堆栈内存溢出
  简体   繁体   English

带有用户名令牌和客户端证书的WCF SOAP调用

[英]WCF SOAP call with both username token and client certificate

 原文  2014-08-28 20:15:15       c#/ .net/ wcf/ soap/ ws-security

问题描述

I'm trying to get a call to a web service (not sure what the backend is written in) using both a username token (username/pwd) and a client certificate. 我正在尝试使用用户名令牌(用户名/密码)和客户端证书来调用Web服务(不确定后端是什么写入)。

Short version : what combination of WCF code/config is needed to generate the SOAP headers below if I have a client cert and a username/password to work with? 简短版本 :如果我有一个客户端证书和用户名/密码可以使用WCF代码/配置的组合来生成下面的SOAP标头?

Long Version 长版

Below is the service interface as generated by "Add Service Reference" in Visual Studio 2010 (names/URIs changed to protect the innocent): 下面是由Visual Studio 2010中的“添加服务引用”生成的服务接口(名称/ URI已更改以保护无辜者): 

 [System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0")]
    [System.ServiceModel.ServiceContractAttribute(Namespace="http://servicenamespacehere", ConfigurationName="Service.Contract.ConfigName.Here")]
    public interface IBackendService {

        // CODEGEN: ...
        [System.ServiceModel.OperationContractAttribute(IsOneWay=true, Action="http://servicenamespacehere#Method1")]
        [System.ServiceModel.XmlSerializerFormatAttribute(SupportFaults=true)]
        void Method1(Method1Params request);

I need the resulting call's SOAP security headers to look as follows: 我需要生成的调用的SOAP安全标头如下所示: 

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="_0">
            <u:Created>2014-08-26T20:22:50.522Z</u:Created>
            <u:Expires>2014-08-26T20:27:50.522Z</u:Expires>
         </u:Timestamp>
         <o:UsernameToken u:Id="uuid-6f243c9c-fd85-4634-8b57-cb196aee3195-60591">
            <o:Username>myUser</o:Username>
            <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">somePwd</o:Password>
         </o:UsernameToken>
         <o:BinarySecurityToken u:Id="uuid-6f243c9c-fd85-4634-8b57-cb196aee3195-60592" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">BASE64TOKENHERE=</o:BinarySecurityToken>
         <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
            <SignedInfo>
               <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
               <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
               <Reference URI="#_0">
                  <Transforms>
                     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </Transforms>
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <DigestValue>BASE64DIGESTHERE=</DigestValue>
               </Reference>
            </SignedInfo>
            <SignatureValue>BASE64SIGNATUREHERE=</SignatureValue>
            <KeyInfo>
               <o:SecurityTokenReference>
                  <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-6f243c9c-fd85-4634-8b57-cb196aee3195-60592"/>
               </o:SecurityTokenReference>
            </KeyInfo>
         </Signature>
      </o:Security>
   </s:Header>
   SOAP XML PAYLOAD FOLLOWS...

I was not able to find any comnbination of WCF binding/endpoint settings that would support client message credentials that would include both UserName and Certificate types. 我无法找到支持包含UserNameCertificate类型的客户端消息凭据的WCF绑定/端点设置的任何组合。

As a result of some searches I found someone who indicated that I needed a custom WCF binding to include both credential types, and they pointed to this MSDN link: 由于某些搜索,我发现有人表示我需要自定义WCF绑定以包含两种凭据类型,并且他们指向此MSDN链接:

http://msdn.microsoft.com/en-us/library/ms751480(v=vs.100).aspx http://msdn.microsoft.com/en-us/library/ms751480(v=vs.100).aspx

But when I follow the code example I get an error: 但是,当我按照代码示例时,我收到一个错误: 

'The service certificate is not provided for target'

Now the ClientCredentials object has both a ClientCertificate property (which I successfully load via my client cert's thumbprint), but what is the ServiceCertificate for? 现在,ClientCredentials对象同时具有ClientCertificate属性(我通过客户端证书的指纹成功加载),但ServiceCertificate是什么?

What combination of WCF code/config is needed to generate the SOAP headers above if all I have a client cert and a username/password to work with? 如果所有我都有客户端证书和用户名/密码可以使用,那么生成上面的SOAP头需要什么样的WCF代码/配置组合?

2 个解决方案

解决方案1
 5 已采纳  2014-09-03 12:17:41

This can only be done with a code binding: 这只能通过代码绑定来完成: 

        var b = new CustomBinding();
        var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
        sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
        sec.MessageSecurityVersion =
            MessageSecurityVersion.
                WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
        sec.IncludeTimestamp = false;
        sec.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.EncryptBeforeSign;

        b.Elements.Add(sec);
        b.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8));
        b.Elements.Add(new HttpsTransportBindingElement());

解决方案2
 0  2014-09-02 21:16:07

I am not sure if i understand it correctly but by looking at your error it looks like you are not passing Certificate while creating end point to authenticate the service. 我不确定我是否理解正确,但通过查看您的错误,看起来您在创建终端验证服务时没有通过证书。 

   // Create the service host
   ServiceHost myServiceHost = 
    new ServiceHost(typeof(Calculator), httpUri);
myServiceHost.AddServiceEndpoint(typeof(ICalculator), binding, "");

// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.
    SetCertificate(StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindBySubjectName,
    "Contoso.com");

http://msdn.microsoft.com/en-us/library/ms733098.aspx http://msdn.microsoft.com/en-us/library/ms733098.aspx

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何在WCF客户端中提供UserName和Client Certificate(为什么这个例子有用)? - How to supply both UserName and Client Certificate in WCF client (why does this example work)? WCF 下的 SOAP web 服务的同时客户端证书和用户名身份验证 - Simultaneous client-certificate and username authentication of a SOAP web service under WCF 结合使用Certificate和UserName在WCF中通过basicHttpsBinding进行客户端身份验证以传递反向代理身份验证 - Use both Certificate and UserName for client authentication in WCF with basicHttpsBinding for passing reverse proxy authentication 如何配置 wcf 服务客户端以在消息级别同时使用证书和用户名凭据? - How to configure a wcf service client to use both certificate and username credentials at the message level? 具有基本证书验证和客户端证书验证的WCF客户端 - WCF Client with both Basic and Client Certificate Authentication 客户端在WCF中是否需要用于用户名身份验证的证书 - Does the client need a certificate for username authentication in WCF WCF 客户端证书和用户名凭据被禁止 - WCF Client Certificate AND UserName Credentials forbidden SOAP标头中的WCF用户名和密码 - WCF Username and Password in SOAP Header WCF和客户端证书身份验证 - WCF and client certificate authentication 为 Soap 请求生成用户名令牌 - Generating Username Token For Soap Request
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM