How can I configure WCF to only sign the TimeStamp header


Question

I am trying to configure my WCF client to create a SOAP 1.1 request that includes WS-Addressing, WS-Security and TLS.

The security requirements are that the message includes a Username Token, TimeStamp and that the TimeStamp is signed using an included BinarySecurityToken.

I have used the example from the following link to create my WCF client binding. I have slightly modified the example (see below) so that HTTPS is used as the transport mechanism and the MessageSecurity is based on UsernameOverTransport.

        HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
        // the message security binding element will be configured to require 2 tokens:
        // 1) A username-password encrypted with the service token
        // 2) A client certificate used to sign the message

        // Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
        TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();

        // Create supporting token parameters for the client X509 certificate.
        X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
        // Specify that the supporting token is passed in the message sent by the client to the service
        clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
        // Turn off derived keys
        clientX509SupportingTokenParameters.RequireDerivedKeys = false;
        // Augment the binding element to require the client's X509 certificate as an endorsing token in the message
        messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);

        // Create a CustomBinding based on the constructed security binding element.
        return new CustomBinding(messageSecurity, httpsTransport);

The SOAP messages that are generated by this client are very close to meeting the requirements of the service I am calling; the only issue is that the wsa:To address is being signed as well as the TimeStamp address.

Is there a way to specify exactly which WCF headers are signed? I need to restrict the client to only sign the TimeStamp header.

Recommended answer

I know it's an old question but I've been asked about this a couple of times.

I managed to achieve this by specifying the messageVersion as Soap11 instead of Soap11WSAddressing10 and then manually adding the WS-Addressing headers afterwards, which avoided the need to manually implement the signing mechanism.
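
One way to wire up what the answer describes, as an added example that is not code from the original post. The class names `WsaHeaderInspector`, `WsaHeaderBehavior` and `TimestampOnlyBinding` are hypothetical, and the choice of `To` and `Action` as the headers to add is an assumption; a service may also require others such as `MessageID`.

```csharp
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.Text;

// Hypothetical inspector: writes wsa:To and wsa:Action as ordinary SOAP headers.
public class WsaHeaderInspector : IClientMessageInspector
{
    const string Wsa10 = "http://www.w3.org/2005/08/addressing";

    public object BeforeSendRequest(ref Message request, IClientChannel channel)
    {
        // With MessageVersion.Soap11 WCF emits no addressing headers of its own,
        // so these are plain application headers; per the answer they are then
        // left out of the endorsing signature, which still covers the Timestamp.
        request.Headers.Add(MessageHeader.CreateHeader("To", Wsa10, channel.RemoteAddress.Uri.AbsoluteUri));
        request.Headers.Add(MessageHeader.CreateHeader("Action", Wsa10, request.Headers.Action));
        return null; // no correlation state needed
    }

    public void AfterReceiveReply(ref Message reply, object correlationState) { }
}

// Hypothetical behavior that attaches the inspector to a client endpoint.
public class WsaHeaderBehavior : IEndpointBehavior
{
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime)
    {
        clientRuntime.MessageInspectors.Add(new WsaHeaderInspector());
    }
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}

public static class TimestampOnlyBinding
{
    // messageSecurity is the element built in the question (username token
    // over transport plus the endorsing X.509 supporting token).
    public static Binding Create(TransportSecurityBindingElement messageSecurity)
    {
        // Soap11 instead of Soap11WSAddressing10: SOAP 1.1, addressing "none".
        var encoding = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
        return new CustomBinding(messageSecurity, encoding, new HttpsTransportBindingElement());
    }
}
// Usage: client.Endpoint.Behaviors.Add(new WsaHeaderBehavior());
```

Capture one outgoing request and confirm that the `ds:Reference` elements inside `ds:SignedInfo` point only at the `wsu:Id` of the Timestamp before relying on this against the real service.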
