How to specify that the Timestamp that's part of WS-Security needs to be signed + fix error that client did not sign timestamp with id xxx?


Problem description

I have implemented a WSDL of an external service. They have the endpoint of this implementation and we need to configure our WCF configuration so that our WSDL ends up being like theirs so that that company is able to call our service and our WCF service knows what to do.

Their WSDL contains these signed elements:

<wsp:Policy wsu:Id="SecureMessagePolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts>
                <sp:Body/>
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
            <sp:SignedElements>
                <sp:XPath>/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Envelope']/*[namespace-uri()='http://schemas.xmlsoap.org/soap/envelope/' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
                <sp:XPath>/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Envelope']/*[namespace-uri()='http://www.w3.org/2003/05/soap-envelope' and local-name()='Header']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' and local-name()='Security']/*[namespace-uri()='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' and local-name()='Timestamp']</sp:XPath>
            </sp:SignedElements>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

The signing part of my WSDL looks like this:

<wsp:Policy wsu:Id="{{POLICE_NAME_REQUEST}}">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="{{POLICE_NAME_RESPONSE}}">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="{{POLICE_NAME_FAULT}}">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                <sp:Body/>
                <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

WCF generates these things for the request, response and fault. Their WSDL has it done for these 3 things just once. I don't think this really matters.

As you can see, our WSDL says that the same thing should be signed. (Body, To, From, FaultTo, ReplyTo, MessageID, RelatesTo, Action). EXCEPT SignedElements part which specifies that the TimeStamp should also be signed.

The Timestamp is part of the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd namespace (called wsu in their WSDL):

<wsu:Timestamp ... >
    <wsu:Created>2011-11-30T11:12:12.459Z</wsu:Created>
    <wsu:Expires>2011-12-01T11:12:12.459Z</wsu:Expires>
</wsu:Timestamp>

My binding now looks like this:

<binding>
      <MissingWSAddressingHeadersTextEncoding />
      <security
        authenticationMode="MutualCertificate"
        messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
        enableUnsecuredResponse="false"
        messageProtectionOrder="EncryptBeforeSign"
        includeTimestamp="true"
        defaultAlgorithmSuite="TripleDesRsa15"
        allowSerializedSigningTokenOnReply="false"/>
      <httpsTransport requireClientCertificate="true"/>
</binding>

MissingWSAddressingHeadersTextEncoding is a custom encoder that uses a TextMessageEncoder underwater.

How do I specify that my WSDL should also sign the Timestamp? I guess that if I return a response with an unsigned response, errors might occur.

Recommended answer

I found the answer.

Apparently, a timestamp is ALWAYS signed when signing is used (docs.microsoft), so I do not need to worry about signing the timestamp.

When I checked SOAP UI's response, I just got FailedAuthentication errors. I implemented [Recommended WCF logging] which told me that the timestamp was not signed by SOAP UI, which is weird because I did specify this in the WS outgoing config.

My fix was to use MutualCertificateDuplex. This did sign the Timestamp. I also put allowSerializedSigningTokenOnReply on true, although I don't think this matters.
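The diagnostic the answer got from WCF logging ("the timestamp was not signed by SOAP UI") comes down to one check on the receiving side: is the wsu:Id of the wsu:Timestamp among the ds:Reference URIs in the message's ds:Signature? The following is an added example, not code from the post or from WCF, that performs that coverage check for the parts the policy above lists (Body, the WS-Addressing headers, the Timestamp) and also validates the Created/Expires window. The SOAP envelope, its wsu:Id values and the SignatureValue are constructed for the example; the Timestamp values are the ones shown in the question. It only checks what the signature claims to cover, not the cryptographic validity of the signature, which would require the client's certificate.

```python
"""Check whether a WS-Security signed SOAP message covers the parts required
by the policy on this page (Body, listed WS-Addressing headers, wsu:Timestamp)
and whether the Timestamp is inside its validity window.  Coverage only: the
signature value itself is not verified here."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Headers listed under sp:SignedParts in the policy; a listed header must be
# signed whenever it is present in the message (absent headers are fine).
ADDRESSING_HEADERS = ["To", "From", "FaultTo", "ReplyTo", "MessageID", "RelatesTo", "Action"]

# Constructed sample (not a captured message): Body and addressing headers are
# referenced by the signature, but the Timestamp's wsu:Id "TS-1" is not.
SAMPLE_ENVELOPE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <s:Header>
    <wsa:Action wsu:Id="id-action">urn:example:Ping</wsa:Action>
    <wsa:MessageID wsu:Id="id-msgid">urn:uuid:constructed-0001</wsa:MessageID>
    <wsa:To wsu:Id="id-to">https://service.example.invalid/endpoint</wsa:To>
    <wsse:Security s:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2011-11-30T11:12:12.459Z</wsu:Created>
        <wsu:Expires>2011-12-01T11:12:12.459Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:Reference URI="#id-body"/>
          <ds:Reference URI="#id-action"/>
          <ds:Reference URI="#id-msgid"/>
          <ds:Reference URI="#id-to"/>
        </ds:SignedInfo>
        <ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </s:Header>
  <s:Body wsu:Id="id-body"><Ping xmlns="urn:example"/></s:Body>
</s:Envelope>"""


def parse_utc(text):
    """wsu:Created/Expires are xsd:dateTime values ending in 'Z'; fromisoformat wants +00:00."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def signature_coverage(root):
    """Set of wsu:Id values referenced by every ds:Signature in the Security header."""
    ids = set()
    for ref in root.findall("s:Header/wsse:Security/ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if uri.startswith("#"):
            ids.add(uri[1:])
    return ids


def check_signed_parts(xml_text, now=None, max_skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means every required part is
    covered and the Timestamp is currently valid."""
    root = ET.fromstring(xml_text)
    covered = signature_coverage(root)
    problems = []

    def require_signed(label, element):
        if element is None:
            return
        ident = element.get(WSU_ID)
        if ident is None or ident not in covered:
            problems.append("%s is not covered by the signature (wsu:Id=%s)" % (label, ident))

    require_signed("Body", root.find("s:Body", NS))
    for name in ADDRESSING_HEADERS:
        require_signed("Header " + name, root.find("s:Header/wsa:" + name, NS))

    ts = root.find("s:Header/wsse:Security/wsu:Timestamp", NS)
    if ts is None:
        problems.append("Timestamp is missing from the Security header")
        return problems
    require_signed("Timestamp", ts)

    # Freshness: reject messages created too far in the future or already expired.
    now = now or datetime.now(timezone.utc)
    created = parse_utc(ts.findtext("wsu:Created", namespaces=NS))
    expires = parse_utc(ts.findtext("wsu:Expires", namespaces=NS))
    if created - now > max_skew:
        problems.append("Timestamp Created is in the future")
    if now > expires:
        problems.append("Timestamp has expired")
    return problems


if __name__ == "__main__":
    for problem in check_signed_parts(SAMPLE_ENVELOPE, now=parse_utc("2011-11-30T12:00:00Z")):
        print("FailedAuthentication:", problem)
```

Run against the sample it reports only the Timestamp as uncovered, which is the condition behind the "client did not sign timestamp with id xxx" message; once a `<ds:Reference URI="#TS-1"/>` is present the check passes until the Expires instant. The ID-based matching is deliberate: a receiver should resolve references by wsu:Id and then confirm the resolved element is the Timestamp inside wsse:Security, which is what the XPath in the SignedElements policy pins down.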
