WCF服务中的自定义证书验证
[英]Custom certificate validation in WCF service
问题描述
I want to check client certificates in my WCF service. 
我想在我的WCF服务中检查客户端证书。
My goal is to allow only clients with certificates with specific thumbprints to be able to communicate with my service. 我的目标是只允许具有特定指纹证书的客户能够与我的服务进行通信。
My WCF service is hosted in IIS, I'm using basicHttpBinding and security mode="transport" with credential type "Certificate". 我的WCF服务托管在IIS中,我使用basicHttpBinding和安全模式=“transport”,凭据类型为“Certificate”。 IIS requires client certificates for communication with the service. IIS需要客户端证书才能与服务进行通信。
Thanks in advance for help. 在此先感谢您的帮助。
UPDATE: My configuration: 更新:我的配置:
<basicHttpBinding>
<binding
name="testBinding"
maxReceivedMessageSize="2147483647">
<readerQuotas
maxDepth="2147483647"
maxStringContentLength="2147483647"
maxArrayLength="2147483647"
maxBytesPerRead="2147483647"
maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="Certificate"/>
</security>
</binding>
</basicHttpBinding>
Behavior: 行为:
<serviceBehaviors>
<behavior name="SomeServiceBehavior">
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="Custom" customCertificateValidatorType="SomeService.CustomCertificateValidator,SomeService" />
</clientCertificate>
</serviceCredentials>
</behavior>
</serviceBehaviors>
Service configuration: 服务配置:
<service
behaviorConfiguration="SomeServiceBehavior"
name="SomeService">
<endpoint
address=""
binding="basicHttpBinding"
bindingConfiguration="testBinding"
contract="ISomeService">
</endpoint>
</service>
And for test purpose I implemented validator in this way: 为了测试目的,我以这种方式实现了验证器:
public class CustomCertificateValidator : X509CertificateValidator
{
public override void Validate(System.Security.Cryptography.X509Certificates.X509Certificate2 certificate)
{
throw new SecurityTokenValidationException("TEST Certificate was not issued by a trusted issuer TEST");
}
}
And this doesn't work. 这不起作用。 I can connect to my service with any valid certificate. 我可以使用任何有效证书连接到我的服务。
3 个解决方案
解决方案1
14 已采纳 2009-10-13 12:51:24
You can create a class derived from X509CertificateValidator and use it to do custom validation of the incoming certificate. 您可以创建一个派生自X509CertificateValidator的类,并使用它来对传入证书进行自定义验证。 Throw an SecurityTokenValidationException if you want to fail validation for some reason. 如果由于某种原因想要验证失败,则抛出SecurityTokenValidationException。
Set the certificateValidationMode to Custom and specify your validator in the clientCertificate service behavior section of the config file. 将certificateValidationMode设置为Custom,并在配置文件的clientCertificate服务行为部分中指定验证器。
How to: Create a Service that Employs a Custom Certificate Validator 如何:创建使用自定义证书验证程序的服务
解决方案2
7 2010-01-28 13:48:06
I do NOT think there is anyway to have 'Custom Certificate Validation' with 'Transport Security'. 我认为无论如何都没有“自定义证书验证”和“运输安全”。 It only works with 'Message Security'. 它只适用于'Message Security'。
解决方案3
1 2010-09-13 15:25:10
YES, you can use basicHttpBinding with security set to Transport and you need to hook to the ServiceHost creation in IIS - see Custom Service Host . 是的,您可以将basicHttpBinding与安全性设置为Transport,并且您需要挂钩到IIS中的ServiceHost创建 - 请参阅自定义服务主机 。 You should be able to validate thumbprint values, certificates or any other data if you create custom config section to define list of validation criteria. 如果您创建自定义配置部分以定义验证标准列表,则应该能够验证指纹值,证书或任何其他数据。
Sample code for the implementation of all of the above is available in the code download from this CodeProject artticle . 在本CodeProject文章的代码下载中提供了实现上述所有内容的示例代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.