I have a problem with WCF connecting to a WebLogic service that does not require the SOAP headers, i.e. <To>, <Action>, <MessageID> and the other WS-Addressing elements, to be signed. In the request WCF signs them by default anyway, which would not be a problem except that it also expects them to be signed in the response, and I get this exception back from WCF:
    System.ServiceModel.Security.MessageSecurityException:
    The 'To', 'http://www.w3.org/2005/08/addressing' required message part was not signed.

    Server stack trace:
       at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ExecuteMessageProtectionPass(Boolean hasAtLeastOneSupportingTokenExpectedToBeSigned)
       at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
       at System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
       at System.ServiceModel.Security.AsymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
       at System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingM....
I am using a CustomEncoder and custom behaviours for other elements of the web service client, but it does not seem possible to disable the signing of the default elements through that route. I tried accessing the following in an IEndpointBehavior:
    public void AddBindingParameters(ServiceEndpoint endpoint, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
    {
        // The protection requirements WCF will apply to this endpoint's messages
        ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
        requirements.IncomingSignatureParts...
        requirements.OutgoingSignatureParts...
    }
but the count in these collections is always zero for me at the message-behaviour stage of the WCF pipeline. Also, while trying to access the headers in the IClientMessageInspector, I tried adding the following, to no avail:
    public object BeforeSendRequest(ref System.ServiceModel.Channels.Message request, System.ServiceModel.IClientChannel channel)
    {
        // Locate the WS-Addressing <To> header in the outgoing request
        int headerIndex = request.Headers.FindHeader("To", "http://www.w3.org/2005/08/addressing");
        return null; // no correlation state is needed for AfterReceiveReply
    }
Here is my configuration:
Configuration in XML
    <binding name="CUS_BINDING" >
      <transactionFlow />
      <security defaultAlgorithmSuite="TripleDesRsa15"
                authenticationMode="MutualCertificate"
                messageSecurityVersion="WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                requireDerivedKeys="false"
                messageProtectionOrder="SignBeforeEncrypt"
                securityHeaderLayout="Lax"
                allowSerializedSigningTokenOnReply="true"
                enableUnsecuredResponse="true"
                >
        <secureConversationBootstrap authenticationMode="CertificateOverTransport"
                                     messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                                     requireDerivedKeys="false"
                                     />
      </security>
      <customTextMessageEncoding messageVersion="Soap11WSAddressing10" />
      <httpsTransport requireClientCertificate="true" />
    </binding>
Configuration adjusted in code
    public static CustomBinding GetServiceBinding()
    {
        // Get the custom binding reference from app.config
        CustomBinding binding = new CustomBinding("CUS_BINDING");
        binding.ReceiveTimeout = new TimeSpan(0, 0, 15, 0);
        binding.SendTimeout = new TimeSpan(0, 0, 15, 0);

        // Reference the asymmetric security element
        AsymmetricSecurityBindingElement securityBindingElement = binding.Elements.Find<AsymmetricSecurityBindingElement>();

        // Build the X.509 token parameters used for the initiator (client) token
        X509SecurityTokenParameters tokenParameters = new X509SecurityTokenParameters();
        tokenParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.IssuerSerial;
        tokenParameters.RequireDerivedKeys = false;
        tokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
        securityBindingElement.InitiatorTokenParameters = tokenParameters;
        //securityBindingElement.ProtectionTokenParameters = tokenParameters;
        securityBindingElement.LocalClientSettings.DetectReplays = false;

        // Set timestamp to false as it's not in the request
        securityBindingElement.IncludeTimestamp = false;

        // Added during testing, permanent fixture
        securityBindingElement.RequireSignatureConfirmation = true;
        securityBindingElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        return binding;
    }
So I need to be able to do one of two things, by whatever means possible:
turn off the client-side signing of these header elements in the request, so that they are not expected to be signed in the incoming response, or
tell WCF to ignore the missing digital signature in the response XML and carry on.
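As an added example (not code from the question, and not WCF's own code), the script below does offline what WCF's message-protection pass does when it raises the exception above: it parses a WS-Security SOAP response, maps each ds:Reference URI in the signature to the element carrying that wsu:Id, and lists the WS-Addressing headers the signature does not cover. The SOAP message is constructed for the example (the namespaces are the real SOAP 1.1, WS-Addressing 1.0, WSS 1.0 and XML-DSig ones; the ids, action URI, MessageID and body are made up). It is a coverage check only and does not verify digests or the SignatureValue.

```python
"""Which parts of a WS-Security response does the signature actually cover?

Added example: reproduces the question WCF asks in ExecuteMessageProtectionPass
before failing with "required message part was not signed". Sample messages are
constructed by build_response(); no real WebLogic traffic is involved.
"""
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSA10 = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"


def build_response(signed_ids):
    """Construct a sample SOAP 1.1 / WS-Addressing 1.0 response (test data, not a
    real WebLogic message). Every addressing header and the Body carry a wsu:Id;
    only the ids listed in signed_ids get a <ds:Reference> in the signature."""
    refs = "".join(
        f'<ds:Reference URI="#{i}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        for i in signed_ids
    )
    return f"""<s:Envelope xmlns:s="{SOAP11}" xmlns:a="{WSA10}"
  xmlns:o="{WSSE}" xmlns:u="{WSU}" xmlns:ds="{DS}">
  <s:Header>
    <a:To u:Id="Id-To">http://www.w3.org/2005/08/addressing/anonymous</a:To>
    <a:Action u:Id="Id-Action">urn:example:GetQuoteResponse</a:Action>
    <a:RelatesTo u:Id="Id-RelatesTo">urn:uuid:11111111-2222-3333-4444-555555555555</a:RelatesTo>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp u:Id="TS-1"><u:Created>2024-01-01T00:00:00Z</u:Created></u:Timestamp>
      <ds:Signature>
        <ds:SignedInfo>{refs}</ds:SignedInfo>
        <ds:SignatureValue>AAAA</ds:SignatureValue>
      </ds:Signature>
    </o:Security>
  </s:Header>
  <s:Body u:Id="Body-1"><GetQuoteResponse xmlns="urn:example"/></s:Body>
</s:Envelope>"""


def referenced_ids(root):
    """Ids named by <ds:Reference URI="#..."> inside the wsse:Security header."""
    ids = set()
    for security in root.iter(f"{{{WSSE}}}Security"):
        for ref in security.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def element_id(elem):
    """WS-Security signatures point at wsu:Id; fall back to a plain Id attribute."""
    return elem.get(f"{{{WSU}}}Id") or elem.get("Id")


def signature_coverage(xml_text):
    """Return (unsigned_addressing_headers, body_signed).

    Coverage only: this checks which parts the signature claims to cover, not the
    digests or the SignatureValue. A real verifier must also confirm that each
    referenced Id resolves to exactly one element in the envelope, since
    duplicated Ids are the basis of XML signature wrapping attacks."""
    root = ET.fromstring(xml_text)
    signed = referenced_ids(root)
    header = root.find(f"{{{SOAP11}}}Header")
    body = root.find(f"{{{SOAP11}}}Body")

    unsigned = []
    for child in (header if header is not None else []):
        is_addressing = child.tag.startswith(f"{{{WSA10}}}")
        if is_addressing and element_id(child) not in signed:
            unsigned.append(child.tag.split("}", 1)[1])  # local name, e.g. "To"
    body_signed = body is not None and element_id(body) in signed
    return sorted(unsigned), body_signed


if __name__ == "__main__":
    # Response shaped like the one in the question: Body and Timestamp signed,
    # addressing headers left unsigned, which WCF rejects.
    weblogic_style = build_response(["TS-1", "Body-1"])
    # Response shaped like WCF's own default: addressing headers signed too.
    wcf_default = build_response(["TS-1", "Body-1", "Id-To", "Id-Action", "Id-RelatesTo"])
    for label, msg in (("addressing unsigned", weblogic_style), ("addressing signed", wcf_default)):
        unsigned, body_ok = signature_coverage(msg)
        print(f"{label}: body signed={body_ok}, unsigned addressing headers={unsigned}")
```

Pointed at a captured response (replace the constructed message with the captured XML), this makes the trade-off behind the second option concrete: a response whose To, Action and RelatesTo are outside the signature can have those headers changed in transit without the signature failing, so accepting it means relying on the HTTPS transport alone for the integrity of the addressing data.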