I have a WCF service. The binding is wsHttpBinding and the security mode is Message security. The service is hosted in IIS, and the site binding in IIS is http (80). The service also has a certificate configured in its service behavior.
Binding:
<wsHttpBinding>
<binding name="maksServiceBinding" maxReceivedMessageSize="2147483647">
<security mode ="Message">
<message clientCredentialType="UserName" establishSecurityContext="true" />
</security>
</binding>
</wsHttpBinding>
Behavior:
<serviceCredentials>
<serviceCertificate findValue="xxxxName" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="xxx.xxx.xxxServiceUsernameValidator, xxx.xxx"/>
<!--<clientCertificate >
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck"/>
</clientCertificate>-->
</serviceCredentials>
My service works fine, but I have three questions:
1) How can I force the client to use these settings: certificateValidationMode="ChainTrust" revocationMode="NoCheck"? These settings can be changed on the client side (for example, certificateValidationMode can be changed to None), but I don't want the client to be able to change them. The commented-out section above does not work.
2) When certificateValidationMode is ChainTrust, the client needs to add a certificate in order to use my service. But if the client does not add a certificate and changes certificateValidationMode to None, the client can still use the service. If I can't find a solution that prevents this, I will write a custom certificate validation with X509CertificateValidator, because otherwise the service messages cannot be encrypted (not secure).
3) I observed the client's requests and responses with Fiddler2. I tried two cases. First: the certificate is added and certificateValidationMode is ChainTrust. Second: no certificate is added and certificateValidationMode is None. The requests and responses are identical in both cases. Here is the question: are the requests and responses encrypted? If they are encrypted, how does the second case work, since there is no certificate on the client? Could the certificate be stored somewhere else, such as a cache?
Fiddler2 output:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1" u:Id="_2">http://nvi.gov.tr/adres/IMaksCrudBusinessOf_Bina/Read</a:Action>
<a:MessageID u:Id="_3">urn:uuid:e1ef9b1b-14c4-4952-b535-ff84a11b18b4</a:MessageID>
<a:ReplyTo u:Id="_4">
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1" u:Id="_5">http://umuts/MaksServices/MaksBinaIslemleri.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-11">
<u:Created>2013-03-10T17:54:01.744Z</u:Created>
<u:Expires>2013-03-10T17:59:01.744Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken u:Id="uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:ced2f798-d488-405d-9e4d-a9bce5acc8f5</c:Identifier>
</c:SecurityContextToken>
<c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-9" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
</o:SecurityTokenReference>
<c:Offset>0</c:Offset>
<c:Length>24</c:Length>
<c:Nonce>vUN53uBYs3XxRkW30IRUGg==</c:Nonce>
</c:DerivedKeyToken>
<c:DerivedKeyToken u:Id="uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-e4d1e34d-0fe2-4a44-a5f7-b94ab0e4d33c-5"/>
</o:SecurityTokenReference>
<c:Nonce>cJDYx++Xl28SaS57RPr/Og==</c:Nonce>
</c:DerivedKeyToken>
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:DataReference URI="#_1"/>
<e:DataReference URI="#_6"/>
</e:ReferenceList>
<e:EncryptedData Id="_6" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>[ciphertext omitted]</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</o:Security>
</s:Header>
<s:Body u:Id="_0">
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/dk" URI="#uuid-fcbcbde5-ec92-4e46-9a7b-f541ed9e62c8-10"/>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>xgJK91cn2sLm4FvnVJZoueexPXVExJaA/gCoBdZK2nLlBLvIFnQz/Y6okzRfh0jugF6Vrx5aj+0i3T6V6TfNnBkFuLsKnDeyL2D/cawlBqM=</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
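As an added example, not code from the question or the service it describes: a custom validator of the kind the second question mentions, enforcing chain building with online revocation checking in service-side code instead of a client-editable config value. It plugs into the service's <clientCertificate><authentication certificateValidationMode="Custom" customCertificateValidatorType="..."/> element, which WCF consults only when the binding uses clientCredentialType="Certificate" (with UserName, as in the posted binding, the service receives no client certificate, and the client's own certificateValidationMode governs how the client checks the service certificate). The namespace, class name and assembly name are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace Example.Security // assumed namespace; not from the question
{
    // WCF calls Validate() for each presented client certificate when the
    // service behavior contains:
    //   <clientCertificate>
    //     <authentication certificateValidationMode="Custom"
    //       customCertificateValidatorType="Example.Security.StrictChainValidator, Example"/>
    //   </clientCertificate>
    // Throwing rejects the message; returning accepts it.
    public class StrictChainValidator : X509CertificateValidator
    {
        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new SecurityTokenValidationException("No client certificate presented.");

            var chain = new X509Chain();
            // Same trust anchor rule as ChainTrust, but revocation is checked
            // for the whole chain instead of revocationMode="NoCheck".
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
            chain.ChainPolicy.VerificationTime = DateTime.Now;

            if (chain.Build(certificate))
                return;

            // Collect every chain status so the fault and the log say why
            // the certificate was rejected (expired, untrusted root, revoked...).
            var reasons = new StringBuilder();
            foreach (X509ChainStatus status in chain.ChainStatus)
                reasons.Append(status.Status).Append(": ")
                       .Append(status.StatusInformation.Trim()).Append("; ");

            throw new SecurityTokenValidationException(
                "Client certificate '" + certificate.Subject + "' rejected: " + reasons);
        }
    }
}
```

The same validator type can be wired into a client's <clientCredentials><serviceCertificate><authentication> element to check the service certificate, but anything placed in the client's configuration stays under the client's control.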