0

我正在创建一个 Active STS,它使用颁发的令牌(SAML1、SAML2)对 RST 进行身份验证并颁发 BinarySecurityTokens。这对 .net 客户端运行良好。但是,来自 Java 客户端(代码、SOAP UI 等)的 RST,我们得到以下异常-

<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc&amp;amp; rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp;amp; rpc)
       at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
       at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
       at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
       at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
       at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...

我怀疑问题出在绑定的 serviceAuthorization 上。但是,我找不到任何有关为基于声明的身份验证配置授权的文档。这是我的配置-行为-

<serviceBehaviors>
<behavior name="">
  <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
  <serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="WSTrustServiceBehaviour">
  <serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
    <issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
    </issuedTokenAuthentication>
  </serviceCredentials>
  <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
  <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
  <serviceDebug includeExceptionDetailInFaults="true" />
  <serviceAuthorization principalPermissionMode="Always" />
</behavior>
</serviceBehaviors>

捆绑

<ws2007FederationHttpBinding>
<clear/>
<binding name="WS2007FedttpBinding">
  <security mode="TransportWithMessageCredential">
    <message establishSecurityContext="false" issuedKeyType="BearerKey">
    </message>
  </security>
</binding>
</ws2007FederationHttpBinding>

服务-

<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
    <endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

请让我知道缺少什么

4

1 回答 1

0

似乎 ws2007FederationHttpBinding 要求 RST 具有 WS-Addressing 标头,并且由于来自 java 客户端的请求缺少 WS-Addressing 标头而发生访问被拒绝错误。我没有找到为 ws2007FederationHttpBinding 禁用 WS-Addressing 的选项,因此现在我们已请求客户端添加 WS-Addressing 标头。

于 2016-01-04T16:14:38.500 回答