在web.config中指定默认的WS Trust凭据

时间:2012-10-17 17:01:29

标签: wcf wif claims-based-identity ws-trust

我有一个使用WIF实现的自定义STS。我的WS-Trust服务正在使用这些配置:

<behavior name="WSTrustServiceBehaviour">
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceMetadata httpGetEnabled="true" />

    <serviceCredentials>
        <clientCertificate>
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="NoCheck"
                            trustedStoreLocation="LocalMachine"/>
        </clientCertificate>

        <serviceCertificate storeLocation="LocalMachine"
                            storeName="TrustedPeople"
                            x509FindType="FindByThumbprint"
                            findValue="5BF081CCC2E20094D0648F0A3F3C6A598155D606"/>
    </serviceCredentials>
</behavior>

<ws2007HttpBinding>
    <binding name="WSTrustHttpBinding">
        <security>
            <message clientCredentialType="Certificate"
                     negotiateServiceCredential="false" 
                     establishSecurityContext="false"/>
        </security>
    </binding>
</ws2007HttpBinding>

<service name="System.ServiceModel.Security.WSTrustServiceContract"
         behaviorConfiguration="WSTrustServiceBehaviour">
    <endpoint name="WSTrust13HttpEndpoint"
              address="http/v13"
              binding="ws2007HttpBinding"
              bindingConfiguration="WSTrustHttpBinding"
              contract="System.ServiceModel.Security.IWSTrust13AsyncContract"/>
    <endpoint name="WSTrustFeb05HttpEndpoint"
              address="http/feb05"
              binding="ws2007HttpBinding"
              bindingConfiguration="WSTrustHttpBinding"
              contract="System.ServiceModel.Security.IWSTrustFeb2005AsyncContract" />
    <endpoint name="WSTrustMexHttpEndpoint"
              binding="mexHttpBinding"
              bindingConfiguration=""
              address="http/mex"
              contract="IMetadataExchange"/>
    <host>
        <baseAddresses>
            <add baseAddress="http://services.example.com" />
        </baseAddresses>
    </host>
</service>

现在我有一个需要调用WCF服务的Web应用程序。 Web应用程序和WCF服务都是我的自定义STS的依赖方。在我的Web应用程序的web.config中,我有以下内容:

<ws2007FederationHttpBinding>
    <binding name="MyWCFServiceWS2007FederationHttpBinding"
             useDefaultWebProxy="false"
             messageEncoding="Mtom">
        <security mode="Message">
            <message>
                <issuer address="http://sts.example.com/WSTrust.svc/http/feb05"
                        binding="ws2007HttpBinding"
                        bindingConfiguration="WSTrustHttpBinding"/>
                <issuerMetadata address="http://sts.example.com/Bus/WSTrust.svc/http/mex"/>
            </message>
        </security>
    </binding>
</ws2007FederationHttpBinding>

<endpointBehaviors>
    <behavior name="MyWCFServiceWS2007HttpEndpointBehavior">
        <clientCredentials supportInteractive="false"
                           useIdentityConfiguration="true">
            <serviceCertificate>
                <authentication certificateValidationMode="ChainTrust"
                                revocationMode="NoCheck"/>
            </serviceCertificate>
        </clientCredentials>
    </behavior>
</endpointBehaviors>

<client>
    <endpoint name="MyWCFServiceWS2007FederationHttpEndpoint"
              address="http://services.example.com/MyWCFService.svc/..."
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="MyWCFServiceWS2007FederationHttpBinding"
              contract="..."
              behaviorConfiguration="IdentityWS2007HttpEndpointBehavior"/>
</client>

现在的问题是,当我尝试使用客户端端点调用My WCF服务时,WCF将首先联系STS WS-Trust端点以获取令牌。

但WS-Trust服务期望客户端提供证书来验证自己。如何在web.config中指定这些凭据?

我认为在代码中我会做类似的事情:

var trustChannelFactory = new WSTrustChannelFactory(..., ...);

trustChannelFactory.TrustVersion = System.ServiceModel.Security.TrustVersion.WSTrust13;

trustChannelFactory.Credentials.SupportInteractive = false;

// Set the credentials here:
trustChannelFactory.Credentials  ...

有什么想法吗?

感谢。

0 个答案:

没有答案