使用 WS-Security UsernameToken PasswordDigest 身份验证方案使用 Axis 2 Web 服务的 WCF 客户端出错 [英] Error in WCF client consuming Axis 2 web service with WS-Security UsernameToken PasswordDigest authentication scheme

问题描述

我有一个 WCF 客户端连接到基于 Java 的 Axis2 Web 服务(在我的控制范围之外).它即将应用 WS-Security，我需要修复 .NET 客户端.但是，我正在努力提供正确的身份验证.我知道 WSE 3.0 可能会让它变得更容易，但我不想恢复到过时的技术.

I have a WCF client connecting to a Java based Axis2 web service (outside my control). It is about to have WS-Security applied to it, and I need to fix the .NET client. However, I am struggling to provide the correct authentication. I am aware that WSE 3.0 might make it easier, but I would prefer not to revert to an obsolete technology.

类似问题(未解决)，包括this、this 和 这个.

Similar issues (unsolved), include this, this and this.

SOAP 消息应该如下所示:

The SOAP message should look like this:

<wsse:UsernameToken>
  <wsse:Username><!-- Removed--></wsse:Username> 
  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"><!-- Removed--></wsse:Password> 
  <wsse:Nonce><!-- Removed--></wsse:Nonce> 
  <wssu:Created>2010-05-28T12:50:33.675+01:00</wssu:Created> 
</wsse:UsernameToken>

但是，我的看起来像这样:

However, mine looks like this:

<s:Header>
<h:Security xmlns:h="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"></h:Security>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2010-06-23T10:31:23.441Z</u:Created>
<u:Expires>2010-06-23T10:36:23.441Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-d329b3b2-6a1f-4882-aea6-ec6b8a492de7-1">
<o:Username>
<!-- Removed-->
</o:Username>
<o:Password>
<!-- Removed-->
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>

我的客户是这样的:附言请注意必需 SecurityHeaderType 参数.那是什么?

My client looks like this: P.S. Note the required SecurityHeaderType param. What is that?

public MyAck SendRequest(MyRequest request)
{
 RemoteServicePortTypeClient client = new RemoteServicePortTypeClient();

 client.ClientCredentials.UserName.UserName = "JAY";
 client.ClientCredentials.UserName.Password = "AND";

    // what is the difference between the two different Credential types??
    //client.ClientCredentials.HttpDigest.ClientCredential.UserName = "SILENT";
    //client.ClientCredentials.HttpDigest.ClientCredential.Password = "BOB";

 SecurityHeaderType sht = new SecurityHeaderType();
 //sht.Any = ???; // How do I use this???
 //sht.AnyAttr = ???; // How do I use this ???

 // SecurityHeaderType is a required parameter
 return client.RemoteServiceOperation_Provider(sht, request);
}

当前绑定如下:

<basicHttpBinding>
    <binding name="CustomBinding">
        <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None"></transport>
            <message clientCredentialType="UserName" />
        </security>
    </binding>
</basicHttpBinding>

我也尝试过自定义绑定并遇到类似的错误:

I've also tried a custom binding and got a similar error:

<customBinding>
  <binding name="myCustomBindingConfig">
    <security authenticationMode="UserNameOverTransport"
      messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
      securityHeaderLayout="Strict"
      includeTimestamp="false"></security>
    <textMessageEncoding messageVersion="Soap11"></textMessageEncoding>
    <httpsTransport />
  </binding>
</customBinding>

和端点(地址明显改变了...):

And endpoint (Address obviously changed...):

<endpoint address="https://www.somecompany.com/uat/axis/services/RemoteServiceOperation_Provider"
      binding="basicHttpBinding" bindingConfiguration="CustomBinding"
      contract="RemoteService.RemoteServicePortType"
      name="RemoteService_UAT" />

返回的自定义故障如下:

The custom fault that is being returned is as follows:

<ErrorID>0</ErrorID>
<ErrorType>UNEXPECTED</ErrorType>
<ErrorDescription><![CDATA[Array index out of range: 0]]></ErrorDescription>
<TimeStamp>2010-06-23T13:28:54Z</TimeStamp>

我读了很多关于自定义标头、标记、绑定的文章，但我的大脑完全糊涂了.任何人都可以建议以正确格式发送消息的分步过程吗?

I've read lots about custom headers, tokens, bindings and my brain is completely confused. Can anyone suggest a step by step process for sending the message in the right format?

这似乎是这样使用自定义令牌转发 WCF，但是应该如何根据需要应用摘要和随机数?

This appears to be the way forward for WCF, using custom tokens, but how should one apply the digest and nonce as required?

欢迎任何帮助.

我取得了一些有限的成功.我使用 Microsoft.Web.Services3 库创建了一个具有正确摘要的 UsernameToken.然后，我创建了自己的自定义行为，并在 BeforeSendRequest 方法中执行了以下操作以注入标头:

I've had some limited success. I've used the Microsoft.Web.Services3 library to create a UsernameToken with the correct digest. I've then created my own custom behavior and in the BeforeSendRequest method I've done the following to inject the header:

object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
{
    UsernameToken ut = new UsernameToken("USERNAME", "PASSWORD", PasswordOption.SendHashed);

    XmlElement securityElement = ut.GetXml(new XmlDocument());

    MessageHeader myHeader = MessageHeader.CreateHeader("Security", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", securityElement, false);
    request.Headers.Add(myHeader);

    return Convert.DBNull;
}

我添加如下行为:

CustomBehavior behavior = new CustomBehavior("USERNAME", "PASSWORD");
client.Endpoint.Behaviors.Add(behavior);

我现在可以看到标题:

<s:Header>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken wsu:Id="SecurityToken-c6aeb72d-4d36-4650-abd3-33cc66caac6d" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:Username>
<!-- Removed-->
</wsse:Username>
<wsse:Password>
<!-- Removed-->
</wsse:Password>
<wsse:Nonce>
<!-- Removed-->
</wsse:Nonce>
<wsu:Created>2010-06-24T16:23:58Z</wsu:Created>
</wsse:UsernameToken>
</Security>
</s:Header>

但我收到错误:

<soapenv:Fault>
<faultcode xmlns="">soapenv:Server</faultcode>
<faultstring xmlns="">WSDoAllReceiver: security processing failed; nested exception is: 
    org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: USERNAME)</faultstring>
<faultactor xmlns="">urn:Remote_Provider</faultactor>
<detail xmlns="">
<CUSTOMError xmlns="urn:customerror:v01">
<ErrorID>0</ErrorID>
<ErrorType>UNEXPECTED</ErrorType>
<ErrorDescription><![CDATA[WSDoAllReceiver: security processing failed; nested exception is: 
    org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: Callback supplied no password for: USERNAME)]]></ErrorDescription>
<TimeStamp>2010-06-24T17:23:59Z</TimeStamp>
</CUSTOMError>
</detail>
</soapenv:Fault>

密码节点上似乎缺少 Type 属性:

There appears to be a missing Type attribute on the password node:

Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

但是，我不确定安全跟踪和日志记录设置是否全面删除了这些节点的属性和内容.我尝试在诊断日志中使用 logKnownPii 设置，但安全信息仍然模糊不清.对此有什么想法吗?

However, I'm not sure if the security tracing and logging settings are blanket removing the attributes and content of those nodes. I've attempted to use the logKnownPii setting in the diagnostics logging, but the security information remains obscured. Any ideas on that one?

推荐答案

我可以确认我的问题中的 UPDATE 确实有效:

I can confirm that the UPDATE from my question actually works:

object IClientMessageInspector.BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
{
    UsernameToken ut = new UsernameToken("USERNAME", "PASSWORD", PasswordOption.SendHashed);

    XmlElement securityElement = ut.GetXml(new XmlDocument());

    MessageHeader myHeader = MessageHeader.CreateHeader("Security", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", securityElement, false);
    request.Headers.Add(myHeader);

    return Convert.DBNull;
}

和客户:

CustomBehavior behavior = new CustomBehavior("USERNAME", "PASSWORD");
client.Endpoint.Behaviors.Add(behavior);

错误消息无关.安全标头与一个非常简单的 basicHttpBinding 配合使用:

The error message was unrelated. The security header works with a very simple basicHttpBinding:

<basicHttpBinding>
  <binding name="BasicSOAPBinding">
      <security mode="Transport" />
  </binding>
</basicHttpBinding>

这篇关于使用 WS-Security UsernameToken PasswordDigest 身份验证方案使用 Axis 2 Web 服务的 WCF 客户端出错的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！