具有用戶名安全性的WCF服務不起作用

Question

我之前創建了很少的wcf服務，但從未實現安全性。 現在，我正在嘗試為我的wcf服務實現用戶名安全性。 經過研究，使用wsHttpBinding在服務上實現了安全性。 但是，當我嘗試使用SOAPUI工具測試服務時，我收到一些奇怪的消息，並且找不到錯誤所在。 請幫助我在這里找到問題所在。

這是我的驗證課程。

namespace WDARProductsService
{
    public class MyAuthentication : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrWhiteSpace(userName))
                throw new SecurityTokenException("userName required");

            if (string.IsNullOrWhiteSpace(password))
                throw new SecurityTokenException("password required");

            if (userName.ToLower() != "someusername" && password != "somepassword")
                throw new FaultException("userName and/or password is invalid.");
        }
    }
}

這是我的wcf配置。

 <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="svcbhvr1">
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WDARProductsService.MyAuthentication, WDARProductsService"/>
            <serviceCertificate findValue="WDARProdService"
                          storeLocation="LocalMachine"
                          storeName="Root"
                          x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wshbinding">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="WDARProductsService.ProductService" behaviorConfiguration="svcbhvr1">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wshbinding" contract="WDARProductsService.IProductService" ></endpoint>
      </service>
    </services>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

這是我從SOAPUI發送的SOAP消息。

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-38DE8B83BF5FAA37EE13984444482027">
        <wsse:Username>someusername</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">somepassword</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">vkis9SvbH3lnvdNWR/L5nA==</wsse:Nonce>
        <wsu:Created>2014-04-25T16:47:28.202Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <tem:GetProducts>
    </tem:GetProducts>
  </soap:Body>
</soap:Envelope>

這是服務器的響應。

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
   </s:Header>
   <s:Body>
      <s:Fault>
         <s:Code>
            <s:Value>s:Sender</s:Value>
            <s:Subcode>
               <s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>
            </s:Subcode>
         </s:Code>
         <s:Reason>
            <s:Text xml:lang="en-US">The message could not be processed. This is most likely because the action 'http://tempuri.org/IProductService/GetProducts' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.</s:Text>
         </s:Reason>
      </s:Fault>
   </s:Body>
</s:Envelope>

誰能幫我找出問題所在。 謝謝大家。

Answer 1

默認情況下，將“安全性”設置為“消息”的WsHttpBinding將啟用安全性上下文：請參閱： http : //msdn.microsoft.com/zh-cn/library/system.servicemodel.wshttpsecurity.message.aspx

因此，在發送包含用戶名令牌的消息之前。 您需要建立安全的對話。 我不知道SoapUI是否支持它，但是您可以在其中找到一些提示： SoapUI中的WCF wsHttpBinding

如果您不想使用安全對話，則將EstablishmentSecurityContext設置為false。 如果打算在生產中使用它，請考慮使用TransportWithMessageCredential來使用SSL加密消息。