[英]WCF Security Authentication with https and validation
我嘗試了解WCF中的身份驗證如何工作。 有一個https端點的自托管服務,該服務綁定到我的證書之一。 一切正常時
security mode="None"
那么即使在不同的機器上也可以正常工作。 同樣的情況
mode="Transport" and <transport clientCredentialType="None"/>
。 當我嘗試通過UserName添加驗證時,它可以正常運行,但僅在localhost上運行,當托管在其他計算機上時,我會收到錯誤消息:
“收到了來自另一方的不安全或不正確安全的錯誤...”
為什么它不能與UserName密碼驗證一起使用?
EDIT2:我發現以下異常在服務器上引發並被捕獲(但僅在不同機器上):“安全時間戳無效,因為其創建時間('2014-11-29T01:30:48.824Z')在當前時間為“ 2014-11-28T14:51:52.704Z”,允許的時鍾偏斜為“ 00:05:00”。” 我不知道創建時間在哪里,但是肯定不是從另一台計算機上進行的。 怎么了?
第二個問題是關於證書的。 托管https並將地址綁定到證書時,是否應將此證書以受信任的方式安裝在客戶端計算機上? (我用netsh綁定了它)如果沒有以下代碼,我將無法連接到wcf服務:
System.Net.ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) => true);
是否在客戶端進行證書驗證? 它檢查它是否存在以及是否由受信任的發行者發行?
編輯:附加問題:當我嘗試使用瀏覽器輸入服務安全的端點時,它說此連接不安全,不是受信任的來源等。在我的服務計算機上,我已將證書綁定到https,並且該證書是MyCertificate,由“ CertificateIssuer”頒發”。 現在,我將發布者證書安裝到Service and Client計算機中-我的意思是將“ CertificateIssuer”放入“受信任的根證書頒發機構”,當我從同一台計算機進入時,仍然是不受信任的事件。我應該如何配置它為受信任的?
服務器配置:
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true"/>
</appSettings>
<system.web>
<compilation debug="true"/>
</system.web>
<!-- When deploying the service library project, the content of the config file must be added to the host's
app.config file. System.Configuration does not support config files for libraries. -->
<system.diagnostics>
<trace autoflush="true"/>
<sources>
<source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
<listeners>
<add name="sdt" type="System.Diagnostics.XmlWriterTraceListener" initializeData="SdrConfigExample.e2e"/>
</listeners>
</source>
</sources>
</system.diagnostics>
<system.serviceModel>
<services>
<service name="WcfService1.TestService" behaviorConfiguration="ServiceUsernameValidation">
<host>
<baseAddresses>
<add baseAddress="https://localhost:8734/Services/"/>
<add baseAddress="http://localhost:8735/Wsdl/"/>
</baseAddresses>
</host>
<!-- Service Endpoints -->
<!-- Unless fully qualified, address is relative to base address supplied above -->
<endpoint address="Test" binding="basicHttpBinding" contract="WcfService1.ITestService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
<!-- Metadata Endpoints -->
<!-- The Metadata Exchange endpoint is used by the service to describe itself to clients. -->
<!-- This endpoint does not use a secure binding and should be secured or removed before deployment -->
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<!-- To avoid disclosing metadata information,
set the values below to false before deployment -->
<serviceMetadata httpsGetEnabled="True"/>
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="False"/>
</behavior>
<behavior name="ServiceUsernameValidation">
<serviceMetadata httpsGetEnabled="True"/>
<serviceDebug includeExceptionDetailInFaults="False"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfSecurity.PasswordValidator,WcfSecurity"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding>
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName"/>
</security>
</binding>
</basicHttpBinding>
</bindings>
</system.serviceModel>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
</configuration>
客戶端配置:
<?xml version="1.0"?>
<configuration>
<system.diagnostics>
<trace autoflush="true"/>
<sources>
<source name="System.ServiceModel" switchValue="Information, ActivityTracing" propagateActivity="true">
<listeners>
<add name="sdt" type="System.Diagnostics.XmlWriterTraceListener" initializeData="SdrConfigExample.e2e"/>
</listeners>
</source>
</sources>
</system.diagnostics>
<startup>
<supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
</startup>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding_ITestService">
<security mode="TransportWithMessageCredential" >
</security>
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="https://175.28.233.153:8734/Services/Test" binding="basicHttpBinding"
bindingConfiguration="BasicHttpBinding_ITestService" contract="ServiceReference1.ITestService"
name="BasicHttpBinding_ITestService" />
</client>
</system.serviceModel>
</configuration>
服務器代碼:
ServiceHost host = new ServiceHost(typeof(TestService));
var uri = host.Description.Endpoints[0].Address.Uri;
var cert = FindCertificate("CN=MyCertificate");
if (!ReserveAddressForHttps(uri.Host, uri.Port, cert, 5000))
{
throw new Exception("Failed to assign service certificate into local interface.");
}
host.Open();
host.Description.Endpoints.ToList().ForEach(x => Console.WriteLine(x.Address));
Console.WriteLine();
Console.WriteLine("Service started...");
Console.ReadLine();
host.Close();
客戶代碼:
TestServiceClient client = new TestServiceClient();
client.ClientCredentials.UserName.UserName = "hej";//this is valid
client.ClientCredentials.UserName.Password = "hej";
System.Net.ServicePointManager.ServerCertificateValidationCallback =
((sender, certificate, chain, sslPolicyErrors) => true);
try
{
var result = client.GetData(123);
Console.WriteLine(result);
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
Console.ReadLine();
安全時間戳記的目的是防止出現“重播攻擊”
在您的情況下,創建日期(在客戶端上設置)比服務器上的日期晚了將近12個小時。 最明顯的解釋是其中一個時鍾設置不正確。
重播攻擊檢測可以被禁用 ,這不是安全隱患,因為無論如何必須簽署請求才能受益 。
關於證書,安裝過程記錄在TechNet上 -請注意,您可以查看證書是否已正確安裝:
如果要驗證已安裝證書,則可以加載證書管理單元,並且應該在“證書–當前用戶信任的根證書頒發機構-證書”下看到它。
一旦瀏覽器信任該證書,您的WCF客戶端也將信任該證書。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.