What are the impacts of setting establishSecurityContext="False" if I use https?


Question

My WCF service uses wsHttpBinding configured with:

<security mode="TransportWithMessageCredential">
    <message establishSecurityContext="True" clientCredentialType="UserName"/>
    <transport clientCredentialType="None" proxyCredentialType="None"/>
</security>

One of our partners is trying to invoke our services using the Java Metro library. They have this problem. I have to set establishSecurityContext="False" for this to work. We did a quick test and it works indeed when I set it to false.

What would be the impacts of not using secure sessions (by setting establishSecurityContext="False")? I'm already running on https. So will I be OK in terms of security? And are there other impacts to consider (performance maybe)?

Thanks

Recommended answer

The difference is that on a non-SCT (security context token) enabled endpoint, key exchange and validation must be done per call, as opposed to being done once and cached for the session with only a SCT passed around in the messages instead. SCTs are based on a symmetric key, which makes them much more efficient for signing/encrypting the message. The use of a SCT is very good when the client is expected to make many calls in succession because it alleviates the need to do the exchange and validation of a one-off key every time.

What I would recommend is that you just expose another endpoint for clients that don't support SCTs and tell them to use that. Clients that can use SCTs you keep pointed at the default endpoint and keep all the benefits that come with it.

For more on the subject, check out section three of the WS-SecureConversation documentation.
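
One way to lay out the two endpoints the answer recommends, as an added example that is not part of the original question or answer. The service name `Example.PartnerService`, the contract `Example.IPartnerService`, the binding names and the relative address `nosct` are hypothetical; both bindings keep the question's `TransportWithMessageCredential` mode, so both endpoints still require https.

```xml
<system.serviceModel>
  <bindings>
    <wsHttpBinding>
      <!-- Default binding: a security context token (SCT) is established once
           and reused for the session (WS-SecureConversation). -->
      <binding name="withSecureSession">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="true" clientCredentialType="UserName"/>
          <transport clientCredentialType="None" proxyCredentialType="None"/>
        </security>
      </binding>
      <!-- Interop binding for clients that cannot use SCTs: no secure session,
           so the UserName credential is sent and validated on every call. -->
      <binding name="withoutSecureSession">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false" clientCredentialType="UserName"/>
          <transport clientCredentialType="None" proxyCredentialType="None"/>
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <services>
    <!-- Hypothetical service and contract names. -->
    <service name="Example.PartnerService">
      <!-- SCT-capable clients stay on the default address. -->
      <endpoint address=""
                binding="wsHttpBinding"
                bindingConfiguration="withSecureSession"
                contract="Example.IPartnerService"/>
      <!-- Clients without SCT support are pointed at this address instead. -->
      <endpoint address="nosct"
                binding="wsHttpBinding"
                bindingConfiguration="withoutSecureSession"
                contract="Example.IPartnerService"/>
    </service>
  </services>
</system.serviceModel>
```

Because the credential is checked on each request at the second endpoint, the cost of the service's user name validation is paid per call there rather than once per session.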
