我想设置一个模块,该模块将与远程作为服务和客户端的其他模块进行通信。通信应该在SOAP 1.2中进行,它应该使用OASIS WSS 1.1和X.509证书令牌配置文件。 OASIS WSS 1.1 X.509 specs
我已经使用makecert制作了开发证书,并且它已经被信任了。
由于模块基本上是基于C#的,因此所有设置都以代码形式给出。到目前为止,我得到了以下服务代码:
绑定代码:
System.ServiceModel.Channels.AsymmetricSecurityBindingElement asbe = new AsymmetricSecurityBindingElement();
asbe.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12;
asbe.InitiatorTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient };
asbe.RecipientTokenParameters = new System.ServiceModel.Security.Tokens.X509SecurityTokenParameters { InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient };
asbe.MessageProtectionOrder = System.ServiceModel.Security.MessageProtectionOrder.SignBeforeEncrypt;
asbe.SecurityHeaderLayout = SecurityHeaderLayout.Strict;
asbe.EnableUnsecuredResponse = true;
asbe.IncludeTimestamp = false;
asbe.SetKeyDerivation(false);
asbe.DefaultAlgorithmSuite = System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128Rsa15;
asbe.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
asbe.EndpointSupportingTokenParameters.Signed.Add(new X509SecurityTokenParameters());
CustomBinding myBinding = new CustomBinding();
myBinding.Elements.Add(asbe);
myBinding.Elements.Add(new TextMessageEncodingBindingElement(MessageVersion.Soap12, Encoding.UTF8));
HttpsTransportBindingElement httpsBindingElement = new HttpsTransportBindingElement();
httpsBindingElement.RequireClientCertificate = true;
myBinding.Elements.Add(httpsBindingElement);
行为代码:
//Then initiate the service host
_Host = new ServiceHost(typeof(TClass), baseAddress);
//Add the service endpoint we defined
_Host.AddServiceEndpoint(typeof(TInterface), _Binding, typeof(TInterface).ToString());//BindingHelper.GetUserNameBinding(), "");
//Set searching the certificate
_Host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "MyServerCert");
_Host.Credentials.ClientCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.None;
_Host.Credentials.ClientCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
//Allow the metadata spreading
ServiceMetadataBehavior smb = new ServiceMetadataBehavior();
smb.HttpsGetEnabled = true;
smb.HttpGetEnabled = true;
_Host.Description.Behaviors.Add(smb);
ServiceDebugBehavior sdb = new ServiceDebugBehavior();
sdb.IncludeExceptionDetailInFaults = false; //Should only provide the endpoint property (GP WS-Message profile specs)
//Add the appropriate endpoint
if (baseAddress.AbsoluteUri.Contains("https"))
_Host.AddServiceEndpoint(
typeof(IMetadataExchange),
MetadataExchangeBindings.CreateMexHttpsBinding(),
"mex");
else
_Host.AddServiceEndpoint(
typeof(IMetadataExchange),
MetadataExchangeBindings.CreateMexHttpBinding(),
"mex");
在客户端,我使用相同的代码来创建绑定,另外我使用以下行为:
channelFactory = new ChannelFactory<T>(bindIn, serviceAddress);
if (wsFeature != null)
{
channelFactory.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
channelFactory.Endpoint.Behaviors.Add(wsFeature);
channelFactory.Credentials.ClientCertificate.SetCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "MyServerCert");
channelFactory.Credentials.ServiceCertificate.SetScopedCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "MyServerCert",serviceAddress.Uri);
}
_ProxiObject = channelFactory.CreateChannel();
基本上,行为wsFeature是一个简单的类,几乎什么都不做(只为IEndpointBehavior实现空白函数)。
我在 https://localhost.:8084/testhosting4的同一台机器上同时拥有服务和客户端,即使服务和客户端都成功创建,我也只得到了“在向https://localhost.:8084/testhosting4发出HTTP请求时出错”等。 “错误。
我已经设法通过不安全的通道与模块连接(BasicHttpBinding - 没有安全性)并交换消息,因此我确信在定义绑定或分配凭据时我犯了一个错误。显然,我已经在这里浏览了很多,但无法找到一个有效的解决方案。 这是我第一次见到WCF和X509而且我根本就没有进行安全通信。所以有很多场合犯错误。请指出我制作的那些。 谢谢!