wcf - WCF 或 WSE 编辑安全标头

Question

我一直在尝试使用 WCF 或 WSE 更改肥皂安全元素。

1. WCF：实现一个 messageinspector 并在 Beforerequestsent 中添加您的自定义代码。在后面的代码中设置了以下自定义绑定后，我在 ref System.ServiceModel.Channels.Message 请求中看不到安全元素。有一个信封和标题，正文但标题中缺少安全元素。

   AsymmetricSecurityBindingElement secBE = AsymmetricSecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
   X509SecurityTokenParameters x509ProtectionParameters = new X509SecurityTokenParameters();
   x509ProtectionParameters.RequireDerivedKeys = false;
   x509ProtectionParameters.X509ReferenceStyle = X509KeyIdentifierClauseType.SubjectKeyIdentifier;
   x509ProtectionParameters.ReferenceStyle = SecurityTokenReferenceStyle.Internal;
   x509ProtectionParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
   

   这就是 ref 变量请求的样子

   <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">  <s:Header>    <a:Action s:mustUnderstand="1" />    <a:MessageID>urn:uuid:4e929e4c-882b-40dc-9794-e54b71c47148</a:MessageID>    <a:ReplyTo>      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>    
   </a:ReplyTo>    
       <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo9rzFi9T6thDniQ9lRMdE0sAAAAA1RxuI+tGxUi69I44BS9+QcTNP3q82D9HmHmB8kuqWioACQAA</VsDebuggerCausalityData> 
    </s:Header> 
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">    <getEligibility xmlns="http://org/emedny/mhs/">      <input>        <transData</transData>      </input>  
     </getEligibility> 
     </s:Body>
   </s:Envelope>
   

   尽管提琴手显示了一个传出的安全标头，但我无法访问 Before request sent 方法中的 Security 元素

2. WSE：他们建议使用肥皂过滤器并覆盖一些方法我在代码中包含所有标记

       ProxyGenerationWSDL.MHService MHs = new MHService();
       X509Certificate2 cert = GetCertificateFromStore("User");
       X509SecurityToken x5091 = new X509SecurityToken(cert);
       MHs.SetClientCredential(x5091);
       X509Certificate2 cert2 = GetCertificateFromStore("Server");
       X509SecurityToken x5092 = new X509SecurityToken(cert2);
       MHs.SetServiceCredential(x5092);
       UsernameToken tkuser = new UsernameToken("User1", "Pwd", PasswordOption.SendPlainText);
       MHs.RequestSoapContext.Security.Tokens.Add(x5091);
       MHs.RequestSoapContext.Security.Tokens.Add(x5092);
       MHs.RequestSoapContext.Security.Tokens.Add(tkuser);
       Microsoft.Web.Services3.Security.EncryptedData data = new Microsoft.Web.Services3.Security.EncryptedData(x5092);
       MHs.RequestSoapContext.Security.Elements.Add(new MessageSignature(x5091));
   

   现在创建了一个自定义策略，策略断言，我将覆盖以下内容

   public class ClientOutputFilter : SoapFilter
   {
       public ClientOutputFilter()
           : base()
       { }
   
       public override SoapFilterResult ProcessMessage(SoapEnvelope envelope)
       {    
               XmlDocument document = new XmlDocument();
               string s = envelope.InnerXml;
               document.LoadXml(envelope.InnerXml);  //loading soap message as string 
               string path = "/*:Envelope/*:Header/*:Security/*:TimeStamp";
               XmlNodeList ndlist =
               document.SelectNodes(path);
   //then remove the timestamp element from the security header
   

   但即使在这里，信封也没有安全元素。

请建议。为了编辑安全标头，要覆盖哪些方法

已编辑：现在出现的请求

        <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
        </o:BinarySecurityToken>
     <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
        </o:BinarySecurityToken>
    <o:Username>UserName</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
</o:UsernameToken>

需要出现什么

<o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
  </o:BinarySecurityToken>
  <o:BinarySecurityToken u:Id="uuid-993b00fe-4c5c-43e8-9882-c59c1e5d1179-7" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">--Removed--
  </o:BinarySecurityToken>
  <o:Username>UserName</o:Username>
    <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PWD</o:Password>
    <o:Nonce>XXXX</o:Nonce>
    <o:Created>TTT</o:Created>
 </o:UsernameToken>

编辑以显示 Complete Soap 请求以显示签名和加密详细信息

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mhs="http://org/emedny/mhs/" xmlns:urn="urn:hl7-org:v3">
<soapenv:Header>
<wsse:Security soap:mustUnderstand="1" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d">MIICeDCC....(eMedNY signed user MLS cert).......</wsse:BinarySecurityToken>
    <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685">MIIDFj.....( eMedNY MLS web-service end-point public cert)........</wsse:BinarySecurityToken>
    <wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="SecurityToken-970e9a80-00cc-4c86-8ec4-3ba16e029a5b">
    <wsse:Username>....your_username.....</wsse:Username>
    <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">.....your_plaintext_password....</wsse:Password>
    <wsse:Nonce>KNyu6MsXCkTg4DDyvwvEiw==</wsse:Nonce>
    <wsu:Created>2010-09-15T18:00:30Z</wsu:Created>
    </wsse:UsernameToken>
    <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-c0cc2cd4-cb77-4fa5-abfa-bd485afd1685" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    <xenc:CipherData>
    <xenc:CipherValue>gpBAWt91pdwhKva............</xenc:CipherValue>
    </xenc:CipherData>
    <xenc:ReferenceList>
    <xenc:DataReference URI="#Enc-0641b860-b16d-4941-91c0-d60bece67794"/>
    </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
    SAMP L E R EQUE ST W I T H WS S E CURI T Y
    eMedNY Meds History Service User Guide Page 13 of 48 February 16, 2012
    Version 1.1
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#Id-f10674fd-b999-47c9-9568-c11fa5e5405b">
    <Transforms>
    <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>wRUq.........</DigestValue>
    </Reference>
    </SignedInfo>
    <SignatureValue>tBSsaZi........</SignatureValue>
    <KeyInfo>
    <wsse:SecurityTokenReference>
    <wsse:Reference URI="#SecurityToken-e00c8062-83d2-4f04-88fc-996218e7bb3d" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference>
    </KeyInfo>
    </Signature>
    </wsse:Security>
    </soapenv:Header>
    <soapenv:Body wsu:Id="Id-f10674fd-b999-47c9-9568-c11fa5e5405b" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedData Id="Enc-0641b860-b16d-4941-91c0-d60bece67794" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    <xenc:CipherData>
    <xenc:CipherValue>SQsTCAK6ZaVhojB8+Y.........</xenc:CipherValue>
    </xenc:CipherData>
    </xenc:EncryptedData>
    </soapenv:Body>

Answer 1

在 WCF 中，您需要使用自定义消息编码器。检查员太早被召唤来改变安全性。如果您将分享有关您想要进行的确切更改的更多详细信息，也许我们可以以更好的方式提供帮助。