建立SecurityContext=“False"的安全含义是什么?和negotiationServiceCredential=“假" [英] What are the security implications of establishSecurityContext="False" and negotiateServiceCredential="False"
问题描述
我们在 wsHttpBinding 上设置了 establishSecurityContext="False" 和 negotiateServiceCredential="False".在每个网络服务调用都涉及连接和断开连接的设置中,这将每个网络服务调用的请求数从 5 个减少到 1 个,从而显着提高了性能.
We've set establishSecurityContext="False" and negotiateServiceCredential="False" on a wsHttpBinding. In a setup where every single web service call involves connecting and disconnecting, this reduces the number of requests per web service call from 5 to 1, providing a significant performance improvement.
客户端已配置为通过身份节点知道服务器身份:
The client has been configured to know the server identity via the identity node:
<endpoint address="..." behaviorConfiguration="..." binding="wsHttpBinding" bindingConfiguration="..." contract="..." name="...">
<identity>
<certificate encodedValue="..." />
</identity>
</endpoint>
这些设置的安全含义是什么?它们会以任何方式降低安全性吗?
What are the security implications of these settings? Do they reduce security in any way?
推荐答案
所描述的场景实际上并没有改变在客户端和服务器之间建立的连接的安全性.它仅更改指定安全性的方式以及指定凭证的方式.
The scenario described doesn't actually change the security of a connection established between the client and the server. It merely changes how the security is specified and how the credential is specified.
establishSecurityContext 是一种更高级别的机制,它有助于使用令牌指定安全上下文,而不是直接指定较低级别的详细信息.
establishSecurityContext is a higher-level mechanism that facilitates specifying a security context using a token, rather than specifying the lower-level details directly.
negotiateServiceCredential 指定要使用的凭据是否可以协商而不是明确指定.
negotiateServiceCredential specifies whether the credential to be used may be negotiated as opposed to specified explicitly.
关于此的整体框架文档是 此处.
The overall framework documentation for this is here.
在客户端为每次调用建立和处理连接并且知道客户端和服务器可以满足指定要求(即不需要协商)的设置中,OP 描述的设置是合理的在不更改实际应用于连接的安全策略的情况下减少建立连接的开销的方法.
In a setting where a client makes and disposes connections for every call and where it is known that client and server can meet the specified requirements (i.e., there is no need for negotiation), the settings described by the OP are a reasonable way to reduce the overhead to establish a connection without changing the security policies that actually get applied to the connections.
这篇关于建立SecurityContext=“False"的安全含义是什么?和negotiationServiceCredential=“假"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
