WCF client for consuming ASMX service with WS-Security


Problem description

I have a ASMX web service (SOAP 1.1) that requires to sign all SOAP requests with certificate (private key) using WS-Security.

When the ASMX service receives the request, it will authenticate it using the public key of the certificate. After the operation is done, the response sent back to the client will not be signed!

This is a security requirement...

I've created the proxy via 'Add Service Reference' and the client's app.config:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint
        name="endpoint1"
        address="http://1.1.1.1/Test.asmx"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_ITest"
        behaviorConfiguration="TestBehavior"
        contract="ITest" >
      </endpoint>
    </client>

    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ITest">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="TestBehavior">
          <clientCredentials>
            <clientCertificate storeLocation="LocalMachine" storeName="My" 
                               x509FindType="FindByThumbprint" findValue="xxxxxxxxxxxxxxx" />

          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

Given the scenario I described:

  1. Am I using the correct binding?
  2. Should the clientCredentialType value be 'Certificate' or 'None'?
  3. Is the 'serviceCertificate' tag needed?
  4. What is the correct configuration for my scenario?

If you know some useful links that could be suitable for my scenario, please supply them.

Thanks in advance :)

EDIT #1:

Request:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header>   
        <wsa:Action wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">XXXXXXXXXXX</wsa:Action>
        <wsa:MessageID wsu:Id="Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">YYYYYYYYYY</wsa:MessageID>
        <wsa:ReplyTo wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
            <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
        </wsa:ReplyTo>
        <wsa:To wsu:Id="Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
            <wsa:Address>http://.../TestOperation</wsa:Address>
        </wsa:To>
        <wsse:Security soap:mustUnderstand="1" >
            <wsu:Timestamp wsu:Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
                <wsu:Created wsu:Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">2002-08-22T00:26:15Z</wsu:Created>
                <wsu:Expires wsu:Id="Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">2002-08-22T00:31:15Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
                                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
                                      wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC...kE9</wsse:BinarySecurityToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" />
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <Reference URI="#Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>wRUq.........</DigestValue>
                    </Reference>
                    <Reference URI="#Id-3beeb885-12a4-4b65-b14c-0tmj6ad21855">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>8gIo.........</DigestValue>
                    </Reference>
                    <Reference URI="#Id-10c46143-cb53-4a8e-9e83-ef374e40aa54">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>zx4h.........</DigestValue>
                    </Reference>
                    <Reference URI="#Id-17c40943-cs53-4a8e-9e83-ef374e40ab70">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>UjdN.........</DigestValue>
                    </Reference>
                    <Reference URI="#Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>34ff.........</DigestValue>
                    </Reference>
                    <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>ss67.........</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>tBSsaZi........</SignatureValue>
                <KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" 
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                    </wsse:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </wsse:Security>
    </soap:Header>
    <soap:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
        ...
    </soap:Body>
</soap:Envelope>

Response:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <soap:Header>
    <wsa:Action>http://.../TestOperationResponse</wsa:Action>
    <wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
    <wsa:RelatesTo>WWWWWWWWWW</wsa:RelatesTo>
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="Timestamp-c0kjk2d4-o83d-4fa5-abfa-bd485afdjj80">
        <wsu:Created>2002-08-22T00:26:15Z</wsu:Created>
        <wsu:Expires>2002-08-22T00:31:15Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <Response>
      ...
    </Response>
  </soap:Body>
</soap:Envelope>

EDIT #2:

Generated request:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <soap:Header>   
        <a:Action soap:mustUnderstand="1" u:Id="_2">XXXXXXXXXXX</a:Action>
        <a:MessageID u:Id="_3">YYYYYYYYYY</a:MessageID>
        <a:ReplyTo u:Id="_4">
            <a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
        </a:ReplyTo>
        <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uID...</VsDebuggerCausalityData>
        <a:To soap:mustUnderstand="1" u:Id="_5">
            <a:Address>http://1.1.1.1/Test.asmx</a:Address>
        </a:To>
        <o:Security soap:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
                <u:Created>2002-08-22T00:26:15Z</u:Created>
                <u:Expires>2002-08-22T00:31:15Z</u:Expires>
            </u:Timestamp>
            <o:BinarySecurityToken u:Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2"
                                   ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
                                   EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIICeDCC...kE9</o:BinarySecurityToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <Reference URI="#_1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>wRUq.........</DigestValue>
                    </Reference>
                    <Reference URI="#_2">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>8gIo.........</DigestValue>
                    </Reference>
                    <Reference URI="#_3">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>zx4h.........</DigestValue>
                    </Reference>
                    <Reference URI="#_4">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>UjdN.........</DigestValue>
                    </Reference>
                    <Reference URI="#_5">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>34ff.........</DigestValue>
                    </Reference>
                    <Reference URI="#uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <DigestValue>ss67.........</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>tBSsaZi........</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference URI="#uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" 
                                        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </soap:Header>
    <soap:Body u:Id="_1">
        ...
    </soap:Body>
</soap:Envelope>

The problems with this request are:

  1. Id format: Id="Id-3beeb885-16a4-4b65-b14c-0cfe6ad26800" (asmx proxy) VS Id="_2" (WCF proxy)
  2. 'VsDebuggerCausalityData' tag presence. How do I get rid of it?
  3. Timestamp Id format: Id="Timestamp-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" (asmx proxy) VS Id="uuid-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685-1" (WCF proxy)
  4. 'Created' and 'Expires' tags in Timestamp don't have an Id attribute.
  5. BinarySecurityToken Id format: Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" (asmx proxy) VS Id="uuid-e00c8062-83d2-4f04-88fc-996218e7bb3d-2" (WCF proxy)


The fault I get when I make a call to the ASMX service:

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
  <soap:Header>
    <wsa:Action>http://schemas.xmlsoap.org/ws/2004/08/addressing/fault</wsa:Action>
    <wsa:MessageID>YYYYYYYYYY</wsa:MessageID>
    <wsa:To>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:To>
  </soap:Header>
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>
          System.Web.Services.Protocols.SoapHeaderException: Server unavailable, please try later ---> System.ApplicationException: WSE842: The service pipeline could not be created. ---> System.ApplicationException: WSE2012: X509TokenProvider is unable to provide an X.509 token. There are multiple certificates store that match the find value of 'xxx'.
          at Microsoft.Web.Services3.Design.X509TokenProvider.CreateToken(StoreLocation location, StoreName storeName, String findValue, X509FindType findType)
          at Microsoft.Web.Services3.Design.X509TokenProvider.GetToken()
          at Microsoft.Web.Services3.Design.MutualCertificate10Assertion.ServiceInputFilter..ctor(MutualCertificate10Assertion assertion)
          at Microsoft.Web.Services3.Design.MutualCertificate11Assertion.CreateServiceInputFilter(FilterCreationContext context)
          at Microsoft.Web.Services3.Design.Policy.CreateServicePipeline(PipelineCreationContext context)
          at Microsoft.Web.Services3.PolicyAttribute.Microsoft.Web.Services3.IPipelineProvider.CreateServicePipeline(PipelineCreationContext context)
          at Microsoft.Web.Services3.Pipeline.TryCreate(Type type, Boolean forClient)
          at Microsoft.Web.Services3.WseProtocol.CreateProtocolPipeline()
          at Microsoft.Web.Services3.WseProtocol.RouteRequest(SoapServerMessage message)
          at System.Web.Services.Protocols.SoapServerProtocol.Initialize()
          at System.Web.Services.Protocols.ServerProtocolFactory.Create(Type type, HttpContext context, HttpRequest request, HttpResponse response, Boolean& abortProcessing)
          --- End of inner exception stack trace ---
          --- End of inner exception stack trace ---
      </faultstring>
      <faultfactor>http://1.1.1.1/Test.asmx</faultfactor>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>

I assume the problem is at the server, because the 'xxx' findValue is associated with the server and not with my client certificate. How can I fix this?

Recommended answer

Try using this binding:

<customBinding>
  <binding name="NewBinding0">
    <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
    <security authenticationMode="MutualCertificate">
      <secureConversationBootstrap />
    </security>
    <httpTransport />
  </binding>
</customBinding>

You will need to define both client and server certificates on the WCF proxy; if you do not know the server cert, just define a dummy one. You also need to change the protection level for your proxy so that it does not encrypt the body:

[System.ServiceModel.ServiceContractAttribute(ConfigurationName="ServiceReference1.SimpleServiceSoap", ProtectionLevel=System.Net.Security.ProtectionLevel.Sign)]

This post summarises a few other issues you may encounter.
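Assembled here as an added example (not the answer's own configuration): a complete client app.config that ties the answer's customBinding to the question's endpoint and declares both certificates under clientCredentials, as the answer requires. The thumbprints are placeholders, and the includeTimestamp attribute and the serviceCertificate/defaultCertificate element are standard WCF configuration elements assumed here rather than taken from the post.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <client>
      <!-- Same endpoint as in the question, now bound to the answer's customBinding -->
      <endpoint name="endpoint1"
                address="http://1.1.1.1/Test.asmx"
                binding="customBinding"
                bindingConfiguration="NewBinding0"
                behaviorConfiguration="TestBehavior"
                contract="ITest" />
    </client>

    <bindings>
      <customBinding>
        <binding name="NewBinding0">
          <!-- SOAP 1.1 with WS-Addressing August 2004, matching the wsa: headers the ASMX/WSE3 proxy emits -->
          <textMessageEncoding messageVersion="Soap11WSAddressingAugust2004" />
          <!-- Sign with the client X.509 certificate; the wsu:Timestamp stays in the signed header set -->
          <security authenticationMode="MutualCertificate" includeTimestamp="true" />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>

    <behaviors>
      <endpointBehaviors>
        <behavior name="TestBehavior">
          <clientCredentials>
            <!-- Signing certificate (needs the private key); thumbprint is a placeholder -->
            <clientCertificate storeLocation="LocalMachine" storeName="My"
                               x509FindType="FindByThumbprint"
                               findValue="CLIENT_CERT_THUMBPRINT_PLACEHOLDER" />
            <!-- MutualCertificate mode needs a service certificate entry; the answer says a
                 dummy certificate is acceptable when the real service certificate is unknown -->
            <serviceCertificate>
              <defaultCertificate storeLocation="LocalMachine" storeName="My"
                                  x509FindType="FindByThumbprint"
                                  findValue="SERVICE_OR_DUMMY_CERT_THUMBPRINT_PLACEHOLDER" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The ProtectionLevel=Sign attribute from the answer still has to be applied to the generated service contract in code; configuration alone leaves MutualCertificate mode at its default of encrypting the body as well as signing it.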
