Invoking a web service with WS Security from .NET


Problem description


I need to consume a web service secured with WS-Security from ASP.NET.

I'm testing the service with SoapUI, being the envelope request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://aduana.gov.py/webservices">
   <soapenv:Header/>
   <soapenv:Body>
      <web:agregarGuia>
         <!--Optional:-->
         <guia>?</guia>
         <!--Optional:-->
         <autenticacion>
            <!--Optional:-->
            <codAduana>?</codAduana>
            <!--Optional:-->
            <firmaWSAA>?</firmaWSAA>
            <!--Optional:-->
            <idUsuario>?</idUsuario>
            <!--Optional:-->
            <ticketWSAA>?</ticketWSAA>
         </autenticacion>
      </web:agregarGuia>
   </soapenv:Body>
</soapenv:Envelope>

And the response I get is:

<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
   <env:Header/>
   <env:Body>
      <env:Fault>
         <faultcode>env:Server</faultcode>
         <faultstring>org.jboss.ws.core.CommonSOAPFaultException: This service requires &lt;wsse:Security>, which is missing.</faultstring>
      </env:Fault>
   </env:Body>
</env:Envelope>

So I contacted the service provider and they told me that the use of WS-Security is mandatory to invoke the service. Therefore, the SOAP message sent to the server must be digitally signed with my certificate.

The problem is I don't know how to do that. So far I added a Service Reference and I'm passing the mentioned certificate in code:

var srvRef = new DnaSoapClient(); 
srvRef.ClientCredentials.ClientCertificate.Certificate = theCert;
var response = srvRef.agregarManifiesto( dnaManifiesto );

I have googled around and some folks recommend WCF. I'm building an ASP.NET 4.5 application. What are my options with this scenario? I need to know how to sign the message using my certificate.

EDIT 1: I was able to advance the issue; now I can send the SOAP message signed with the certificate and I'm close to finishing my task. Now I fail in setting the correct elements in the Security tag. I edited the question to show both envelopes, the correct one and mine.

Correct: this is a sample envelope for a correct request

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B259DAB3D28E48CB6A140000796019094">[Base64-encoded X.509 certificate omitted]</wsse:BinarySecurityToken>
    <ds:Signature Id="SIG-96" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
        </ds:CanonicalizationMethod>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:SignatureMethod>
        <ds:Reference URI="#id-95" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
            </ds:Transform>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:DigestMethod>
          <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">whvAdAkypsWVXHXbIz/T54n0dBw=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>
        MdHy5mceNtQWUD5WmVOzZU8roxD3EQkQmcZA9LsfhBcp3cFAD3P1qJJ9EyrRFBs5yCiYDY716Wzh
        M+tFybt1+EujXZZ3ytk4XaahkexNAG51iup1wvw0Km+nsj4u/x8DzTA/J9EG3ZdTSUrIVBsFcEQa
        TF4BwUAgGBS87xqL5zc=
      </ds:SignatureValue>
      <ds:KeyInfo Id="KI-B259DAB3D28E48CB6A140000796019095">
        <wsse:SecurityTokenReference wsu:Id="STR-B259DAB3D28E48CB6A140000796019096" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference URI="#X509-B259DAB3D28E48CB6A140000796019094" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="TS-94">
      <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:06:00.188Z</wsu:Created>
      <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:07:00.188Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security>
</soapenv:Header>

Mine, this is not working

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPowmum40QT95GqsY7XPKT7LIAAAAAvMwgorinWU+AVOWH+3TPjP6NBU03AZtHqle8GLRYcYAACQAA</VsDebuggerCausalityData>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2014-05-15T21:30:20.723Z</u:Created>
        <u:Expires>2014-05-15T21:35:20.723Z</u:Expires>
      </u:Timestamp>
      <o:BinarySecurityToken u:Id="uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">[Base64-encoded X.509 certificate omitted]</o:BinarySecurityToken>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="#_0">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>pM8KraJSLZumo77gD9+JF2f8eBU=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>MZ9ZTKeGj5KNUEn4R6cQhRhOdK0frNK1O5KRGbM+YqfvzlVwVKQ6n7p9rncbtrdGsLg3CVwUVwB7PBF78tDx3p0LjF/Eg015t6qouSyK/92qL3oRz/8TbqLKpe/1uySdmGhrqPrVlTDF2rHuFGwmQVSILyUVLg/nW7K+EDwS/Lg=</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference URI="#uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header> 
</s:Envelope>
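
Resolving each ds:Reference URI against the wsu:Id attributes shows what an envelope actually signs: in the two envelopes above, "Mine" references #_0, which is the Timestamp, while the correct sample references #id-95, which matches none of the Ids in the header shown. The following C# program is an added example, not part of the original post; the class name SignatureCoverage and the trimmed sample envelope are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Xml.Linq;

static class SignatureCoverage
{
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";
    static readonly XNamespace Wsu =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed sample shaped like the "Mine" envelope; token and signature values are left out.
    const string Sample = @"<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'
  xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
 <s:Header>
  <o:Security xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
   <u:Timestamp u:Id='_0'><u:Created>2014-05-15T21:30:20.723Z</u:Created></u:Timestamp>
   <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
    <SignedInfo><Reference URI='#_0'/></SignedInfo>
   </Signature>
  </o:Security>
 </s:Header>
 <s:Body/>
</s:Envelope>";

    // Resolves every ds:Reference URI to the local name of the element carrying that wsu:Id.
    public static Dictionary<string, string> SignedElements(string envelopeXml)
    {
        XDocument doc = XDocument.Parse(envelopeXml);

        // Index all elements that declare a wsu:Id.
        var byId = new Dictionary<string, XElement>();
        foreach (XElement element in doc.Descendants())
        {
            XAttribute id = element.Attribute(Wsu + "Id");
            if (id != null) byId[id.Value] = element;
        }

        // wsse:Reference (inside KeyInfo) lives in another namespace and is not matched here.
        var covered = new Dictionary<string, string>();
        foreach (XElement reference in doc.Descendants(Ds + "Reference"))
        {
            string uri = (string)reference.Attribute("URI") ?? "";
            XElement target;
            covered[uri] = byId.TryGetValue(uri.TrimStart('#'), out target)
                ? target.Name.LocalName
                : "(no element with this wsu:Id)";
        }
        return covered;
    }

    static void Main()
    {
        Dictionary<string, string> covered = SignedElements(Sample);
        foreach (KeyValuePair<string, string> pair in covered)
            Console.WriteLine(pair.Key + " -> " + pair.Value);
        Console.WriteLine("Body signed: " + covered.ContainsValue("Body"));
    }
}
```

Running the same check over a request captured in Fiddler tells you whether the Body is among the signed parts before comparing anything else in the header.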

Solution

I managed to get this working, so I post the solution here for others. To summarize, the task at hand was to consume a web service written in Java with WS-Security features. Let me clarify that this should be an easy task if the web service developers consciously write a good WSDL and/or they are collaborative people. Unfortunately, they are neither. If you are in this case, you have to be armed with SoapUI and Fiddler to take on the service by yourself. The first thing is to use SoapUI to get the SOAP version that the service uses; that will define the type of binding you can use. In my case it was SOAP 1.1, which in combination with WS-Security forced me to use customBinding, because wsHttpBinding only supports SOAP 1.2 and basicBinding is not flexible enough to consume a WS-Security enabled service.
After sessions of trial and error and a lot of Fiddler to read the server responses, I finally came up with the following binding. All done by configuration, no code involved:

  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="MyBinding">
          <!-- SOAP 1.1 message encoding -->
          <textMessageEncoding messageVersion="Soap11"/>
          <!-- Message-level WS-Security with X.509 certificates on both sides -->
          <security authenticationMode="MutualCertificate" enableUnsecuredResponse="true" allowSerializedSigningTokenOnReply="true"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                    includeTimestamp="false">
          </security>
          <httpsTransport />
        </binding>
      </customBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="ClientCertificateBehavior">
          <clientCredentials>
            <!-- Certificate whose private key signs the request -->
            <clientCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
                               storeLocation="CurrentUser" storeName="My"
                               x509FindType="FindByThumbprint" />
            <serviceCertificate>
              <defaultCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
                                  storeLocation="CurrentUser" storeName="My"
                                  x509FindType="FindByThumbprint"/>
              <!-- None turns off validation of the service certificate -->
              <authentication certificateValidationMode="None" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="https://secure.aduana.gov.py/test/tere/serviciotere"
                binding="customBinding" bindingConfiguration="MyBinding"
                contract="serviciotereSoap" name="serviciotereSoap" behaviorConfiguration="ClientCertificateBehavior">
        <identity>
          <dns value="tere_test"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>

(Replace xx with your certificate's thumbprint hex values.) Resources that helped me sort out the different issues: this and here
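
The same binding can be built in code, which also makes it easy to keep service certificate validation on instead of certificateValidationMode="None". The following C# is an added example, not the answer author's code; the class WsSecurityClient, the method Create and its parameters are hypothetical names, and ChainTrust assumes the service certificate chains to a root the client machine trusts.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Text;

static class WsSecurityClient
{
    // TContract is the service contract interface generated by "Add Service Reference".
    public static ChannelFactory<TContract> Create<TContract>(
        string url, string dnsIdentity, string clientThumbprint, string serviceThumbprint)
        where TContract : class
    {
        // Mirrors the <security> element of the configuration above.
        SecurityBindingElement security = SecurityBindingElement.CreateMutualCertificateBindingElement(
            MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
            true); // allowSerializedSigningTokenOnReply
        security.EnableUnsecuredResponse = true;
        security.IncludeTimestamp = false;

        // Element order in code: security, then message encoding, then transport.
        var binding = new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8),
            new HttpsTransportBindingElement());

        var address = new EndpointAddress(new Uri(url), EndpointIdentity.CreateDnsIdentity(dnsIdentity));
        var factory = new ChannelFactory<TContract>(binding, address);

        ClientCredentials credentials = factory.Credentials;
        // Certificate whose private key signs the request.
        credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, clientThumbprint);
        // Certificate expected from the service.
        credentials.ServiceCertificate.SetDefaultCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, serviceThumbprint);

        // Hardened setting: validate the service certificate chain and check revocation.
        credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.ChainTrust;
        credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.Online;
        return factory;
    }
}
```

If the service certificate is issued by a private CA that is not in the trusted roots, X509CertificateValidationMode.PeerTrust with the certificate placed in the TrustedPeople store keeps validation on without requiring a trusted chain.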
