1

我还是 WCF 的新手,并且对为什么在 WCF 中需要某些部分(如果需要)有一些疑问:

1) 我有一个使用 WCF 服务与数据库通信的应用程序。我在本地机器上设置了一个测试 SSL 证书,并将 WCF 服务的 web.config 设置为:

  <wsHttpBinding>
    <binding name="MyService" maxReceivedMessageSize="2147483647">
      <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
        maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="Windows" />
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </wsHttpBinding>

因为我有 SSL 设置,我读过我必须有传输安全性,通过将 clientCredentialType 设置为 Windows 有什么作用?SSL 不是负责来回传递数据的安全性吗?我得到的消息,因为我设置了一个自定义类来验证用户。我只是不明白为什么我需要它来传输,如果我不需要它,当它设置到 Windows 时它会做什么,这是否意味着公司网络内的所有消息都很好,但如果该网络之外的任何消息试图与它被阻止的服务交谈?

2) 对于本节:

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />

当我去生产时,两者都应该设置为错误正确吗?因此,任何其他尝试设置对生产 url 的服务引用的应用程序都将被阻止,或者无法构建代理类?

3) includeExceptionDetailInFaults,我应该始终将其保留为假吗?目前,当 WCF 服务中发生错误时,我让代码抛出一个新的 FaultException,然后传播到 Web 应用程序中的方法,该方法正在向我发送包含错误消息的电子邮件,用户只会收到一般错误页。

谢谢你。

4

2 回答 2

2

1.如果你在内部使用你的服务,那么你可以使用这个配置,但是客户端和服务器都应该在同一个域上。Windows 凭据是必需的,因为某些证书放置在 Windows 的用户级证书存储中,要对其进行身份验证,您需要提供用户凭据。

2.如果您不希望任何人创建代理,请继续。

<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />

Indicates, that the user can see the WSDL metadata only on https connection and not on http. So if some needs to create proxy, they have to use the https url of your service.

3.Depends on your requirement, If you don't want your user to see the error details. then it's OK. This is required only for debugging. So you are right.

More details on Transport Security

<security mode="Transport">
    <transport clientCredentialType="Windows" />
</security>
于 2013-01-02T20:27:06.033 回答
1

Much useful info here: http://msdn.microsoft.com/en-us/library/aa354508.aspx

and here: http://msdn.microsoft.com/en-us/library/ms789011.aspx

1) Transport Security is just handling the Network-level security; when you specify Message+Transport, you're saying you want the message itself to require authentication as well; just having a valid SSL config isn't enough. ClientCredential Windows, means to attempt to use the effective windows credential of the running process.

By default, the wsHttpBinding binding provides HTTP communication. When configured for transport security, the binding supports HTTPS communication. HTTPS provides confidentiality and integrity protection for the messages that are transmitted over the wire. However the set of authentication mechanisms that can be used to authenticate the client to the service is limited to what the HTTPS transport supports. Windows Communication Foundation (WCF) offers a TransportWithMessageCredential security mode that is designed to overcome this limitation. When this security mode is configured, the transport security is used to provide confidentiality and integrity for the transmitted messages and to perform the service authentication. However, the client authentication is performed by putting the client credential directly in the message. This allows you to use any credential type that is supported by the message security mode for the client authentication while keeping the performance benefit of transport security mode.

2) Whether or not you allow HTTP "GET" operations is entirely up to you and your security preferences; it does obscure your service a bit, but makes it less easy to use.

3) Whether you include exception details in your response depends largely on how much you trust the consumers of your service. When consumers have the exception they'll be better able to react to their own mistakes, but also have more information about your service's implementation.

于 2013-01-02T20:33:12.743 回答