
WCF error processing the token received from a Security Token Service

This question is a sort of follow-up to this one: How to create a .NET client for a wso2 Secure Token Service

Briefly, I am trying to implement a client for a web service in a federated security scenario. My client should invoke a method of a given web service, authenticating itself with a security token provided by another web service (both services are implemented with the wso2 platform).

As I stated in the answer to the above question, with the proper binding configuration the client is able to receive the requested token. The following is my binding configuration:

  <wsFederationHttpBinding>
    <binding name="fs">
      <security mode="TransportWithMessageCredential">
        <message issuedKeyType="SymmetricKey" issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <!-- STS URL HERE -->
          <issuer address="STS URL HERE" binding="customBinding" bindingConfiguration="StsBinding"/>
          <claimTypeRequirements>
            <add claimType="http://wso2.org/claims/userid" />
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>
  ...
  <customBinding>
    <binding name="StsBinding">
      <textMessageEncoding messageVersion="Soap12WSAddressing10"/>
      <useManagedPresentation/>
      <security authenticationMode="UserNameOverTransport" includeTimestamp="true" keyEntropyMode="ServerEntropy" securityHeaderLayout="Lax"
                messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
      </security>
      <httpsTransport authenticationScheme="Basic"/>
    </binding>
  </customBinding>

However, when my client processes the received token it fails with a SecurityNegotiationException stating that the "urn:IssueTokenResponse" action is wrong. What does this exception mean? What should the correct action be?

I don't have access to any details of either service, so I need to know if I can do something on the client side only.

I have tried to follow the advice contained in this forum post https://social.msdn.microsoft.com/Forums/vstudio/en-US/6c838f7e-f72f-4fdd-827d-b29c61522aa0/wrong-action-httpdocsoasisopenorgwssxwstrust200512rstrissue?forum=wcf but I don't think it applies to my case, because there isn't a single messageSecurityVersion value which seems to work.

I finally found a working solution, at least for the "wrong action" error.

Digging through the WCF documentation I found a reference document describing how to set up a Security Token Service (MSDN address here).

The most interesting part of the document is this small phrase, which seems to indicate the expected action for a response sent by an STS:

In addition, it defines the associated Action Uniform Resource Identifiers (URIs). The action URI associated with the RequestSecurityToken message is http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue . The action URI associated with the RequestSecurityTokenResponse message is http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue .

After some more research on the extensibility mechanism provided by the WCF framework, I found a promising reference about IClientMessageInspector, which allows customizing client behavior when sending requests or when receiving replies.

The following is the simple code of the behavior:

    Imports System.ServiceModel
    Imports System.ServiceModel.Channels
    Imports System.ServiceModel.Dispatcher

    Public Class ChangeReplyActionMessageInspector
        Implements IClientMessageInspector

        ' Runs on every reply received on the STS channel: if the STS answered with the
        ' non-standard action, replace it with the WS-Trust (February 2005) RSTR/Issue
        ' action that WCF expects before it processes the issued token.
        Public Sub AfterReceiveReply(ByRef reply As Message, correlationState As Object) Implements IClientMessageInspector.AfterReceiveReply
            If reply.Headers.Action = "urn:IssueTokenResponse" Then
                reply.Headers.Action = "http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue"
            End If
        End Sub

        ' Nothing to change on the outgoing RequestSecurityToken.
        Public Function BeforeSendRequest(ByRef request As Message, channel As IClientChannel) As Object Implements IClientMessageInspector.BeforeSendRequest
            Return Nothing
        End Function
    End Class

To attach this custom behavior to the client object responsible for talking to the Security Token Service I need an IEndpointBehavior like this one:

    Imports System.ServiceModel.Channels
    Imports System.ServiceModel.Description
    Imports System.ServiceModel.Dispatcher

    Public Class ChangeReplyActionEndpointBehavior
        Implements IEndpointBehavior

        Public Sub AddBindingParameters(endpoint As ServiceEndpoint, bindingParameters As BindingParameterCollection) Implements IEndpointBehavior.AddBindingParameters
            ' No binding parameters are needed.
        End Sub

        ' Client side only: register the inspector on the runtime of the STS endpoint.
        Public Sub ApplyClientBehavior(endpoint As ServiceEndpoint, clientRuntime As ClientRuntime) Implements IEndpointBehavior.ApplyClientBehavior
            clientRuntime.ClientMessageInspectors.Add(New ChangeReplyActionMessageInspector)
        End Sub

        Public Sub ApplyDispatchBehavior(endpoint As ServiceEndpoint, endpointDispatcher As EndpointDispatcher) Implements IEndpointBehavior.ApplyDispatchBehavior
            ' Not used on the client.
        End Sub

        Public Sub Validate(endpoint As ServiceEndpoint) Implements IEndpointBehavior.Validate
            ' Nothing to validate.
        End Sub
    End Class

It is programmatically attached to the client with the following code:

    ' "client" is the generated proxy for the target service; the behaviors are
    ' keyed by the issuer (STS) address so they apply only to the STS channel.
    Dim endpointBehaviorCollection As New System.Collections.Generic.KeyedByTypeCollection(Of IEndpointBehavior)
    endpointBehaviorCollection.Add(New ChangeReplyActionEndpointBehavior)
    client.ClientCredentials.IssuedToken.IssuerChannelBehaviors.Add(New Uri("STS URL HERE"), endpointBehaviorCollection)

In this way the issued security token is sent back to the target service with the final request. I am still getting errors for the final request, however, which needs further investigation.
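A stricter variant of the inspector, added here as an illustration and not part of the answer above: it buffers the reply and rewrites the action only when the body element really is a WS-Trust February 2005 RequestSecurityTokenResponse, so a reply that merely carries the same action string but no RSTR is still rejected by WCF. The class name StrictReplyActionMessageInspector is my own.

```vb
Imports System.ServiceModel
Imports System.ServiceModel.Channels
Imports System.ServiceModel.Dispatcher
Imports System.Xml

' Added example (not from the original answer): rewrite the reply action only
' after checking that the body is a WS-Trust (February 2005) RSTR.
Public Class StrictReplyActionMessageInspector
    Implements IClientMessageInspector

    Private Const TrustNs As String = "http://schemas.xmlsoap.org/ws/2005/02/trust"
    Private Const RstrIssueAction As String = TrustNs & "/RSTR/Issue"

    Public Sub AfterReceiveReply(ByRef reply As Message, correlationState As Object) _
        Implements IClientMessageInspector.AfterReceiveReply

        If reply.Headers.Action <> "urn:IssueTokenResponse" Then Return

        ' A Message body can be read only once, so inspect a buffered copy and
        ' hand WCF a fresh message built from the same buffer.
        Dim buffer As MessageBuffer = reply.CreateBufferedCopy(Integer.MaxValue)
        Dim isRstr As Boolean = IsTrustResponseBody(buffer.CreateMessage())
        reply = buffer.CreateMessage()

        If isRstr Then
            reply.Headers.Action = RstrIssueAction
        End If
        ' Otherwise the action is left untouched and WCF keeps rejecting the reply.
    End Sub

    ' True when the first body element is trust:RequestSecurityTokenResponse.
    Private Shared Function IsTrustResponseBody(probe As Message) As Boolean
        If probe.IsEmpty OrElse probe.IsFault Then Return False
        Using reader As XmlDictionaryReader = probe.GetReaderAtBodyContents()
            reader.MoveToContent()
            Return reader.NamespaceURI = TrustNs AndAlso
                   reader.LocalName = "RequestSecurityTokenResponse"
        End Using
    End Function

    Public Function BeforeSendRequest(ByRef request As Message, channel As IClientChannel) As Object _
        Implements IClientMessageInspector.BeforeSendRequest
        Return Nothing
    End Function
End Class
```

Register it from ApplyClientBehavior in place of ChangeReplyActionMessageInspector; the endpoint behavior and the IssuerChannelBehaviors wiring stay the same.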
