SOAP WCF add Signature and BinarySecurityToken to header


Problem description


I need something more: the Signature must be within a Security tag inside the Header tag, with a BinarySecurityToken element.

Just like:

<soapenv:Header> <!-- extract of the example file -->
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-D53CCD6983E4CE0BD7142791021078262">
        MIIDbDgg4iF74cqiF6NcnzBnD9qA2MB6hSo38e0RISilEFSzWikDqBtOjgm7ux9fdeHojDm4uvhsSfbEyGmGTAQRzg9yIiD3ovjOzuZsf+I3HWS9F6xl6sb2+wvYXD4DFk/OD+N7UszGsoWFZg
    </wsse:BinarySecurityToken>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          .....
    </ds:Signature>
  </wsse:Security>
</soapenv:Header>

I can programmatically populate the XML element directly from the client cert like this:

// Load the client certificate and Base64-encode its public part (DER).
var cert = new X509Certificate2(ClientCertificateFilePath, ClientCertificatePassword);
var export = cert.Export(X509ContentType.Cert, ClientCertificatePassword);
var base64 = Convert.ToBase64String(export);

The question is how to add Signature and BinarySecurityToken to the header?

Solution

Manually coding a SOAP envelope to call the service might be a choice.
Here are some discussions about how to add SOAP headers.
What is the Java Apache CXF equivalent of C# WCF AddressHeader?
This is commonly because the web service on the server side is not WCF; therefore, we may not be able to call the service through WCF.
In my opinion, the above SOAP envelope format decides the channel shape of the binding used by WCF; this might be compatible with the WCF service which authenticates the client with a certificate.

BasicHttpBinding binding = new BasicHttpBinding();
binding.Security.Mode = BasicHttpSecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

When the server authenticates the client with a certificate, the client uses the same binding type and provides a certificate to the server, attaching the signature of the certificate in the SOAP envelope. Below is the HTTP traffic captured by Fiddler while communicating with the server side. Their SOAP envelopes are similar.

For more information about authenticating the client with a certificate, please refer to the links below.
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/message-security-with-a-certificate-client
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/transport-security-with-certificate-authentication
Feel free to let me know if there is anything I can help with.
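
The binding approach from the answer, as an added example that is not part of the original post: a client that hands WCF the client certificate so that WCF builds the `wsse:Security` header itself. `IOrderService`, `GetStatus`, the file name, the environment variable and the URL are hypothetical placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Hypothetical contract; in practice use the proxy interface generated from the service's WSDL.
[ServiceContract(Namespace = "http://example.test/orders")]
public interface IOrderService
{
    [OperationContract]
    string GetStatus(string orderId);
}

public static class SignedClient
{
    public static ChannelFactory<IOrderService> Create(X509Certificate2 cert, string url)
    {
        // Signing needs the private key. The public certificate alone (what
        // cert.Export(X509ContentType.Cert) returns) only fills BinarySecurityToken.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client certificate has no private key.");

        // Binding from the answer: TLS transport, certificate credential in the SOAP header.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;

        // This security mode only works over an https:// endpoint.
        var address = new EndpointAddress(url);
        if (address.Uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Endpoint must use https.", nameof(url));

        var factory = new ChannelFactory<IOrderService>(binding, address);
        factory.Credentials.ClientCertificate.Certificate = cert;
        return factory;
    }

    public static void Main()
    {
        // Placeholder file, password source and URL (constructed for this example).
        var cert = new X509Certificate2("client.pfx", Environment.GetEnvironmentVariable("PFX_PASSWORD"));
        var factory = Create(cert, "https://service.example.test/orders");
        var channel = factory.CreateChannel();
        try { Console.WriteLine(channel.GetStatus("42")); factory.Close(); }
        catch { factory.Abort(); throw; }
    }
}
```

Capture the request with a proxy such as Fiddler, as the answer does, to compare the emitted header with the one the service expects.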
