
I have a WCF service. The service's binding is wsHttpBinding and the security type is message security. The service is hosted on IIS, and the site binding in IIS is http (80). The service also has a certificate configured through the service behavior.

Binding:

<wsHttpBinding>
  <binding name="maksServiceBinding" maxReceivedMessageSize="2147483647">
    <security mode="Message">
      <message clientCredentialType="UserName" establishSecurityContext="true" />
    </security>
  </binding>
</wsHttpBinding>

Behavior:

<serviceCredentials>
  <serviceCertificate findValue="xxxxName" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
  <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="xxx.xxx.xxxServiceUsernameValidator, xxx.xxx"/>
  <!--<clientCertificate>
    <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
  </clientCertificate>-->
</serviceCredentials>

My service works fine, but I have three questions:

1) How can I force my clients to use these settings: certificateValidationMode="ChainTrust" revocationMode="NoCheck"? These settings can be changed on the client (for example, certificateValidationMode can be changed to None), but I don't want clients to change them. The commented-out section does not work.

2) When certificateValidationMode is ChainTrust, the client has to add the certificate in order to use my service. But if the client does not add the certificate and changes certificateValidationMode to None, the client can still use the service. If I can't find a solution to prevent this, I will write custom certificate validation with X509CertificateValidator, because the service messages cannot be encrypted (not secure).

3) I observed the client's requests and responses with Fiddler2. I tried two cases. First: the certificate was added and certificateValidationMode was ChainTrust. Second: the certificate was not added and certificateValidationMode was None. The requests and responses were identical in both cases. Here is the question: are the requests and responses encrypted? If they are encrypted, how does the second case work, since there is no certificate on the client? Can the certificate be stored somewhere else, such as a cache?

Fiddler2 output:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" u:Id="_2">http://nvi.gov.tr/adres/IMaksCrudBusinessOf_Bina/Read</a:Action>
    <a:MessageID u:Id="_3">urn:uuid:e1ef9b1b-14c4-4952-b535-ff84a11b18b4</a:MessageID>
    <a:ReplyTo u:Id="_4">
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1" u:Id="_5">http://umuts/MaksServices/MaksBinaIslemleri.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-11">
        <u:Created>2013-03-10T17:54:01.744Z</u:Created>
        <u:Expires>2013-03-10T17:59:01.744Z</u:Expires>
      </u:Timestamp>
      <c:SecurityContextToken u:Id="uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <c:Identifier>urn:uuid:ced2f798-d488-405d-9e4d-a9bce5acc8f5</c:Identifier>
      </c:SecurityContextToken>
      <c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-9" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
        </o:SecurityTokenReference>
        <c:Offset>0</c:Offset>
        <c:Length>24</c:Length>
        <c:Nonce>vUN53uBYs3XxRkW30IRUGg==</c:Nonce>
      </c:DerivedKeyToken>
      <c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
        <o:SecurityTokenReference>
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
        </o:SecurityTokenReference>
        <c:Nonce>cJDYx++Xl28SaS57RPr/Og==</c:Nonce>
      </c:DerivedKeyToken>
      <e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:DataReference URI="#_1"/>
        <e:DataReference URI="#_6"/>
      </e:ReferenceList>
      <e:EncryptedData Id="_6" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
        <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
          </o:SecurityTokenReference>
        </KeyInfo>
        <e:CipherData>
          <e:CipherValue>...</e:CipherValue>
        </e:CipherData>
      </e:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body u:Id="_0">
    <e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
      <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
        </o:SecurityTokenReference>
      </KeyInfo>
      <e:CipherData>
        <e:CipherValue>xgJK91cn2sLm4FvnVJZoueexPXVExJaA/gCoBdZK2nLlBLvIFnQz/Y6okzRfh0jugF6Vrx5aj+0i3T6V6TfNnBkFuLsKnDeyL2D/cawlBqM=</e:CipherValue>
      </e:CipherData>
    </e:EncryptedData>
  </s:Body>
</s:Envelope>

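Nothing the service configures can stop a client from setting certificateValidationMode to None; the check has to live in the client's own code. As an added example that is not part of the question, here is a custom X509CertificateValidator that keeps chain validation and additionally pins the service certificate's thumbprint, assuming a ChannelFactory over the IMaksCrudBusinessOf_Bina contract named in the captured Action header and an endpoint configuration name, "maksServiceEndpoint", that does not appear on the page.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// With negotiateServiceCredential at its default (true) the service certificate reaches the
// client inside the WS-Trust exchange that creates the SecurityContextToken seen in the
// capture, so the client store never needs a copy and "None" simply skips validating it.
// This validator keeps chain validation and additionally pins the expected thumbprint.
public sealed class PinnedServiceCertificateValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;
    public PinnedServiceCertificateValidator(string expectedThumbprint)
    {
        _expectedThumbprint = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No service certificate presented.");
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // as in the question
            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException("Service certificate chain is not trusted.");
        }
        if (!string.Equals(certificate.Thumbprint, _expectedThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Service certificate does not match the pinned thumbprint.");
    }
}

public static class MaksClientFactory
{
    // Placeholder: replace with the SHA-1 thumbprint of the real service certificate.
    private const string PinnedThumbprint = "PLACEHOLDER_THUMBPRINT";
    // Contract name is taken from the captured Action header; the endpoint
    // configuration name "maksServiceEndpoint" is an assumption.
    public static IMaksCrudBusinessOf_Bina Create()
    {
        var factory = new ChannelFactory<IMaksCrudBusinessOf_Bina>("maksServiceEndpoint");
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedServiceCertificateValidator(PinnedThumbprint);
        return factory.CreateChannel();
    }
}
```

Because the validator is set in code rather than in app.config, a client built this way cannot be weakened by editing its configuration file alone.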