2

WCF 有问题 - 连接到不需要签名 SOAP 标头的 Weblogic 服务 - 即 <TO>、<ACTION>、<MessageID> 和其他 WS-Addressing 元素 - 不需要签名。在请求中,WCF 无论如何都会默认对这些进行签名,这不会是一个问题,除非它期望它们也在响应中被签名,并且我从 WCF 返回了这个异常:

System.ServiceModel.Security.MessageSecurityException: 

The 'To', 'http://www.w3.org/2005/08/addressing' required message part  was not     signed.\r\n\r\nServer stack trace: \r\n   at 

System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)\r\n   at 
System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)\r\n   at 
System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)\r\n   at
System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)\r\n   at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingM....

我正在为 web 服务客户端的其他元素使用 CustomEncoder 和自定义行为,但似乎无法通过此路由禁用默认元素的签名 - 我尝试在 IEndpointBehaviour 中访问以下内容

public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
{
   ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
   requirements.IncomingSignatureParts...
   requirements.OutgoingSignatureParts...
}

但是HeaderTypes在 WCF 进程的消息行为阶段,这些集合中的数量对我来说始终为零。

此外,在尝试访问MessageHeaderAttributeIClientMessageInspector 时,我尝试添加以下内容但无济于事。

 public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
{
     int headerIndex = request.Headers.FindHeader("To", "http://www.w3.org/2005/08/addressing");

}

这是我的配置 -

XML 中的配置

<binding name="CUS_BINDING" >
      <transactionFlow />
      <security defaultAlgorithmSuite="TripleDesRsa15"
                authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                requireDerivedKeys="false"
                messageProtectionOrder="SignBeforeEncrypt"
                securityHeaderLayout="Lax"
                allowSerializedSigningTokenOnReply="true"
                enableUnsecuredResponse="true"                     
                    >

        <secureConversationBootstrap authenticationMode="CertificateOverTransport"
                                   messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                                   requireDerivedKeys="false"
                                        />
      </security>
      <customTextMessageEncoding messageVersion="Soap11WSAddressing10"  />
      <httpsTransport requireClientCertificate="true" />
    </binding>

配置在代码中调整

public static CustomBinding GetServiceBinding()
    {            
        //Get custom binding reference from app.config
        CustomBinding binding = new CustomBinding("CUS_BINDING");
        binding.ReceiveTimeout = new TimeSpan(0, 0, 15, 0);
        binding.SendTimeout = new TimeSpan(0, 0, 15, 0);
        // Reference the asymettric security element            
        AsymmetricSecurityBindingElement securityBindingElement = binding.Elements.Find<AsymmetricSecurityBindingElement>();
        // Get the x509ProtectionParams from the security element
        X509SecurityTokenParameters tokenParameters = new X509SecurityTokenParameters();
        tokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
        tokenParameters.RequireDerivedKeys = false;
        tokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;

        securityBindingElement.InitiatorTokenParameters = tokenParameters;
        //securityBindingElement.ProtectionTokenParameters = tokenParameters;
        securityBindingElement.LocalClientSettings.DetectReplays = false;

        //Set timestamp to false as it's not in the request
        securityBindingElement.IncludeTimestamp = false;
        // Added during testing, permanant fixture
        securityBindingElement.RequireSignatureConfirmation = true;
        securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;            

        return binding;
    }

所以我需要能够通过任何可能的方法做两件事之一 -

  1. 关闭客户端对这些标头元素的请求的签名,以便它们不会在传入的响应中被签名或

  2. 告诉 WCF 忽略响应 XML 中缺少数字签名并继续

4

2 回答 2

1

前段时间有人问过这个问题,但我在寻找解决方案时发现了这个问题。

所以这对我有用。只需在自定义绑定中设置 enableUnsecuredResponse="true" 即可。

<customBinding>
    <binding name="WsHttpSoap11" >          
        <textMessageEncoding messageVersion="Soap11WSAddressing10" />            
        <security authenticationMode="UserNameOverTransport" enableUnsecuredResponse="true"></security>
        <httpsTransport/>
    </binding>
  </customBinding>
于 2015-02-17T10:25:34.637 回答
-1

我最初的预感是有一些方法可以使 requirements.IncomingSignatureParts 路径工作。但后备方案是简单地一起关闭 ws-addressing(例如,使用消息版本“Soap11”)并在消息检查器/编码器中手动添加它们。

于 2012-09-11T09:40:15.507 回答