为受 SSL 保护的 WSIT/Metro Web 服务和客户端设置身份验证 [英] Setting up authentication for SSL protected WSIT / Metro web service and client

问题描述

我对为受 SSL 保护的服务设置标准身份验证感到有些困惑.我尝试了 HTTP 标头方式，但这是非标准的，WS-I 对我来说很重要.可以在方法级别将 Authentication Token 设置为 Username.这是 WSIT XML 中的结果 BindingPolicy:

I'm kind of confused about setting up standard authentication for my SSL protected service. I have tried the HTTP header way, but that's non standard, and WS-I is important for me. It is possible to set up the Authentication Token to be Username on method level. This is the resulted BindingPolicy in the WSIT XML:

<wsp:Policy wsu:Id="DataStoreWSPortBindingPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <wsam:Addressing wsp:Optional="false"/>
            <sp:TransportBinding>
                <wsp:Policy>
                    <sp:TransportToken>
                        <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                        </wsp:Policy>
                    </sp:TransportToken>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:Basic128/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                </wsp:Policy>
            </sp:TransportBinding>
            <sp:Wss10/>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="DataStoreWSPortBinding_hello_Input_Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SupportingTokens>
                <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssUsernameToken10/>
                        </wsp:Policy>
                    </sp:UsernameToken>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

SvcUtil 警告:

<!--    WsdlImporter encountered unrecognized policy assertions in ServiceDescription 'http://webServices/':    -->
          <!--    <wsdl:binding name='DataStoreWSPortBinding'>    -->
          <!--        <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">..</sp:SupportingTokens>    -->

我想通过 ClientCredentials 在 WCF 客户端中设置凭据，然后通过数据库在服务端进行身份验证.实现这一目标的步骤是什么?

I want to set credentials in the WCF client via ClientCredentials and then authenticate on the service side via database. What are the steps to achieve that?

推荐答案

如果您想在传输级别使用标准方式，为什么不使用 HTTP 基本身份验证?这是 HTTP 协议的通用标准化身份验证机制，它也适用于 Web 服务.

If you want to have standard way on transport level why don't you use HTTP Basic authentication? That is the common standardized authentication mechanism for HTTP protocol and it works with web services as well.

你得到的错误很可能是因为 SupportingTokens 断言.即使是正确的断言 WCF 也不支持它.尝试使用 SignedSupportingTokens 或 SignedEncryptedSupportingTokens.如果您无法修改您的服务以生成此类 WSDL，您甚至可以尝试修改您手动获得的 WSDL.

The error you got is most probably because of SupportingTokens assertion. Even it is correct assertion WCF doesn't support it. Try to use SignedSupportingTokens or SignedEncryptedSupportingTokens. If you are not able to modify your service to produce such WSDL you can even try to modify the WSDL you got manually.

WS-I 是什么意思?有多种 WS-I 标准，其中一些标准根本不需要策略——只是简单的 SOAP 服务，其中标头直接在 WSDL 中描述.

What you meant by WS-I? There are multiple WS-I standards and some of them don't expect policies at all - just plain SOAP services where headers are described in WSDL directly.

这篇关于为受 SSL 保护的 WSIT/Metro Web 服务和客户端设置身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！