从WCF创建WS-Security头删除时间戳元素 [英] Remove timestamp element from ws-security headers created by WCF

问题描述

我消费从WCF要求的形式请求一个老的Java Web服务：

I am consuming an old Java web service from WCF that requires the request in the form:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Header>
        <wsse:Security mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss- wssecurity-secext-1.0.xsd">
            <wsse:UsernameToken wsu:Id="xxx" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ssecurity-utility-1.0.xsd">
                <wsse:Username>username</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        ...
    </s:Body>
</s:Envelope>

使用以下配置黑客作品，但我不希望在配置暴露出的用户名和密码

Using the following config hack "works" but I don't want the username and password exposed in config:

<binding name="bindingName">
      <security mode="Transport">
        <transport clientCredentialType="Certificate" />
      </security>
</binding>
...
<endpoint address="https://endpoint address"
      binding="basicHttpBinding" bindingConfiguration="bindingName"
      contract="contract"
      name="bindingName">

    <headers>
        <wsse:Security mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss- wssecurity-secext-1.0.xsd">
            <wsse:UsernameToken wsu:Id="UsernameToken-8293453" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ssecurity-utility-1.0.xsd">
                <wsse:Username>username</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </headers>
</endpoint>

我想用什么线沿线的东西：

What I want to use is something along the lines of:

<binding name="bindingName">
    <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Certificate" />
        <message clientCredentialType="UserName" />
    </security>
</binding>

但这种生成时间戳元素中安全元素，这在java web服务borks上。

But this generates the timestamp element in the security element, which the java webservice borks on.

我需要做的是去除它生成的XML的时间戳或有某种自定义绑定做了什么我。

What I need to do is remove the timestamp from the XML it generates or have some sort of custom binding to do it for me.

我试图创建自定义的凭据，但是这不仅改变了的UsernameToken 元素。

I tried creating custom credentials, but this only changed the usernameToken element.

我已经看了很多很多的SO问题（许多来自2007及更早版本），包括没有快乐如下：

I have already looked at many, many SO questions (many from 2007 and earlier) including the following with no joy:

• 从安全删除Timestamp元素


• 如何使WCF客户端符合特定的WS-Security

• Remove Timestamp element from Security
• How to make WCF Client conform to specific WS-Security

什么是去除时间戳元素的最好，最简单，最优雅的方式。

What is the best, simplest and most elegant way to remove the timestamp element.

在此先感谢

推荐答案

上找到的克里斯蒂安·克里斯滕森的博客文章对他在整合到Java AXIS 1.X和WSS4J Web服务。困境。 。比我黑客先前试图所以更简单，更容易

Found the answer on Kristian Kristensen's blog post about his woes in integrating to a Java AXIS 1.X and WSS4J web service.. So much simpler and easier than the hacks I was trying previously.

您可以用一个简单的自定义如此在App.config中绑定解决这个问题：

You can solve this with a simple custom binding in App.config as so:

修正 - 没有在以前的版本中的错误 - 忘记在httpTransport

BUGFIX - there is a bug in previous version - forgot to add certificate in httpTransport

<system.serviceModel>
    <bindings>
        <customBinding>
            <binding name="CustomBindingName">
                <security authenticationMode="UserNameOverTransport" includeTimestamp="false">
                    <secureConversationBootstrap />
                </security>
                <textMessageEncoding messageVersion="Soap11" />
                <httpsTransport useDefaultWebProxy="false" requireClientCertificate="true" />
            </binding>
        </customBinding>
    </bindings>

    <client>
        <endpoint address="<endpoint address>" 
            binding="customBinding"
            bindingConfiguration="CustomBindingName"
            contract="<contract goes here>"
            name="EndpointName" />

    </client>
</system.serviceModel>

这给了没有，仅仅通过调用这个迷惑的Java服务器的时间戳正确的SOAP WS-Security头代码

This gives the correct SOAP ws-security header without the timestamp that confused the java server just by calling this code

var client = new [clientType]();

client.ClientCredentials.ClientCertificate.Certificate = [certificate];

client.ClientCredentials.UserName.UserName = [UserName];
client.ClientCredentials.UserName.Password = [Password];

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;

// TODO wrap in try catch
client.Open();

var result = client.[action](new [RequestType] { ... });

延伸阅读：

Further Reading:

• 链接来源来回答 - 谢尔-SverreJerijærvi的博客


• 在那里我找到了答案实际 - 的克里斯蒂安·克里斯滕森的博客

• Source of links to answer - Kjell-Sverre Jerijærvi's blog
• Where I found the actual answer - Kristian Kristensen's blog

这篇关于从WCF创建WS-Security头删除时间戳元素的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！