发送用户名和密码以明文形式的Web服务通过HTTP [英] Send username and password in clear text to web service over HTTP

问题描述

我有一个使用Web服务的一个VB.NET（2008）控制台应用程序。我最初开始写它使用旧的/遗产导入WSDL与WSDL.EXE的（pre-WCF）技术（或在Visual Studio添加Web服务），创建基于System.Web.Services类。 Protocols.SoapHttpClientProtocol。不过，我很快就意识到，这不是最好的方式做到这一点（感谢约翰·桑德斯'在我的previous问题的意见 - <一个href="http://stackoverflow.com/questions/16096947/how-to-get-serialized-xml-of-object-passed-to-web-service">How让传递到Web服务对象的序列化XML？）。

I have a VB.NET (2008) console application which consumes a web service. I originally started writing it using the old/legacy (pre-WCF) technology of importing the WSDL with WSDL.exe (or "Add Web Service" in Visual Studio), which creates classes based on System.Web.Services.Protocols.SoapHttpClientProtocol. However, I soon realized that this not the best way to do it (thanks to John Saunders' comments in my previous question -- How to get serialized XML of object passed to web service?).

所以，我有我的code转换过来，现在WCF（使用添加服务引用，创建基于System.ServiceModel.ClientBase类）;和它的作品或多或少相同，但有一个关键点：安全

So, I've got my code converted over to WCF now (using "Add Service Reference", which creates classes based on System.ServiceModel.ClientBase); and it works more or less the same, except for one key point: security.

我进食是用Java编写的Web服务;虽然我们俩（我，谁开发的Web服务队）工作，为同一家公司，我真的没有太多的控制权，他们是如何发布和公开的Web服务。他们的要求是，我通过用户名和放大器;密码（基本HTTP验证）通过HTTP的没有的HTTPS。我知道这不是最安全的方式做到这一点;但是这是一场战斗，我不能打现在。

The web service I am consuming was written in Java; and while we both (me, and the team who developed the web service) work for the same company, I don't really have much control over how they publish and expose the web service. Their requirement is that I pass the username & password (Basic HTTP authentication) over HTTP, not HTTPS. I know that's not the most secure way to do it; but that's a battle I can't fight right now.

这只是正常使用的老办法。但是，如果我尝试在App.config设置这个与WCF做到这一点：

This worked just fine using the old way. But if I try to do this with WCF by setting this in the app.config:

<security mode="Transport">
    <transport clientCredentialType="Basic" />
</security>

...和设置用户名和密码在code是这样的：

... and setting username and password in code like this:

oServiceClient.ClientCredentials.UserName.UserName = "SomeUsername"
oServiceClient.ClientCredentials.UserName.Password = "SomePassword"

我有这个异常客气地扔给我：

I have this exception politely thrown at me:

System.ArgumentException: The provided URI scheme 'http' is invalid; expected 'https'. Parameter name: via

所以，吸;和搜索计算器和其他网站不转了多少在游览这在.NET 3.5的方式。我发现，我想可能是有前途（的http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html);但是，它看起来像这样的解决方案，需要对配置的变化的两个的服务端和客户端。而作为previously提到的，我没有在这个服务器端的任何控制权。

So that sucks; and searching StackOverflow and other sites does not turn up much in the way of getting around this in .NET 3.5. I found thing which I thought might be promising (http://webservices20.blogspot.com/2008/11/introducing-wcf-clearusernamebinding.html); however, it looks like this solution requires config changes on both the service side and the client side. And as previously mentioned, I don't have any control over the server side of this.

有没有办法使用一个基于WCF的客户端来完成这项工作？或者，我需要放弃，回到老路上？

Is there any way to accomplish this using a WCF-based client? Or do I need to give up and go back to the old way?

编辑：我似乎有这个一定的成功：

I seem to be having some success with this:

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Basic" />
    <message clientCredentialType="UserName" />
</security>

但这种安全模式（TransportCredentialOnly）似乎并不在微软的帮助文章/教程引用。难道我吠叫右树？

But this security mode (TransportCredentialOnly) doesn't seem to be referenced in the Microsoft help articles / tutorials. Am I barking up the right tree?

推荐答案

该解决方案，在我的情况下，竟然是设置安全模式TransportCredentialOnly，像这样的：

The solution, in my case, turned out to be setting security mode to "TransportCredentialOnly", like this:

<security mode="TransportCredentialOnly">
    <transport clientCredentialType="Basic" proxyCredentialType="None"
        realm="" />
    <message clientCredentialType="UserName" algorithmSuite="Default" />
</security>

感谢evgenyl用于提示我打开了我的研究，以其他安全方式;但最后，这是TransportCredentialOnly，而不是消息，这并获得成功。

Credit to evgenyl for prompting me to open up my research to other security modes; but in the end, it was "TransportCredentialOnly" rather than "Message" which did the trick.

这篇关于发送用户名和密码以明文形式的Web服务通过HTTP的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！