How can I control which elements are signed in a WCF SOAP request?

Problem description

I am creating a WCF client for a Java web service that is out of my control, and have run into a problem, in that the service returns an InvalidSecurity fault if the Timestamp header element is signed.

I am currently using the following SecurityBindingElement, but this automatically signs the Timestamp element. How can I stop this behaviour? More generally, how can I control which elements are signed and which aren't?

var version = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(version);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion = version;
sec.IncludeTimestamp = true;
sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;

Recommended answer

In general you can control which elements get signed by implementing a custom endpoint behavior and in AddBindingParameters() do something like this:

ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
requirements.IncomingSignatureParts...

However I don't see a way to remove an element in this api - only to add some. Maybe you can hack this with private reflection.

Also I'm not sure this will work for security. I think your only way is to either set "includeTimestamp" to false, in which case you will not send a timestamp to the client. If you must send a timestamp (unsigned) then still keep it false and create the timestamp yourself via a custom encoder. Should not be hard. Just watch out not to change anything else in the message if it is signed.
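
The endpoint-behavior approach from the answer, written out as an added example (not code from the original question or answer): it adds one header to the parts that must be signed in requests and prints the signed parts registered at that point. The class name `SignedPartsBehavior` and the header name and namespace are hypothetical placeholders.

```csharp
using System;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Xml;

// Hypothetical behavior; header name and namespace are constructed placeholders.
public class SignedPartsBehavior : IEndpointBehavior
{
    private static readonly XmlQualifiedName ExtraHeader =
        new XmlQualifiedName("CorrelationId", "urn:example:headers");

    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
        var requirements = bindingParameters.Find<ChannelProtectionRequirements>();
        if (requirements == null)
        {
            // Nothing registered yet: create the parameter so the security channel sees it.
            requirements = new ChannelProtectionRequirements();
            bindingParameters.Add(requirements);
        }

        // "Incoming" parts describe client-to-service messages, i.e. the requests a client sends.
        ScopedMessagePartSpecification signed = requirements.IncomingSignatureParts;

        // Require a signature over the extra header for every action.
        signed.AddParts(new MessagePartSpecification(ExtraHeader));

        // Print what is registered at this point: channel-wide parts, then per-action parts.
        Dump("*", signed.ChannelParts);
        foreach (string action in signed.Actions)
        {
            MessagePartSpecification parts;
            if (signed.TryGetParts(action, out parts)) Dump(action, parts);
        }
    }

    private static void Dump(string action, MessagePartSpecification parts)
    {
        Console.WriteLine("{0}: body signed = {1}", action, parts.IsBodyIncluded);
        foreach (XmlQualifiedName header in parts.HeaderTypes)
            Console.WriteLine("  signed header {0}", header);
    }

    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Attach it to the client endpoint with `factory.Endpoint.Behaviors.Add(new SignedPartsBehavior())` before the channel is created, where `factory` is your `ChannelFactory`.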
