -->
        <!--    <wsdl:binding name='CurrencyInformationServiceSoapBinding'>    -->
        <!--        <ns1:SupportingTokens xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">..</ns1:SupportingTokens>    -->
        <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
            messageVersion="Soap11" writeEncoding="utf-8">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        </textMessageEncoding>
      <!--<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true"/>-->  
      <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
            maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
            bypassProxyOnLocal="false" decompressionEnabled="true" hostNameComparisonMode="StrongWildcard"
            keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
            realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
            useDefaultWebProxy="true" />
    </binding>
</customBinding>

这是我的试验:

路径 #1:
------------
使用以下代码:

CurrencyInformationServiceClient client = new CurrencyInformationServiceClient();  
foreignCurrencyDTO[] results = client.getAllForeignCurrencies();

或在 Windows 属性中提供凭据

CurrencyInformationServiceClient client = new CurrencyInformationServiceClient();  
client.ClientCredentials.Windows.ClientCredential = new System.Net.NetworkCredential("crmuser", "welcome1");  
foreignCurrencyDTO[] results = client.getAllForeignCurrencies();

或在 UserName 属性中提供凭据

CurrencyInformationServiceClient client = new CurrencyInformationServiceClient();  
client.ClientCredentials.UserName.UserName = "someuser";  
client.ClientCredentials.UserName.Password = "somepassword";  
foreignCurrencyDTO[] results = client.getAllForeignCurrencies();

导致

 System.ServiceModel.FaultException: Error on verifying message against security policy Error code:1000

轨迹#2:
------------
根据我看到的一条评论,我尝试在绑定中添加以下标记,并通过在 ClientCredentials 的 UserName 属性中传递凭据来调用 Web 服务

<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true"/>

但结果是

System.ServiceModel.Security.MessageSecurityException: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

足迹#3:
------------
我尝试使用 WSHttpBinding 而不是 VS 生成的 CustomBinding 如下:

WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
EndpointAddress ea = new EndpointAddress("http://someurl/CurrencyInformationService.jws");
CurrencyInformationServiceClient client = new CurrencyInformationServiceClient(binding, ea);
client.ClientCredentials.UserName.UserName = "someuser";
client.ClientCredentials.UserName.Password = "somepassword";
foreignCurrencyDTO[] results = client.getAllForeignCurrencies();

但结果是

System.ServiceModel.ProtocolException: Content Type application/soap+xml; charset=utf-8 was not supported by service http://someurl/CurrencyInformationService.jws.  The client andservice bindings may be mismatched. ---> System.Net.WebException: The remote server returned an error: (415) Unsupported Media Type.

更新:
------------
我收到了供应商的工作请求,并在soapUI中进行了尝试,它给出了正确的响应。

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <soap:Header>
                <wsse:Security soap:mustUnderstand="1">
                        <wsse:UsernameToken wsu:Id="SecurityToken-35598fb7-5aa2-4623-b07b-3277c6578beb" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                <wsse:Username>someuser</wsse:Username>
                                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">somepassword</wsse:Password>
                        </wsse:UsernameToken>
                </wsse:Security>
        </soap:Header>
        <soap:Body>
                <getAllForeignCurrencies xmlns="http://www.openuri.org/">
                </getAllForeignCurrencies>
        </soap:Body>
</soap:Envelope>

谁能给我一个提示如何生成这样的 SOAP 请求?

【问题讨论】:

  • 您需要向服务供应商索取有效的 SOAP 消息样本。然后你可以配置 WCF 来支持它。
  • @YaronNaveh 我添加了一个有效的 SOAP 请求。您能否指导我配置应用程序以从 .Net 生成相同的请求

标签: java wcf web-services c#-4.0


【解决方案1】:

我在使用 .Net 使用 java web 服务时遇到了同样的问题,这个线程在一定程度上帮助我能够使用 web 服务。

但是,不知何故,我偶然发现了这篇文章,它对我来说是最终的解决方案:http://weblog.west-wind.com/posts/2012/Nov/24/WCF-WSSecurity-and-WSE-Nonce-Authentication

以下设置对我来说效果很好:

<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="CustomSoapBinding">
          <security includeTimestamp="false"
                    authenticationMode="UserNameOverTransport"
                    defaultAlgorithmSuite="Basic256"
                    requireDerivedKeys="false"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          </security>
          <textMessageEncoding messageVersion="Soap11"></textMessageEncoding>
          <httpsTransport maxReceivedMessageSize="2000000000"/>
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="https://notrealurl.com:443/services/RealTimeOnline"
                binding="customBinding"
                bindingConfiguration="CustomSoapBinding"
                contract="RealTimeOnline.RealTimeOnline"
                name="RealTimeOnline" />
    </client>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0"
                      sku=".NETFramework,Version=v4.0"/>
  </startup>
</configuration>

【讨论】:

    【解决方案2】:

    如果您使用 SSL,请使用:

    <basicHttpBinding>
                <binding name="NewBinding0">
                    <security mode="TransportWithMessageCredential" />
                </binding>
</basicHttpBinding>

    如果没有 SSL,则使用 CUB

    【讨论】:

    • 嗨 Yaron,我使用了 CUB,我可以在 fiddler 中看到正确的请求和响应。我还使用了提琴手捕获的请求并在soapUI中尝试过,我得到了正确的响应。但是在 .Net 应用程序中,我得到“安全处理器无法在消息中找到安全标头 ...”。关于如何忽略它的任何想法。
    • 似乎解决方案是在客户端配置中添加 但我收到异常“无法识别的元素'安全'”。有什么建议吗?
    • 它是否接受不带 allowInsecureTransport 的安全元素?使用 .net 4.5
    • .Net 4.5 也有同样的问题。如果我在 myClearUsernameBinding 中添加 或只是 我会收到相同的错误“无法识别元素'安全'。”
    • CUB 不支持 OOTB,但您可以在此处的代码中添加它github.com/yaronn/ClearUsernameBinding/blob/… 我们在某个变量中创建 SecurityBindingElement 并在其上设置 allowInsecureTransport。但是我认为此设置与您无关 - 似乎服务器返回了一些错误,所以这对您没有帮助。您需要打开 WCF 跟踪或检查您的内部异常
    猜你喜欢
    • 2011-02-28
    • 1970-01-01
    • 1970-01-01
    • 2014-07-03
    • 1970-01-01
    • 2011-04-24
    • 1970-01-01
    • 2012-04-07
    • 2018-10-09
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode