仅带有服务证书的WCF消息安全性
[英]WCF Message Security With Service Certificate Only
问题描述
I'm new to WCF, and wanted to know if it is possible to do Message Security, where I use a x.509 certificate for the service only, and for client security do windows credentials, is this acceptable, does it work? 
我是WCF的新手,我想知道是否可以执行Message Security,在其中我仅将x.509证书用于服务,而对于客户端安全,Windows凭据是否可以使用Windows凭据,这行得通吗? Tried searching the web, but either no discuss on this approach exists, or I have put the wrong wording in my google search, any help is much appreciated, thank you all. 尝试在网络上搜索,但是或者没有关于这种方法的讨论,或者我在Google搜索中使用了错误的措词,非常感谢您的帮助,谢谢大家。
basically, I'd have this in my binding: 基本上,我将在绑定中包含以下内容:
<wsHttpBinding>
<binding name="msgBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
and on my behavior: 和我的行为:
<behavior name="wsHttpCertificateBehavior">
...
<serviceCredentials>
<serviceCertificate findValue="MyCert" x509FindType="FindBySubjectName" storeLocation="CurrentUser" storeName="My" />
</serviceCredentials>
</behavior>
2 个解决方案
解决方案1
1 已采纳 2010-07-13 01:02:53
Why are you trying to do this? 你为什么要这样做? What are your security requirements? 您的安全要求是什么?
Are you trying to use a Service Cert to secure the message transfer and then use windows security for the client for authentication and authorization? 您是否要使用服务证书来保护消息传输,然后将Windows安全性用于客户端以进行身份验证和授权?
Windows security only works if you are on the same domain or have some sort of federated security set up. Windows安全性仅在您位于同一域或设置了某种联合安全性时才有效。 If you are on the same domain just use windows security for both. 如果您在同一个域中,请对两者都使用Windows安全性。 If you are not on the same domain then you can't use windows credentials for the client because the server will have no way of validating them. 如果您不在同一域中,则不能为客户端使用Windows凭据,因为服务器将无法验证它们。 You would either have to use a client certificate that was issued by the certificate authority on your service side or use custom credentials. 您要么必须使用由服务方的证书颁发机构颁发的客户端证书,要么使用自定义凭据。
If however you are on the same domain but still require a service side cert then you have to specify the serviceCertificate in the service's config file and define an endpoint address with HTTPS, that is if you are hosting as a stand alone service. 但是,如果您在同一个域上,但仍需要服务端证书,则必须在服务的配置文件中指定serviceCertificate并使用HTTPS定义终结点地址,也就是说,如果您作为独立服务托管。 If you are hosting in IIS then you define the certifice in the IIS website's setup. 如果您托管在IIS中,则可以在IIS网站的设置中定义证书。
You may find this useful Application Deployment Scenarios 您可能会发现此有用的应用程序部署方案
解决方案2
0 2010-07-16 04:26:15
Hey thank you for your help Mogounus. 嘿,谢谢您对Mogounus的帮助。 My problem is quite complicated, but in short, my requirements are to use certs on the server side, after doing some more research i think i figured it out now. 我的问题很复杂,但是总之,我的要求是在服务器端使用证书,在进行了更多研究之后,我认为我现在已经知道了。 So if I understand it correctly, when using certs on both client/server with message security, the client would sign the message with its private key, then attach its pub key, and encrypt with the server's pub key, only the server would be able to decrypt and thus get the signed message along with the pub key of the client to verify the signed data. 因此,如果我理解正确,则在具有消息安全性的两个客户端/服务器上都使用证书时,客户端将使用其私钥对消息签名,然后附加其发布密钥,并使用服务器的发布密钥进行加密,只有该服务器才能解密并因此获得签名的消息以及客户端的pub密钥,以验证签名的数据。
In my case, I had it working, I just needed to verify that the service was using the right stuff to sign/encrypt, but this doesn't seem possible since by the time the message is packaged up, it is already encrypted and i can't see the content. 以我为例,它已经正常工作了,我只需要验证服务是否使用了正确的东西进行签名/加密,但这似乎是不可能的,因为在邮件打包时,它已经被加密,并且看不到内容。
Another problem I realized while searching for this answer is, not all my clients will be in same domain, so will have to either use user/pwd or certs on the client side. 我在搜索此答案时意识到的另一个问题是,并非我的所有客户端都在同一个域中,因此必须在客户端使用user / pwd或certs。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.