0

我是 WCF、.NET、Web 服务和一切的新手——事实上,在我接受目前的工作之前,我主要是一名 Java 和 SQL 编码器。

手头的任务:我们数据库中的部分客户数据需要定期导出到第三方提供的数据库,并可通过 Web 服务访问,而后者又由第四家提供的 STS 进行联合保护派对。

在花费数小时处理令人困惑的 MSDN 文档和大量关于 WCF 的博客文章之后,我仍然无法让 STS 与我交谈,我得到的只是一个(400) Bad Request..

我的代码:

private static SecurityToken RequestSecurityToken()
{
    WSHttpBinding binding = new WSHttpBinding();
    binding.AllowCookies = true;
    WSHttpSecurity security = new WSHttpSecurity();
    security.Mode = SecurityMode.TransportWithMessageCredential;
    security.Message.ClientCredentialType = MessageCredentialType.Certificate;
    security.Message.NegotiateServiceCredential = true;
    security.Message.EstablishSecurityContext = false;
    binding.Security = security;
    WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, "https://FOURTH_PARTY_STS");
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.ClientCertificate.SetCertificate(StoreLocation.CurrentUser, StoreName.TrustedPeople, X509FindType.FindBySubjectName, "CUSTOMER_CERTIFICATE");
    RequestSecurityToken rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointReference("https://THIRD_PARTY_WS"),                
        TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    };
    rst.Claims.Dialect = "http://docs.oasis-open.org/wsfed/authorization/200706/authclaims"; // Taken from an exception message 
    rst.Claims.Add(new RequestClaim("urn:tgic:names:ISTS:1.0:user:PartnerId", false, "CUSTOMER_ID"));
    return factory.CreateChannel().Issue(rst);
}

生成此 SOAP 主体:

<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
            <wsa:Address>https://THIRD_PARTY_WS</wsa:Address>
        </wsa:EndpointReference>
    </wsp:AppliesTo>
    <trust:Claims Dialect="http://docs.oasis-open.org/wsfed/authorization/200706/authclaims" xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
        <auth:ClaimType Uri="urn:tgic:names:ISTS:1.0:user:PartnerId" Optional="true">
            <auth:Value>CUSTOMER_ID</auth:Value>
        </auth:ClaimType>
    </trust:Claims>
    <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
    <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
</trust:RequestSecurityToken>

根据第四方的文档,STS 期望是这样的:

<wst:RequestSecurityToken 
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
    xmlns:wsp15="http://www.w3.org/ns/ws-policy" 
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    Context="1aae57c8-092c-47a4-a5eb-c2ecbc21441d"> 
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    <wsp:AppliesTo>
        <wsp15:URI>https://THIRD_PARTY_WS</wsp15:URI>
    </wsp:AppliesTo>
    <wst:Claims Dialect="urn:oasis:names:tc:SAML:2.0:assertion:AttributeStatementType"> 
        <saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml2:Attribute Name="urn:tgic:names:ISTS:1.0:user:PartnerId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                <saml2:AttributeValue>9330931615</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement> 
    </wst:Claims>
    <wst:Lifetime>
        <wsu:Created>2013-09-17T18:18:10Z</wsu:Created>
        <wsu:Expires>2013-09-17T18:23:10Z</wsu:Expires>
    </wst:Lifetime>
</wst:RequestSecurityToken>

该文档的其他地方指出 Context 和 Lifetime 是可选的。因此,据我所知,我有两个问题:

  1. 如何将 ApplysTo 地址序列化为 URI 元素?
  2. 如何将声明序列化为 Attribute/AttributeValue 元素(使用正确的方言)?

我是否必须实现一些自定义序列化?如果是这样,我如何以及在哪里将它连接到工厂/绑定/请求中?

4

1 回答 1

0
  1. 要使用 STS,您必须使用 WS2007HttpBinding 而不是 WSHttpBinding。您可以在 WIF SDK 中找到 STS 示例。它包含一个带有自定义令牌的示例。看这里
  2. 尝试在没有其他客户端参数的情况下发出 securitytoken。制作一个仅发布令牌并调用 RP 方法的工作解决方案。
  3. 据我了解,您希望传递给 STS 自定义客户端凭据PartnerId。在我的项目中,我使用通过请求的AdditionalContext传递自定义凭据。

rst.AdditionalContext = new AdditionalContext(); rst.AdditionalContext.Items.Add(new ContextItem(new Uri("you_any_uri"), PartnerId));

这种方式不需要任何序列化程序。

传递客户端凭据的另一种方法:使用RequestSecurityToken.Properties。在这种情况下,您必须实现自定义请求序列化程序。

var channelFactory = new WSTrustChannelFactory(binging, endpoint)
{
       TrustVersion = TrustVersion.WSTrust13
};
channelFactory.WSTrustRequestSerializer = CustomRequestSerializer;

这里自定义WSTrust13RequestSerializer的实现

public class CustomRequestSerializer: WSTrust13RequestSerializer
{
    public override void WriteXmlElement(XmlWriter writer, string elementName, object elementValue, RequestSecurityToken rst,
        WSTrustSerializationContext context)
    {
        var parameters = new string[1] {"paramname"};

        if (parameters.Any(p => p == elementName))
        {
            writer.WriteElementString(elementName, (string)elementValue);
        }
        else
        {
            base.WriteXmlElement(writer, elementName, elementValue, rst, context);
        }
    }

    public override void ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
    {
        var parameters = new string[1] {"paramname"};

        var key = parameters.FirstOrDefault(reader.IsStartElement);
        if (!string.IsNullOrWhiteSpace(key))
        {
            rst.Properties.Add(key, reader.ReadElementContentAsString());
            return;
        }

        base.ReadXmlElement(reader, rst, context);            
    }
}
于 2015-05-08T06:56:10.627 回答