1

我们有一个基于 https 的 WCF 4.0 服务,它允许客户端签署消息以识别自己。然后,我们可以使用证书在后端为客户端提供适当的权限。当 WCF 4.0 客户端发送请求时,这可以正常工作,但是当非 WCF 尝试发送请求时,它会失败并显示以下内容: CryptographicException: Unable to resolve the '#Id-{Guid goes here}' URI in the signature计算摘要。在检查客户端请求时,只要签署了 To 和 Timestamp 节点以外的任何内容,就会发生此故障。非 WCF 客户端希望对正文、操作、消息 ID 和回复部分进行签名。是否可以将 WCF 配置为期望并允许这些签名,或者更好的是,如果它们存在则允许它们,但如果它们不存在则不要出错?

服务配置文件:

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<extensions>
  <behaviorExtensions>
    <add name="wsdlExtensions" type="MyWCFElements" />
  </behaviorExtensions>
  <bindingElementExtensions>
    <add name="httpsViaProxyTransport" type="MyWCFElements" />
  </bindingElementExtensions>
</extensions>
<behaviors>
  <endpointBehaviors>
    <behavior name="WsdlBehavior">
      <wsdlExtensions singleFile="true" />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="WebServicesServiceBehavior">
      <serviceMetadata httpsGetEnabled="false" httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceAuthenticationManager serviceAuthenticationManagerType="MyServiceAuthenticationManager" />
      <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManager" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyUserNameValidator" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <customBinding>
    <binding name="SignedWebServicesF5BindingConfig">
      <textMessageEncoding />
      <security authenticationMode="CertificateOverTransport" allowInsecureTransport="true" requireDerivedKeys="false" securityHeaderLayout="Lax" />
      <httpsViaProxyTransport />
    </binding>
  </customBinding>
</bindings>
<services>
  <service behaviorConfiguration="WebServicesServiceBehavior" name="WebService">
      <endpoint address="signed" binding="customBinding" behaviorConfiguration="WsdlBehavior" bindingConfiguration="SignedWebServicesF5BindingConfig" contract="IWebServicesContract" name="SignedWebServices"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>

4

1 回答 1

0

与 Microsoft 合作后,答案似乎是您无法使用 CertificateOverTransport 并签署消息正文,这是我们的客户试图做的。我们移至 MutualCertificateDuplex 并将响应的 ProtectionLevel 更改为 ProtectionLevel.None(因为我们对签署响应不感兴趣)。我们现在能够通过 https 接收请求并获得响应,因此我们仍然可以依赖传输进行加密,同时将消息的安全性保持在消息级别,而不是传输级别。

希望这对其他人有所帮助,这在 WCF 互操作场景中似乎相当普遍,但在网络上并没有大量关于此的指导。

于 2011-02-14T14:35:58.637 回答