为什么 WCF wsHttpBinding Timestamp 是可选的? [英] Why is the WCF wsHttpBinding Timestamp optional?

问题描述

我们有一个使用 wsHttpBinding 的 WCF 服务.我生成的示例请求包含一个时间戳，WCF 为每个请求验证了该时间戳:

 <u:Created>2013-11-02T16:58:24.575Z</u:Created><u:Expires>2013-11-02T17:03:24.575Z</u:Expires></u:时间戳>

我们最近对该服务进行了渗透测试，测试人员注意到可以简单地省略时间戳元素，而无需它也可以接受请求.

我正在查看报告，我想为此添加一个解释.不幸的是，我进行了很好的搜索，但找不到任何解释它的资源，甚至没有提及它.

所以我的问题是:

1. 为什么这是可选的?
2. 如果有人问我，是否可以强制使用时间戳?

这是服务绑定配置:

 <binding name="usernameHttps" maxReceivedMessageSize="2147483647"><安全模式="TransportWithMessageCredential"><message clientCredentialType="UserName" createdSecurityContext="false"/></安全></binding></wsHttpBinding>

这是客户端绑定配置:

<绑定名称="WSHttpBinding_IService" maxReceivedMessageSize="2147483647"><安全模式="TransportWithMessageCredential"><transport clientCredentialType="None"/><message clientCredentialType="UserName" createdSecurityContext="false"/></安全></binding></wsHttpBinding>

解决方案

我得到了 MS 论坛对此的回答:

<块引用>

1. 为什么这是可选的?

时间戳是可选的，因为它是接收者必须对它，来自 MSDN http://msdn.microsoft.com/en-us/library/ms977327.aspx

" 通过知道创建和过期时间，接收者可以决定如果数据足够新以供其使用或数据已变得如此陈旧的消息应该被丢弃."

1. 如果有人问我，是否可以强制使用时间戳?

是的，如上所述，您的服务逻辑需要这样做，最简单的方法是在WCF处理管道中添加一个拦截器这将检查这个标题，如果没有找到它会抛出一个错误http://msdn.microsoft.com/en-us/magazine/cc163302.aspx

We have a WCF service that uses wsHttpBinding. The sample requests I generate include a timestamp which is validated by WCF for each request:

  <u:Timestamp u:Id="_0">
    <u:Created>2013-11-02T16:58:24.575Z</u:Created>
    <u:Expires>2013-11-02T17:03:24.575Z</u:Expires>
  </u:Timestamp>

We recently had the service pen-tested, and the tester noticed that it's possible to simply omit the timestamp element, and requests are accepted without it.

I'm reviewing the report, and I'd like to add an explanation for this. Unfortunately, I've had a good search and I can't find any resources which explain it, or even mention it.

So my questions are:

1. Why is this optional?
2. In case I'm asked, is it possible to make the timestamp mandatory?

This is the service binding config:

 <wsHttpBinding>
    <binding name="usernameHttps" maxReceivedMessageSize="2147483647">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" establishSecurityContext="false" />
      </security>
    </binding>
  </wsHttpBinding>

This is the client binding config:

<wsHttpBinding>
    <binding name="WSHttpBinding_IService" maxReceivedMessageSize="2147483647">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" establishSecurityContext="false" />
      </security>
    </binding>
  </wsHttpBinding>

解决方案

I got an answer to this from the MS forums:

1. Why is this optional?

Time stamp is option because it is reciver that has to take action on it , from MSDN http://msdn.microsoft.com/en-us/library/ms977327.aspx

" By knowing the creation and expiration time, a receiver can decide if the data is new enough for its own use or if the data has become so stale that the message should be discarded. "

1. In case I'm asked, is it possible to make the timestamp mandatory?

YES , as explained above it is your service logic that need to do that , easiest way is to add an interceptors in WCF processing pipeline that will check for this headers and if not found it throws an error http://msdn.microsoft.com/en-us/magazine/cc163302.aspx

这篇关于为什么 WCF wsHttpBinding Timestamp 是可选的?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！