How do I get WCF to send the password in digest mode when using UserNameOverTransport binding? (Converting WSE3.0 code to WCF)


Problem description

I'm trying to convert this WSE3.0 code to WCF:

// we use Microsoft WSE 3.0 to insert the username token in the soap header.
// This strategy takes care of creating and inserting the Nonce and Created elements 
// for us, as well as creating a password digest based on Nonce, Created, and 
// the password itself.  Refer to the WS-Security UsernameToken Profile 1.1
// specification at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss.

Microsoft.Web.Services3.Security.Tokens.UsernameToken nametoken;
nametoken = new Microsoft.Web.Services3.Security.Tokens.UsernameToken(username, password, Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed);
Microsoft.Web.Services3.Design.Policy ClientPolicy = new Microsoft.Web.Services3.Design.Policy();

ClientPolicy.Assertions.Add(new UsernameOverTransportAssertion());
this._proxy.SetPolicy(ClientPolicy);
this._proxy.SetClientCredential<UsernameToken>(nametoken);



I have gotten pretty close except for sending the password in digest mode (Microsoft.Web.Services3.Security.Tokens.PasswordOption.SendHashed in the above code):

TransportSecurityBindingElement transportBindingElement =
    SecurityBindingElement.CreateUserNameOverTransportBindingElement();
transportBindingElement.AllowInsecureTransport = true;
transportBindingElement.EnableUnsecuredResponse = true;
transportBindingElement.IncludeTimestamp = true;
var binding = new CustomBinding(new BindingElement[] { //
    transportBindingElement, //
    new TextMessageEncodingBindingElement() {
        MessageVersion = MessageVersion.Soap11
    }, //
    new HttpTransportBindingElement() {
        AuthenticationScheme = AuthenticationSchemes.Digest,
    }, //
});



The above still sends the password in plain text (unhashed). I found this link to somebody trying to convert similar code with somebody stating that it was not possible to set up WCF to do this without writing a custom token serializer.

Is this statement accurate?

If it is, what do I need to do to create and use this custom serializer?

It looks like this link might be a good starting place when combined with the PDF from the site linked in the comments that gives the following formula Password_Digest = Base64 ( SHA-1 ( nonce + created + password ) ) but if anybody has a better explanation of exactly what I need to derive from and how to get WCF to use my new serializer I'd love to hear it.

Recommended answer

You found my question :)

This is a very interesting problem. MS was often blamed for producing insecure systems and APIs, and because of that some engineers at MS began incorporating some ideas about what is secure and what is not into new APIs. The UserNameToken profile with digested password is exactly the result of this effort. It is considered not secure enough, and because of that it is completely omitted from WCF. Well, it would not be a problem if WCF were not an API for interoperability with other platforms and frameworks where the UserNameToken profile with digested password is very popular.

Yes, we did a custom token serializer when we solved the problem. It is not only about the token serializer. You actually have to implement quite a lot of classes to make it work. I will not share our implementation because it wasn't my code, but you can try this one.
