Validating a SWT Token REST WCF Service


Problem description


I'm currently working on a WPF client, which obtains a SWT token from Windows Azure AppFabric ACS. With this token I want to consume a RESTful WCF Service. I used this tutorial to obtain the SWT token and it works perfectly. With the help of this MSDN tutorial I created the RESTful WCF service.

The problem is that the token may have the wrong format, because the token validator can't validate it (Error in the IsHMACValid method of the token validator, swtWithSignatur.Length == 1).

Example of a token with which I contact the server:

{"appliesTo":"http://localhost:7100/Service/Default.aspx","context":null,"created":1326996221,"expires":1326999821,"securityToken":"&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-16&quot;?>&lt;wsse:BinarySecurityToken wsu:Id=&quot;uuid:74ba5667-04ea-4074-9544-aaafb570c648&quot; ValueType=&quot;http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0&quot; EncodingType=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary&quot; xmlns:wsu=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd&quot; xmlns:wsse=&quot;http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd&quot;>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&lt;/wsse:BinarySecurityToken>","tokenType":"http://schemas.xmlsoap.org/ws/2009/11/swt-token-profile-1.0"}

In the Windows Azure Management Portal I've selected SWT as token format for my Relying Party Application. According to the first tutorial the format for the SWT token looks good, but the token validator won't accept it.

PS: If someone is trying the second tutorial (How To: Authenticate to a REST WCF Service Deployed to Windows Azure Using ACS): I think there is an error in point 11 in step 3, where you have to modify the web.config file (the system/webService section doesn't exist). The configuration should look something like this:

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="SWTModule" type="SecurityModule.SWTModule, SecurityModule" />
    </modules>
  </system.webServer>
</configuration>

Solution

The token, which I sent to the server, had the wrong format. The above token is in a JSON format and contains a 'securityToken', which is encoded XML. With HttpUtility.UrlDecode and XMLReader it is possible to retrieve the base64 string. The base64 string of the above token is:


I decoded this string and got my ACS token. This ACS token is now valid and my RESTful WCF service can be used.

Code on the server side didn't change. This is what I've got on the client side:

using System.IO;
using System.Net;
using System.Web;   // HttpUtility (needs a reference to System.Web)
using System.Xml;

// parse the token from the JSON string
var token = JsonNotifyRequestSecurityTokenResponse.FromJson(txtReceivedToken.Text);
// get the security token and decode it
string xmlString = HttpUtility.UrlDecode(token.SecurityTokenString);
// get the base64 string
string string64 = "";
using (XmlReader xmlReader = XmlReader.Create(new StringReader(xmlString))) {
  while (xmlReader.Read()) {
    if (xmlReader.NodeType == XmlNodeType.Text) { // find the first text node, which should be the base64 string
      string64 = xmlReader.Value;
      break;
    }
  }
}
// decode it (base64Decode is the helper method mentioned below)
string acsToken = base64Decode(string64);

// set the header and call the service; dispose the client, stream and reader when done
string response;
using (WebClient client = new WebClient()) {
  string headerValue = string.Format("WRAP access_token=\"{0}\"", acsToken);
  client.Headers.Add("Authorization", headerValue);
  using (Stream stream = client.OpenRead(@"http://127.0.0.1:81/Service1.svc/users"))
  using (StreamReader reader = new StreamReader(stream)) {
    response = reader.ReadToEnd();
  }
}

The base64Decode method I 'stole' from http://www.vbforums.com/showthread.php?t=287324. The JsonNotifyRequestSecurityTokenResponse.FromJson part I got from http://www.leastprivilege.com/ , but I think it could be parsed with any available JSON parser.

I don't know if it is the best solution, but it works for me.
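
The Length == 1 failure described in the question comes from the validator splitting the token on its signature marker. The sketch below is an added example, not code from the post or from the MSDN tutorial: it checks a raw SWT's HMAC-SHA256 signature, expiry and audience, and shows that the JSON envelope is rejected at the split. The names SwtCheck and Reject are hypothetical, and the key and tokens are constructed for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SwtCheck
{
    const string Marker = "&HMACSHA256=";
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    // Returns null when the token is accepted, otherwise the reason for rejecting it.
    public static string Reject(string swt, byte[] key, string audience, DateTime utcNow)
    {
        // A raw SWT is "name=value&...&HMACSHA256=<signature>": exactly two parts.
        string[] parts = swt.Split(new[] { Marker }, StringSplitOptions.None);
        if (parts.Length != 2) return "not a raw SWT: found " + parts.Length + " part(s)";
        byte[] expected, presented;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0]));
        try { presented = Convert.FromBase64String(Uri.UnescapeDataString(parts[1])); }
        catch (FormatException) { return "signature is not base64"; }
        // Compare every byte so timing does not reveal how much of the signature matched.
        int diff = expected.Length ^ presented.Length;
        for (int i = 0; i < expected.Length && i < presented.Length; i++)
            diff |= expected[i] ^ presented[i];
        if (diff != 0) return "signature mismatch";
        // Claims are read only after the signature has been verified.
        var claims = parts[0].Split('&').Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2)
            .ToDictionary(kv => kv[0], kv => Uri.UnescapeDataString(kv[1]));
        long secs; string value;
        if (!claims.TryGetValue("ExpiresOn", out value) || !long.TryParse(value, out secs)) return "no ExpiresOn";
        if (Epoch.AddSeconds(secs) <= utcNow) return "expired";
        if (!claims.TryGetValue("Audience", out value) || value != audience) return "wrong audience";
        return null;
    }

    static void Main()
    {
        byte[] key = Encoding.ASCII.GetBytes("constructed-demo-key");  // constructed, not a real ACS key
        string aud = "http://localhost:7100/Service/Default.aspx";
        string body = "Audience=" + Uri.EscapeDataString(aud) + "&ExpiresOn=4102444800";  // constructed claims
        string sig;
        using (var h = new HMACSHA256(key))
            sig = Uri.EscapeDataString(Convert.ToBase64String(h.ComputeHash(Encoding.ASCII.GetBytes(body))));
        string wrapped = "{\"securityToken\":\"(encoded XML)\",\"tokenType\":\"...\"}";  // constructed stand-in for the JSON envelope
        Console.WriteLine("raw:     " + (Reject(body + Marker + sig, key, aud, DateTime.UtcNow) ?? "accepted"));
        Console.WriteLine("wrapped: " + (Reject(wrapped, key, aud, DateTime.UtcNow) ?? "accepted"));
    }
}
```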
