WCF/Geneva client binding for a webservice (RP) that requires a Security Context Token (SCT) issued by an STS according to WS-Trust/WS-SecureConversation


Question

Hi All,

I'm trying to set up a WCF client for a webservice (RP) that requires a SecurityContextToken that is issued by an STS within the service domain. If it's useful/necessary, I could also use the Geneva-SDK to implement the client.
The STS is using a (customized) username token for authentication, which includes username, password and an additional one-time-password.
From the webservice-documentation, I've an example for an RST against the STS:


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsa:Action
      soapenv:actor=""
      soapenv:mustUnderstand="0"
      xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing/">
      http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
    </wsa:Action>
    <wsse:Security
      soapenv:actor=""
      soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken xmlns:acme="http://www.acme.com/namespace">
        <wsse:Username>myuser</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypasswd</wsse:Password>
        <acme:OTP>12345678</acme:OTP>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <RequestSecurityToken xmlns="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</TokenType>
      <RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</RequestType>
    </RequestSecurityToken>
  </soapenv:Body>
</soapenv:Envelope>


And a call to the actual service, including the issued SCT:


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security
      soapenv:actor=""
      soapenv:mustUnderstand="1"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsc:SecurityContextToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <wsc:Identifier>acme:1234567abcde</wsc:Identifier>
      </wsc:SecurityContextToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <getSomeStuff xmlns="http://www.acme.com/namespace"/>
  </soapenv:Body>
</soapenv:Envelope>


Security is done on transport level (via HTTPS).
According to the webservice provider, all this adheres to the WS-Trust, WS-Security and WS-SecureConversation standards.
I've some experience with the WCF-examples for the "wsFederationHttpBinding", so I'd thought that it should be possible to implement a WCF-client for the above scenario, using (mainly) an appropriate binding for the actual service. That is, w/o manually doing the STS/RST/SCT stuff.
But I'm pretty lost on that. I've searched the web for the last day to find an example or something related to such a scenario, alas to no avail.
Using the "WsdlImporter"-tool on the WSDL of the webservice simply generates a custom binding with HTTPS-transport that has no relation to the STS or the SCT (and doesn't work, of course).

So, the question is quite general if someone has an idea how to implement a client for such a service, using WCF (or maybe Geneva SDK). Any information would be greatly appreciated.


Thanks & Ciao,

Markus
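The two-step exchange shown in the post above (an RST/SCT Issue request to the STS carrying the customised UsernameToken, then the service call carrying the issued SCT in its security header), as an added example that is not part of the original post and is not WCF or Geneva code. It works at the message level with the standard library only, so it shows exactly what a binding would have to emit and what the RP must check on arrival. Namespaces and element names are taken from the post's sample messages; the STS reply is a constructed sample, and the `send_to_sts`/`send_to_service` callables are hypothetical stand-ins for the HTTPS transport.

```python
"""WS-Trust SCT bootstrap at message level: RST -> RSTR -> service call with SCT.

Added example, not code from the post or from WCF/Geneva. Element names and
namespaces follow the post's sample messages (WS-Trust 2005/02,
WS-SecureConversation 2005/02). SAMPLE_RSTR is constructed, and the send_*
callables are hypothetical stand-ins for the HTTPS transport.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
ACME = "http://www.acme.com/namespace"  # service namespace from the post
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
SCT_TOKEN_TYPE = WSC + "/sct"

for _prefix, _uri in [("soapenv", SOAP), ("wsa", WSA), ("wsse", WSSE),
                      ("wst", WST), ("wsc", WSC), ("acme", ACME)]:
    ET.register_namespace(_prefix, _uri)


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def _envelope():
    """Empty SOAP envelope; Header is created before Body, as SOAP requires."""
    env = ET.Element(_tag(SOAP, "Envelope"))
    return env, ET.SubElement(env, _tag(SOAP, "Header")), ET.SubElement(env, _tag(SOAP, "Body"))


def build_rst(username, password, otp):
    """RST/SCT Issue request carrying the customised UsernameToken (user, password, OTP)."""
    env, hdr, body = _envelope()
    action = ET.SubElement(hdr, _tag(WSA, "Action"), {_tag(SOAP, "mustUnderstand"): "0"})
    action.text = WST + "/RST/SCT"
    sec = ET.SubElement(hdr, _tag(WSSE, "Security"), {_tag(SOAP, "mustUnderstand"): "1"})
    unt = ET.SubElement(sec, _tag(WSSE, "UsernameToken"))
    ET.SubElement(unt, _tag(WSSE, "Username")).text = username
    # PasswordText: the clear-text password is protected only by the HTTPS transport.
    ET.SubElement(unt, _tag(WSSE, "Password"), {"Type": PASSWORD_TEXT}).text = password
    ET.SubElement(unt, _tag(ACME, "OTP")).text = otp
    rst = ET.SubElement(body, _tag(WST, "RequestSecurityToken"))
    ET.SubElement(rst, _tag(WST, "TokenType")).text = SCT_TOKEN_TYPE
    ET.SubElement(rst, _tag(WST, "RequestType")).text = WST + "/Issue"
    return ET.tostring(env, encoding="unicode")


def parse_rstr(xml_text):
    """Return the SCT Identifier from an RSTR; reject replies without one or with the wrong type."""
    root = ET.fromstring(xml_text)
    rstr = root.find(".//" + _tag(WST, "RequestSecurityTokenResponse"))
    if rstr is None:
        raise ValueError("STS reply contains no RequestSecurityTokenResponse")
    token_type = rstr.findtext(_tag(WST, "TokenType"))
    if token_type is not None and token_type.strip() != SCT_TOKEN_TYPE:
        raise ValueError("unexpected TokenType %r" % token_type)
    ident = rstr.findtext("%s/%s/%s" % (_tag(WST, "RequestedSecurityToken"),
                                        _tag(WSC, "SecurityContextToken"),
                                        _tag(WSC, "Identifier")))
    if not ident or not ident.strip():
        raise ValueError("RSTR carries no SecurityContextToken/Identifier")
    return ident.strip()


def build_service_call(sct_identifier, operation="getSomeStuff"):
    """Service request: SCT in wsse:Security (mustUnderstand=1), operation element in the body."""
    env, hdr, body = _envelope()
    sec = ET.SubElement(hdr, _tag(WSSE, "Security"), {_tag(SOAP, "mustUnderstand"): "1"})
    sct = ET.SubElement(sec, _tag(WSC, "SecurityContextToken"))
    ET.SubElement(sct, _tag(WSC, "Identifier")).text = sct_identifier
    ET.SubElement(body, _tag(ACME, operation))
    return ET.tostring(env, encoding="unicode")


def sct_identifier_in(xml_text):
    """What the RP checks on arrival: the SCT Identifier in the security header, or None."""
    root = ET.fromstring(xml_text)
    return root.findtext(".//%s/%s/%s" % (_tag(WSSE, "Security"),
                                          _tag(WSC, "SecurityContextToken"),
                                          _tag(WSC, "Identifier")))


def run_exchange(send_to_sts, send_to_service, username, password, otp):
    """Bootstrap the secure conversation, then call the service with the issued SCT."""
    sct = parse_rstr(send_to_sts(build_rst(username, password, otp)))
    return send_to_service(build_service_call(sct))


# Constructed STS reply (not captured from any real STS), shaped to answer the post's RST.
SAMPLE_RSTR = """<soapenv:Envelope xmlns:soapenv="%s">
  <soapenv:Body>
    <wst:RequestSecurityTokenResponse xmlns:wst="%s" xmlns:wsc="%s">
      <wst:TokenType>%s</wst:TokenType>
      <wst:RequestedSecurityToken>
        <wsc:SecurityContextToken><wsc:Identifier>acme:1234567abcde</wsc:Identifier></wsc:SecurityContextToken>
      </wst:RequestedSecurityToken>
    </wst:RequestSecurityTokenResponse>
  </soapenv:Body>
</soapenv:Envelope>""" % (SOAP, WST, WSC, SCT_TOKEN_TYPE)

if __name__ == "__main__":
    # Stub transports: the "STS" returns the sample reply, the "service" echoes the SCT it received.
    print(run_exchange(lambda rst: SAMPLE_RSTR, sct_identifier_in, "myuser", "mypasswd", "12345678"))
```

Because the conversation in this setup is protected by HTTPS only, the SCT is a bare identifier with no key material: whoever holds the `wsc:Identifier` can present it, so `parse_rstr` refuses replies that do not carry one, and both legs of the exchange have to stay on the transport-secured channel.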

Recommended answer

Hello All,

WRT my prior post (which didn't have too much resonance so far :) ) I'm trying now to give some additional resp. more precise information to ask for your advice.
What I'm trying to do is to generate WCF client proxy code for a WS that uses a SecurityContextToken (SCT) according to the WS-Trust/WS-SecureConversation standards. The token is issued by a separate STS on the same domain.
AFAIK WCF supports the relevant standards (WS-Security, WS-Trust, WS-SecureConversation) so I'd thought that it should be possible to generate client code that (implicitly) handles the bootstrapping of the secure conversation (request the SCT from the STS etc.).

I've tried to feed the webservice-WSDL to the "svcutil"-tool, but it gives a warning for the part of the WSDL that IMHO is crucial to the SCT/STS/SecureConversation thing. Consequently, the generated client code/configuration has no relation to the SCT/STS.

Warning: The following Policy Assertions were not imported:
  XPath://wsdl:definitions[@targetNamespace='http://www.acme.com/namespace']/wsdl:binding[@name='TicketServiceBinding']
Assertions:
    <sp:SupportingTokens xmlns:sp='http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'>..</sp:SupportingTokens>


This is the WSDL for the WS ("TicketService"):

<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
	targetNamespace="http://www.acme.com/namespace"
	xmlns:acme="http://www.acme.com/namespace"
	xmlns:soapbind="http://schemas.xmlsoap.org/wsdl/soap/"
	xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
	xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
	xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
	xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">

	<!-- ================================================================================
	WS-Policy
	================================================================================ -->

	<wsp:Policy wsu:Id="TicketServiceSecurityPolicy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:TransportBinding>
					<wsp:Policy>
						<sp:TransportToken>
							<wsp:Policy>
								<sp:HttpsToken RequireClientCertificate="false"/>
							</wsp:Policy>
						</sp:TransportToken>
						<sp:Layout>
							<wsp:Policy>
								<sp:Strict/>
							</wsp:Policy>
						</sp:Layout>
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic128/>
							</wsp:Policy>
						</sp:AlgorithmSuite>
					</wsp:Policy>
				</sp:TransportBinding>
				<sp:SupportingTokens>
					<wsp:Policy>
						<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<sp:Issuer>
								<wsa:Address>
									https://www.acme.com/services/STS
								</wsa:Address>
							</sp:Issuer>
						</sp:SecureConversationToken>
					</wsp:Policy>
				</sp:SupportingTokens>
			</wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>

	<!-- ================================================================================
	WSDL-Types
	================================================================================ -->

	<!-- omitted types for the sake of brevity -->


	<!-- ================================================================================
	WSDL-Messages
	================================================================================ -->

	<wsdl:message name="getClientListRequest">
		<wsdl:part element="acme:getClientList" name="parameters"/>
	</wsdl:message>
	<wsdl:message name="getClientListResponse">
		<wsdl:part element="acme:getClientListResponse" name="parameters"/>
	</wsdl:message>
	<wsdl:message name="getTicketRequest">
		<wsdl:part element="acme:getTicket" name="parameters"/>
	</wsdl:message>
	<wsdl:message name="getTicketResponse">
		<wsdl:part element="acme:getTicketResponse" name="parameters"/>
	</wsdl:message>

	<!-- ================================================================================
	WSDL-PortType
	================================================================================ -->

	<wsdl:portType name="TicketServicePortType">
		<wsdl:operation name="getClientList" parameterOrder="parameters">
			<wsdl:input message="acme:getClientListRequest" name="getClientListRequest"/>
			<wsdl:output message="acme:getClientListResponse" name="getClientListResponse"/>
		</wsdl:operation>
		<wsdl:operation name="getTicket" parameterOrder="parameters">
			<wsdl:input message="acme:getTicketRequest" name="getTicketRequest"/>
			<wsdl:output message="acme:getTicketResponse" name="getTicketResponse"/>
		</wsdl:operation>
	</wsdl:portType>

	<!-- ================================================================================
	WSDL-Binding
	================================================================================ -->

	<wsdl:binding name="TicketServiceBinding" type="acme:TicketServicePortType">
		<soapbind:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
		<wsp:PolicyReference URI="#TicketServiceSecurityPolicy"/>
		<wsdl:operation name="getClientList">
			<soapbind:operation soapAction="urn:getClientList" style="document"/>
			<wsdl:input name="getClientListRequest">
				<soapbind:body use="literal"/>
			</wsdl:input>
			<wsdl:output name="getClientListResponse">
				<soapbind:body use="literal"/>
			</wsdl:output>
		</wsdl:operation>
		<wsdl:operation name="getTicket">
			<soapbind:operation soapAction="urn:getTicket" style="document"/>
			<wsdl:input name="getTicketRequest">
				<soapbind:body use="literal"/>
			</wsdl:input>
			<wsdl:output name="getTicketResponse">
				<soapbind:body use="literal"/>
			</wsdl:output>
		</wsdl:operation>
	</wsdl:binding>

	<!-- ================================================================================
	WSDL-Service
	================================================================================ -->

	<wsdl:service name="AcmeTicketService">
		<wsdl:port binding="acme:TicketServiceBinding" name="TicketService">
			<soapbind:address location="https://www.acme.com/services/TicketService"/>
		</wsdl:port>
	</wsdl:service>

</wsdl:definitions>


Security is done on transport-level (via HTTPS).
There is a separate WSDL for the STS, but AFAICS it only describes the RST/RSTR mechanism for the SCT.
I'm not sure how the service is implemented, but I'm quite sure that it's based on some Java-Framework.
Could this be a (possibly known) interoperability problem WRT WS-SecureConversation, a version-conflict or something alike?
Or doesn't WCF support this kind of service (SecureConversation with an SCT that is issued by a separate STS)?


Thanks & Ciao,

Markus
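The `sp:SupportingTokens` assertion is the part svcutil reports as "not imported" in the post above, so the generated configuration never learns that an SCT from a separate STS is required. As an added example (not the post's code, not svcutil or WCF), the script below resolves the binding's `wsp:PolicyReference` to the `wsp:Policy` with the matching `wsu:Id` and extracts what a hand-built binding would need: the transport token, the client-certificate requirement, the `sp:IncludeToken` mode and the STS address from `sp:Issuer/wsa:Address`. It also runs a few defender-side checks on the result. The WSDL it parses is a trimmed copy of the one in the post, embedded so the script runs offline.

```python
"""Resolve a WSDL binding's wsp:PolicyReference and summarise its security policy.

Added example, not code from the post or from svcutil/WCF. SAMPLE_WSDL is a
trimmed copy of the post's WSDL (policy, binding and PolicyReference only).
"""
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")


def _tag(ns, local):
    return "{%s}%s" % (ns, local)


def resolve_policy(root, ref_uri):
    """Follow a document-local (#fragment) PolicyReference to the wsp:Policy with that wsu:Id."""
    if not ref_uri.startswith("#"):
        raise ValueError("only document-local PolicyReference URIs are handled: %r" % ref_uri)
    for pol in root.iter(_tag(WSP, "Policy")):
        if pol.get(_tag(WSU, "Id")) == ref_uri[1:]:
            return pol
    raise LookupError("no wsp:Policy with wsu:Id=%r" % ref_uri[1:])


def summarize_binding_policy(wsdl_text, binding_name):
    """Return the security requirements attached to one wsdl:binding as a plain dict."""
    root = ET.fromstring(wsdl_text)
    binding = next((b for b in root.iter(_tag(WSDL, "binding")) if b.get("name") == binding_name), None)
    if binding is None:
        raise LookupError("no wsdl:binding named %r" % binding_name)
    ref = binding.find(_tag(WSP, "PolicyReference"))
    if ref is None:
        return {"has_policy": False}
    policy = resolve_policy(root, ref.get("URI"))
    transport = policy.find(".//" + _tag(SP, "TransportBinding"))
    https = transport.find(".//" + _tag(SP, "HttpsToken")) if transport is not None else None
    supporting = policy.find(".//" + _tag(SP, "SupportingTokens"))
    sct = supporting.find(".//" + _tag(SP, "SecureConversationToken")) if supporting is not None else None
    issuer = sct.findtext("%s/%s" % (_tag(SP, "Issuer"), _tag(WSA, "Address"))) if sct is not None else None
    return {
        "has_policy": True,
        "transport_https": https is not None,
        "client_cert_required": https is not None and https.get("RequireClientCertificate") == "true",
        "sct_required": sct is not None,
        "sct_include_token": sct.get(_tag(SP, "IncludeToken")) if sct is not None else None,
        "sts_address": issuer.strip() if issuer else None,
    }


def policy_findings(summary):
    """Defender's checks: in this policy the SCT is a bare Identifier protected only by HTTPS."""
    findings = []
    if not summary.get("transport_https"):
        findings.append("service does not require HTTPS; the SCT identifier would be sent in clear")
    if summary.get("sct_required") and not summary.get("sts_address"):
        findings.append("SecureConversationToken has no sp:Issuer address; the client cannot locate the STS")
    sts = summary.get("sts_address")
    if sts and not sts.lower().startswith("https://"):
        findings.append("STS address is not HTTPS; the UsernameToken/OTP and the SCT would travel unprotected")
    return findings


# Trimmed copy of the post's WSDL: the policy, the binding and its PolicyReference.
SAMPLE_WSDL = """<wsdl:definitions targetNamespace="http://www.acme.com/namespace"
  xmlns:acme="http://www.acme.com/namespace"
  xmlns:soapbind="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
  xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:Policy wsu:Id="TicketServiceSecurityPolicy">
    <wsp:ExactlyOne><wsp:All>
      <sp:TransportBinding><wsp:Policy>
        <sp:TransportToken><wsp:Policy><sp:HttpsToken RequireClientCertificate="false"/></wsp:Policy></sp:TransportToken>
      </wsp:Policy></sp:TransportBinding>
      <sp:SupportingTokens><wsp:Policy>
        <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
          <sp:Issuer><wsa:Address>https://www.acme.com/services/STS</wsa:Address></sp:Issuer>
        </sp:SecureConversationToken>
      </wsp:Policy></sp:SupportingTokens>
    </wsp:All></wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:binding name="TicketServiceBinding" type="acme:TicketServicePortType">
    <soapbind:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsp:PolicyReference URI="#TicketServiceSecurityPolicy"/>
  </wsdl:binding>
</wsdl:definitions>"""

if __name__ == "__main__":
    summary = summarize_binding_policy(SAMPLE_WSDL, "TicketServiceBinding")
    print(summary)
    print(policy_findings(summary) or "no findings")
```

The summary is what you would feed into a hand-built binding (HTTPS transport, no client certificate, SCT always sent to the recipient, STS at the `sp:Issuer` address); the findings flag the cases where the transport-only protection of the identifier breaks down.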

