使用用户名通过 https 为 WS-Security 配置 WCF [英] Configure WCF for WS-Security with Username over https

问题描述

我正在尝试使用 WCF 客户端通过 https 调用基于 Java、启用 WS-Security 的 Web 服务，但似乎无法正确配置安全性.使用 SvcTraceViewer，我在尝试的任何安全配置中都没有看到预期的安全标头.

I'm trying to call a Java based, WS-Security enabled web service over https using a WCF client and can't seem to get the security configuration right. Using SvcTraceViewer, I don't see the expected security header with any of the security configurations I have tried.

我最近的安全配置是:

    <wsHttpBinding>
        <binding name="MySoapBinding" closeTimeout="00:01:00"
            openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
            allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
            maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
            messageEncoding="Text" textEncoding="utf-8"
            useDefaultWebProxy="true">
            <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                maxBytesPerRead="4096" maxNameTableCharCount="16384" />
          <security mode="TransportWithMessageCredential">
            <transport/>
            <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="false"/>
          </security>
        </binding>
    </wsHttpBinding>

我在代码中设置了用户名/密码，如下所示:

and I set the username/password in code like this:

    svc.ClientCredentials.UserName.UserName = TestBase.userName;
    svc.ClientCredentials.UserName.Password = TestBase.password;

Java Web 服务需要这样的安全标头:

The Java web service expects a security header like this:

<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-bf41c571-7d32-438c-937e-7d83a3ac2d14">
<wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
<wsu:Expires>2010-12-27T16:48:16Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-4c9b30b1-d697-4c64-89cb-a6d7e857aebf">
<wsse:Username>MyUserName</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MyPassword</wsse:Password>
<wsse:Nonce>pzLdD4S+OCDG6Ut9Ur1oOQ==</wsse:Nonce>
<wsu:Created>2010-12-27T16:43:16Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>

我根本看不到安全标头.

I see no Security header at all.

我在网上阅读了很多关于传输与消息级别安全性和安全模式的内容，但似乎找不到正确的选项集.我应该如何配置我的绑定

I have read quite a bit online about transport vs. message level security and security modes, but can't seem to find the right set of options. How should I configure my binding for

• https 通信
• SOAP 标头中的用户名/密码，纯文本 (WS-Security)
• 需要时间戳
• 需要随机数

推荐答案

原来 Rick Strahl 遇到了几乎完全相同的问题.事实证明，SvcTraceViewer不显示实际的在线消息.但是，他的博客概述了通过 Charles(或在我的情况下是免费的 Fiddler 2)代理以查看实际消息的过程.

Turns out Rick Strahl had almost exactly the same issue. It turns out that SvcTraceViewer does not show the actual on-the-wire message. However, his blog outlines a procedure to proxy through Charles (or in my case Fiddler 2, which is free) to see the actual message.

事实证明，我正在根据我正在调用的 Web 服务的要求发送时间戳元素，但是如果我这样做了，WCF 会要求响应中包含时间戳(我没有得到).错误消息非常具有误导性.幸运的是，我可以将服务更改为返回时间戳.

It turns out that I'm sending a Timestamp element as required by the web service I'm calling, but if I do, WCF demands a Timestamp in the response (which I'm not getting). The error message is quite misleading. Fortunately I can have the service changed to return a Timestamp.

http://www.west-wind.com/weblog/posts/205198.aspx

这篇关于使用用户名通过 https 为 WS-Security 配置 WCF的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！