29

我正在尝试使用第三方 Web 服务 https://staging.identitymanagement.lexisnexis.com/identity-proofing/services/identityProofingServiceWS/v2?wsdl

我已经将它添加为服务参考,但我不确定如何传递标头的凭据。

如何使标头请求与此格式匹配?

<soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:UsernameToken wsu:Id="UsernameToken-49" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsse:Username>12345/userID</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/ oasis-200401-wss-username-token-profile-1.0#PasswordText">password123</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">d+VxCZX1cH/ieMkKEr/ofA==</wsse:Nonce>
            <wsu:Created>2012-08-04T20:25:04.038Z</wsu:Created>
        </wsse:UsernameToken>
    </wsse:Security>
</soapenv:Header>
4

10 回答 10

65

楼上的答案太错误了!不要添加自定义标题。从您的示例 xml 来看,它是一个标准的 WS-Security 标头。WCF 绝对支持开箱即用。添加服务引用时,您应该在配置文件中为您创建 basicHttpBinding 绑定。您必须对其进行修改以包含具有模式 TransportWithMessageCredential 的安全元素和具有 clientCredentialType = UserName 的消息元素:

<basicHttpBinding>
  <binding name="usernameHttps">
    <security mode="TransportWithMessageCredential">
      <message clientCredentialType="UserName"/>
    </security>
  </binding>
</basicHttpBinding>

上面的配置告诉 WCF 期望 SOAP 标头中的用户 ID/密码通过 HTTPS。然后,您可以在拨打电话之前在代码中设置 ID/密码:

var service = new MyServiceClient();
service.ClientCredentials.UserName.UserName = "username";
service.ClientCredentials.UserName.Password = "password";

除非这个特定的服务提供商偏离标准,否则它应该可以工作。

于 2013-04-17T03:24:48.830 回答
41

可能有一种更聪明的方法,但您可以像这样手动添加标题:

var client = new IdentityProofingService.IdentityProofingWSClient();

using (new OperationContextScope(client.InnerChannel))
{
    OperationContext.Current.OutgoingMessageHeaders.Add(
        new SecurityHeader("UsernameToken-49", "12345/userID", "password123"));
    client.invokeIdentityService(new IdentityProofingRequest());
}

SecurityHeader是一个自定义实现的类,由于我选择使用属性来配置 XML 序列化,因此需要一些其他类:

public class SecurityHeader : MessageHeader
{
    private readonly UsernameToken _usernameToken;

    public SecurityHeader(string id, string username, string password)
    {
        _usernameToken = new UsernameToken(id, username, password);
    }

    public override string Name
    {
        get { return "Security"; }
    }

    public override string Namespace
    {
        get { return "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"; }
    }

    protected override void OnWriteHeaderContents(XmlDictionaryWriter writer, MessageVersion messageVersion)
    {
        XmlSerializer serializer = new XmlSerializer(typeof(UsernameToken));
        serializer.Serialize(writer, _usernameToken);
    }
}


[XmlRoot(Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd")]
public class UsernameToken
{
    public UsernameToken()
    {
    }

    public UsernameToken(string id, string username, string password)
    {
        Id = id;
        Username = username;
        Password = new Password() {Value = password};
    }

    [XmlAttribute(Namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd")]
    public string Id { get; set; }

    [XmlElement]
    public string Username { get; set; }

    [XmlElement]
    public Password Password { get; set; }
}

public class Password
{
    public Password()
    {
        Type = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";
    }

    [XmlAttribute]
    public string Type { get; set; }

    [XmlText]
    public string Value { get; set; }
}

我没有Nonce在 XML 中添加该位UsernameToken,但它与那个非常相似Password。该Created元素还需要添加,但它是一个简单的[XmlElement].

于 2013-04-16T07:45:55.050 回答
2

添加自定义的硬编码标头可能会起作用(有时也可能会被拒绝),但这完全是错误的方法。WSSE 的目的是安全。正是出于这个原因,Microsoft 发布了 Microsoft Web Services Enhancements 2.0 和随后的 WSE 3.0。您需要安装此软件包 ( http://www.microsoft.com/en-us/download/details.aspx?id=14089 )。

该文档不容易理解,尤其是对于那些没有使用过 SOAP 和 WS-Addressing 的人。首先,“BasicHttpBinding”是 Soap 1.1,它不会为您提供与 WSHttpBinding 相同的消息头。安装软件包并查看示例。您将需要从 WSE 3.0 引用 DLL,并且您还需要正确设置您的消息。WS Addressing 标头有大量或变体。您正在寻找的是 UsernameToken 配置。

这是一个较长的解释,我应该为大家写一些东西,因为我在任何地方都找不到正确的答案。您至少需要从 WSE 3.0 包开始。

于 2015-06-30T14:19:35.883 回答
2

显然,这篇文章已经存在了好几年了——但事实是我在寻找类似问题时确实找到了它。在我们的例子中,我们必须将用户名/密码信息添加到 Security 标头中。这与在安全标头之外添加标头信息不同。

执行此操作的正确方法(对于自定义绑定 / authenticationMode="CertificateOverTransport")(如在 .Net 框架版本 4.6.1 上)是照常添加客户端凭据:

    client.ClientCredentials.UserName.UserName = "[username]";
    client.ClientCredentials.UserName.Password = "[password]";

然后在安全绑定元素中添加一个“令牌” - 因为当身份验证模式设置为证书时,默认情况下不会包含用户名/密码凭据。

您可以像这样设置此令牌:

    //Get the current binding 
    System.ServiceModel.Channels.Binding binding = client.Endpoint.Binding;
    //Get the binding elements 
    BindingElementCollection elements = binding.CreateBindingElements();
    //Locate the Security binding element
    SecurityBindingElement security = elements.Find<SecurityBindingElement>();

    //This should not be null - as we are using Certificate authentication anyway
    if (security != null)
    {
    UserNameSecurityTokenParameters uTokenParams = new UserNameSecurityTokenParameters();
    uTokenParams.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
security.EndpointSupportingTokenParameters.SignedEncrypted.Add(uTokenParams);
    }

   client.Endpoint.Binding = new CustomBinding(elements.ToArray());

那应该这样做。如果没有上述代码(显式添加用户名令牌),即使在客户端凭据中设置用户名信息也可能不会导致将这些凭据传递给服务。

于 2018-06-14T13:50:42.543 回答
2

暗示WCF 开箱即用地支持问题中提供的标头的答案是不正确的。问题中的标头在 Us​​ernameToken 中包含NonceCreated时间戳,这是 WCF 不支持的 WS-Security 规范的官方部分。WCF 仅支持开箱即用的用户名和密码

如果您需要做的只是添加用户名和密码,那么 Sergey 的答案是最省力的方法。如果您需要添加任何其他字段,则需要提供自定义类来支持它们。

我发现一种更优雅的方法是覆盖 ClientCredentials、ClientCredentialsSecurityTokenManager 和 WSSecurityTokenizer 类以支持其他属性。我提供了博客文章的链接,其中详细讨论了该方法,但这里是覆盖的示例代码:

public class CustomCredentials : ClientCredentials
{
    public CustomCredentials()
    { }

    protected CustomCredentials(CustomCredentials cc)
        : base(cc)
    { }

    public override System.IdentityModel.Selectors.SecurityTokenManager CreateSecurityTokenManager()
    {
        return new CustomSecurityTokenManager(this);
    }

    protected override ClientCredentials CloneCore()
    {
        return new CustomCredentials(this);
    }
}

public class CustomSecurityTokenManager : ClientCredentialsSecurityTokenManager
{
    public CustomSecurityTokenManager(CustomCredentials cred)
        : base(cred)
    { }

    public override System.IdentityModel.Selectors.SecurityTokenSerializer CreateSecurityTokenSerializer(System.IdentityModel.Selectors.SecurityTokenVersion version)
    {
        return new CustomTokenSerializer(System.ServiceModel.Security.SecurityVersion.WSSecurity11);
    }
}

public class CustomTokenSerializer : WSSecurityTokenSerializer
{
    public CustomTokenSerializer(SecurityVersion sv)
        : base(sv)
    { }

    protected override void WriteTokenCore(System.Xml.XmlWriter writer,
                                            System.IdentityModel.Tokens.SecurityToken token)
    {
        UserNameSecurityToken userToken = token as UserNameSecurityToken;

        string tokennamespace = "o";

        DateTime created = DateTime.Now;
        string createdStr = created.ToString("yyyy-MM-ddTHH:mm:ss.fffZ");

        // unique Nonce value - encode with SHA-1 for 'randomness'
        // in theory the nonce could just be the GUID by itself
        string phrase = Guid.NewGuid().ToString();
        var nonce = GetSHA1String(phrase);

        // in this case password is plain text
        // for digest mode password needs to be encoded as:
        // PasswordAsDigest = Base64(SHA-1(Nonce + Created + Password))
        // and profile needs to change to
        //string password = GetSHA1String(nonce + createdStr + userToken.Password);

        string password = userToken.Password;

        writer.WriteRaw(string.Format(
        "<{0}:UsernameToken u:Id=\"" + token.Id +
        "\" xmlns:u=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd\">" +
        "<{0}:Username>" + userToken.UserName + "</{0}:Username>" +
        "<{0}:Password Type=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText\">" +
        password + "</{0}:Password>" +
        "<{0}:Nonce EncodingType=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary\">" +
        nonce + "</{0}:Nonce>" +
        "<u:Created>" + createdStr + "</u:Created></{0}:UsernameToken>", tokennamespace));
    }

    protected string GetSHA1String(string phrase)
    {
        SHA1CryptoServiceProvider sha1Hasher = new SHA1CryptoServiceProvider();
        byte[] hashedDataBytes = sha1Hasher.ComputeHash(Encoding.UTF8.GetBytes(phrase));
        return Convert.ToBase64String(hashedDataBytes);
    }

}

在创建客户端之前,您创建自定义绑定并手动向其添加安全、编码和传输元素。然后,用您的自定义实现替换默认 ClientCredentials 并像往常一样设置用户名和密码:

var security = TransportSecurityBindingElement.CreateUserNameOverTransportBindingElement();
    security.IncludeTimestamp = false;
    security.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
    security.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;

var encoding = new TextMessageEncodingBindingElement();
encoding.MessageVersion = MessageVersion.Soap11;

var transport = new HttpsTransportBindingElement();
transport.MaxReceivedMessageSize = 20000000; // 20 megs

binding.Elements.Add(security);
binding.Elements.Add(encoding);
binding.Elements.Add(transport);

RealTimeOnlineClient client = new RealTimeOnlineClient(binding,
    new EndpointAddress(url));

    client.ChannelFactory.Endpoint.EndpointBehaviors.Remove(client.ClientCredentials);
client.ChannelFactory.Endpoint.EndpointBehaviors.Add(new CustomCredentials());

client.ClientCredentials.UserName.UserName = username;
client.ClientCredentials.UserName.Password = password;
于 2019-10-22T20:48:18.610 回答
0

假设您的名称localhost中有服务参考,web.config因此您可以按以下方式进行

localhost.Service objWebService = newlocalhost.Service();
localhost.AuthSoapHd objAuthSoapHeader = newlocalhost.AuthSoapHd();
string strUsrName =ConfigurationManager.AppSettings["UserName"];
string strPassword =ConfigurationManager.AppSettings["Password"];

objAuthSoapHeader.strUserName = strUsrName;
objAuthSoapHeader.strPassword = strPassword;

objWebService.AuthSoapHdValue =objAuthSoapHeader;
string str = objWebService.HelloWorld();

Response.Write(str);
于 2013-04-16T04:11:33.667 回答
0

假设您正在使用 HttpWebRequest 和 HttpWebResponse 调用 Web 服务,因为 .Net 客户端不支持您尝试使用的 WSLD 的结构。

在这种情况下,您可以在标头上添加安全凭据,例如:

<soap:Envelpe>
<soap:Header>
    <wsse:Security soap:mustUnderstand='true' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'><wsse:UsernameToken wsu:Id='UsernameToken-3DAJDJSKJDHFJASDKJFKJ234JL2K3H2K3J42'><wsse:Username>YOU_USERNAME/wsse:Username><wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>YOU_PASSWORD</wsse:Password><wsse:Nonce EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary'>3WSOKcKKm0jdi3943ts1AQ==</wsse:Nonce><wsu:Created>2015-01-12T16:46:58.386Z</wsu:Created></wsse:UsernameToken></wsse:Security>
</soapHeather>
<soap:Body>
</soap:Body>


</soap:Envelope>

您可以使用 SOAPUI 获取 wsse 安全性,使用 http 日志。

请小心,因为这不是一个安全的场景。

于 2016-01-12T17:13:36.467 回答
0

我从这里得到了一个更好的方法:WCF: Creating Custom Headers, How To Add and Consume those Headers

客户端标识自己
这里的目标是让客户端提供某种信息,服务器可以使用这些信息来确定谁在发送消息。以下 C# 代码将添加一个名为 ClientId 的标头:

var cl = new ActiveDirectoryClient();

var eab = new EndpointAddressBuilder(cl.Endpoint.Address);

eab.Headers.Add( AddressHeader.CreateAddressHeader("ClientId",       // Header Name
                                                   string.Empty,     // Namespace
                                                    "OmegaClient")); // Header Value
cl.Endpoint.Address = eab.ToEndpointAddress();

// Now do an operation provided by the service.
cl.ProcessInfo("ABC");

该代码所做的是添加一个名为 ClientId 的端点标头,其值为 OmegaClient 以插入到没有命名空间的soap标头中。

客户端配置文件
中的自定义标头 自定义标头还有另一种方法。这可以在客户端的 Xml 配置文件中实现,其中通过将自定义标头指定为端点的一部分来发送所有消息,如下所示:

<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
    </startup>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="BasicHttpBinding_IActiveDirectory" />
            </basicHttpBinding>
        </bindings>
        <client>
          <endpoint address="http://localhost:41863/ActiveDirectoryService.svc"
              binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IActiveDirectory"
              contract="ADService.IActiveDirectory" name="BasicHttpBinding_IActiveDirectory">
            <headers>
              <ClientId>Console_Client</ClientId>
            </headers>
          </endpoint>
        </client>
    </system.serviceModel>
</configuration>
于 2017-03-24T06:21:07.330 回答
0

我将 customBinding 添加到 web.config。

<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="CustomSoapBinding">
          <security includeTimestamp="false"
                    authenticationMode="UserNameOverTransport"
                    defaultAlgorithmSuite="Basic256"
                    requireDerivedKeys="false"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
          </security>
          <textMessageEncoding messageVersion="Soap11"></textMessageEncoding>
          <httpsTransport maxReceivedMessageSize="2000000000"/>
        </binding>
      </customBinding>
    </bindings>
    <client>
      <endpoint address="https://test.com:443/services/testService"
                binding="customBinding"
                bindingConfiguration="CustomSoapBinding"
                contract="testService.test"
                name="test" />
    </client>
  </system.serviceModel>
  <startup>
    <supportedRuntime version="v4.0"
                      sku=".NETFramework,Version=v4.0"/>
  </startup>
</configuration>

添加 customBinding 后,我可以将用户名和密码传递给客户端服务,如下所示:

service.ClientCridentials.UserName.UserName = "testUser";
service.ClientCridentials.UserName.Password = "testPass";

通过这种方式,您可以将标头中的用户名、密码传递给 SOAP WCF 服务。

于 2019-05-21T08:23:18.803 回答
0

如果这与此 Peoplesoft 问题有关:https: //support.oracle.com/knowledge/PeopleSoft%20Enterprise/2370907_1.html

我需要在 Soap 密码上设置该属性,而之前该属性并未在该标签上设置。

我只是在我的自定义绑定上设置 MessageSecurityVersion:

  CustomBinding customBinding = new CustomBinding();
            customBinding.Name = endpointName;
            customBinding.CloseTimeout = TimeSpan.FromMinutes(1);
            customBinding.OpenTimeout = TimeSpan.FromMinutes(1);
            customBinding.SendTimeout = TimeSpan.FromMinutes(20);
            customBinding.ReceiveTimeout = TimeSpan.FromMinutes(20);

            TextMessageEncodingBindingElement textMessageElement = new TextMessageEncodingBindingElement(MessageVersion.Soap11, Encoding.UTF8);
            customBinding.Elements.Add(textMessageElement);

            TransportSecurityBindingElement securityElement = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
            securityElement.IncludeTimestamp = false;
            securityElement.MessageSecurityVersion = MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
            customBinding.Elements.Add(securityElement);

            // ORDER MATTERS: THIS HAS TO BE LAST!!! - HVT
            HttpsTransportBindingElement transportElement = new HttpsTransportBindingElement();
            transportElement.MaxBufferSize = int.MaxValue;
            transportElement.MaxReceivedMessageSize = int.MaxValue;
            customBinding.Elements.Add(transportElement);

            return customBinding;
于 2021-03-16T16:08:20.127 回答