建立SecurityContext="False" 和negotiationServiceCredential="False" 的安全含义是什么
[英]What are the security implications of establishSecurityContext="False" and negotiateServiceCredential="False"
问题描述
We've set establishSecurityContext="False" and negotiateServiceCredential="False" on a wsHttpBinding .
我们已经在wsHttpBinding上设置了establishSecurityContext="False"和negotiateServiceCredential="False" 。 In a setup where every single web service call involves connecting and disconnecting, this reduces the number of requests per web service call from 5 to 1, providing a significant performance improvement.在每个 Web 服务调用都涉及连接和断开连接的设置中,这将每个 Web 服务调用的请求数从 5 减少到 1,从而显着提高了性能。
The client has been configured to know the server identity via the identity node:客户端已配置为通过身份节点了解服务器身份:
<endpoint address="..." behaviorConfiguration="..." binding="wsHttpBinding" bindingConfiguration="..." contract="..." name="...">
<identity>
<certificate encodedValue="..." />
</identity>
</endpoint>
What are the security implications of these settings?这些设置的安全含义是什么? Do they reduce security in any way?它们是否会以任何方式降低安全性?
2 个解决方案
解决方案1
1 2018-11-02 16:28:05
The scenario described doesn't actually change the security of a connection established between the client and the server.所描述的场景实际上并没有改变在客户端和服务器之间建立的连接的安全性。 It merely changes how the security is specified and how the credential is specified.它仅更改指定安全性的方式以及指定凭证的方式。
establishSecurityContext is a higher-level mechanism that facilitates specifying a security context using a token, rather than specifying the lower-level details directly. establishSecurityContext安全上下文是一种更高级别的机制,它有助于使用令牌指定安全上下文,而不是直接指定较低级别的详细信息。
negotiateServiceCredential specifies whether the credential to be used may be negotiated as opposed to specified explicitly. negotiateServiceCredential凭证指定要使用的凭证是否可以协商而不是明确指定。
The overall framework documentation for this is here .这方面的整体框架文档在这里。
In a setting where a client makes and disposes connections for every call and where it is known that client and server can meet the specified requirements (ie, there is no need for negotiation), the settings described by the OP are a reasonable way to reduce the overhead to establish a connection without changing the security policies that actually get applied to the connections.在客户端为每次调用建立和处理连接并且知道客户端和服务器可以满足指定要求(即不需要协商)的设置中,OP 描述的设置是减少在不更改实际应用于连接的安全策略的情况下建立连接的开销。
解决方案2
0 2018-11-01 09:32:12
NegotiateServiceCredential, true if service credential is obtained through a process of negotiation; NegotiateServiceCredential,如果通过协商获得服务凭证,则为真; otherwise, false.否则为假。 The default is true.默认值为真。
https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.messagesecurityoverhttp.negotiateservicecredential?redirectedfrom=MSDN&view=netframework-4.7.2#System_ServiceModel_MessageSecurityOverHttp_NegotiateServiceCredential https://docs.microsoft.com/en-us/dotnet/api/system.servicemodel.messagesecurityoverhttp.negotiateservicecredential?redirectedfrom=MSDN&view=netframework-4.7.2#System_ServiceModel_MessageSecurityOverHttp_NegotiateServiceCredential
EstablishSecurityContext.建立安全上下文。 True: If a secure conversation is established using SecurityContextToken. True:如果使用 SecurityContextToken 建立安全对话。 otherwise, false, the default is false.否则为 false,默认为 false。
https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/aa715023(v=msdn.10) https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-2.0/aa715023(v=msdn.10)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.