使用HTTPS配置WCF服务
[英]Configurating WCF service with HTTPS
问题描述
I am developing a WCF service that has to be run on HTTPS with UserName credentials and have found the following configuration working in my test solution running on IIS; 
我正在开发一种WCF服务,该服务必须使用UserName凭据在HTTPS上运行,并且发现以下配置在IIS上运行的测试解决方案中有效;
Server config: 服务器配置:
<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="Behavior1">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.UserNamePassValidator, Service" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="Binding1">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="Behavior1" name="Service.Service">
<host>
<baseAddresses>
<add baseAddress="https://localhost/" />
</baseAddresses>
</host>
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding1" contract="Service.IService" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
</system.serviceModel>
</configuration>
Client config: 客户端配置:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_IService">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://localhost:44303/UsernamePasswordService.svc"
binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IService"
contract="ServiceReference1.IService" name="WSHttpBinding_IService" />
</client>
</system.serviceModel>
</configuration>
The client in my scenario is a winforms application. 在我的方案中,客户端是winforms应用程序。
I am very new to configurating this, and just wanted to confirm if this is a valid/good setup for HTTPS (SSL) with UserName credentials? 我对配置此功能非常陌生,只是想确认这是否是使用UserName凭据的HTTPS(SSL)的有效/良好设置?
Since I am using a self-signed certificate, I have to bypass the validation of the certificate on the client side and thus I dont feel like I can see clearly how this will work with a valid certificate. 由于我使用的是自签名证书,因此我必须绕过客户端上的证书验证,因此我不觉得自己可以清楚地了解如何使用有效的证书。
The way I imagined it would work is that the server passes a client certificate to the client when starting communication and then the client encrypts all the traffic it sends to the server with the client certificate. 我以为它可以工作的方式是,服务器在开始通信时将客户端证书传递给客户端,然后客户端使用客户端证书加密发送给服务器的所有流量。 This traffic is then decrypted with the server certificate on the server end. 然后,使用服务器端的服务器证书对该流量进行解密。
But is this the way it will work? 但这是这样工作的方式吗? The way it is configurated now, the certificate is specified on the IIS listening port only, so will it generate a certificate for the client based on the server certificate for each request? 现在的配置方式是,证书仅在IIS侦听端口上指定,因此,它将基于每个请求的服务器证书为客户端生成证书吗? Or will the traffic from the client go unencrypted? 还是来自客户端的流量会不加密?
I tried running fiddler on my requests and enabled decrypting HTTPS, and noticed I could read the username and password in plain text in the XML. 我尝试对请求运行fiddler并启用解密HTTPS,并发现我可以用XML的纯文本格式读取用户名和密码。 Is this because fiddler does some magic to read through my certificate encryption or is the message sent not encrypted at all? 这是因为提琴手做了一些魔术来读取我的证书加密,还是发送的消息根本没有被加密?
In that case, do I have to encrypt and decrypt the data myself? 在那种情况下,我必须自己加密和解密数据吗?
I do not want to have to install a certificate on the client. 我不想在客户端上安装证书。
1 个解决方案
解决方案1
0 已采纳 2013-12-20 11:50:20
The short answer to your first question is, in my opinion, yes - HTTPS (SSL) with UserName credentials can be a valid security configuration. 我认为,第一个问题的简短答案是-具有UserName凭据的HTTPS(SSL)可以是有效的安全配置。 Using the WSHttpBinding implements the WS-Security specification and provides interoperability with services that implement the WS-* specifications. 使用WSHttpBinding可以实现WS-Security规范,并提供与实现WS- *规范的服务的互操作性。
Reference: http://msdn.microsoft.com/en-us/library/ms731172(v=vs.110).aspx 参考: http : //msdn.microsoft.com/en-us/library/ms731172(v=vs.110).aspx
In order to provide any further assessment, one would need to compare the security of that solution against the requirements of your system. 为了提供进一步的评估,需要将解决方案的安全性与系统需求进行比较。
Honestly, I did not fully understand the rest of the question, although I gather you have concerns about using the client implication of using a self-signed certificate. 老实说,尽管我认为您担心使用客户端使用自签名证书,但我并没有完全理解其余的问题。 That said, the following links (at least one) should provide some guidance: 也就是说,以下链接(至少一个链接)应提供一些指导:
http://msdn.microsoft.com/en-us/library/ff648840.aspx http://msdn.microsoft.com/en-us/library/ff648840.aspx
http://www.codeproject.com/Articles/570539/HTTPSplusCommunicationplusinplusWCFplususingplusSe http://www.codeproject.com/Articles/570539/HTTPSplusCommunicationplusinplusWCFplususingplusSe
http://blog.adnanmasood.com/2010/04/29/step-by-step-guide-for-authenticating-wcf-service-with-username-and-password-over-ssl/ http://blog.adnanmasood.com/2010/04/29/step-by-step-guide-for-authenticating-wcf-service-with-username-and-password-over-ssl/
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.