如何为wso2安全令牌服务创建.NET客户端

时间:2014-11-10 09:29:48

标签: vb.net wcf wso2 soapui wso2is

我需要为wso2安全令牌服务创建一个.NET客户端。

通常我会创建一个简单的控制台或WinForm项目,为它添加一个服务引用。暴露的WSDL将被转换为一组类,我可以用它来查询服务并正确管理它的响应。

不幸的是,生成的请求和响应类是空的:只是没有任何属性或方法的类声明。这与此其他(未答复的)Stack Overflow问题https://stackoverflow.com/q/22049080/2131913

中描述的行为类似

我在此论坛帖子中找到了该服务的示例请求:http://cxf.547215.n5.nabble.com/Sample-STS-Client-tp4643980p4664175.html我使其与SOAP UI一起使用。

是否有适当的,可能是自动的方式来重新创建查询安全令牌服务所需的复杂数据结构?

修改

好的,经过多次尝试后,我已将上述论坛帖子中的SOAP请求减少到仍然从STS服务获取RequestSecurityTokenResponse所需的最小结构。

    <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-6D35592DCDDA26FFF3141578725699577">
        <wsse:Username>USERNAME HERE</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PASSWORD HERE</wsse:Password>
      </wsse:UsernameToken>
      <wsu:Timestamp wsu:Id="TS-6D35592DCDDA26FFF3141578725699576">
        <wsu:Created>2014-11-12T10:14:16.995Z</wsu:Created>
        <wsu:Expires>2014-11-12T10:16:16.995Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
    <wsa:Action soap:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</wsa:Action>
    <wsa:MessageID soap:mustUnderstand="1">uuid:6d4eab69-77f9-42b7-8d6b-1f710020fb0b</wsa:MessageID>
    <wsa:To soap:mustUnderstand="1">STS ENDPOINT ADDRESS HERE</wsa:To>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
      <wst:Claims>
        <wsid:ClaimType Uri="http://wso2.org/claims/userid" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity"/>
      </wst:Claims>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

我已经获得了部分成功,在我的项目的app.config中定义了单个wsHttpBinding,如下所示:

  <wsHttpBinding>
    <binding name="SendUsername"  messageEncoding="Text">
      <security mode ="TransportWithMessageCredential">
        <message clientCredentialType ="UserName"/>
        <transport clientCredentialType ="Basic" />
      </security>
    </binding>
  </wsHttpBinding>

添加或不添加如下所示的CustomBinding:

<customBinding>
     <binding name="wso2carbon-stsSoap12Binding">
      <security defaultAlgorithmSuite="Default" authenticationMode="IssuedToken"
        requireDerivedKeys="true" securityHeaderLayout="Lax" includeTimestamp="true">
        <localClientSettings detectReplays="false" />
        <localServiceSettings detectReplays="false" />
        <issuedTokenParameters keyType ="SymmetricKey" tokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <issuer address =STS ENDPOINT ADDRESS HERE binding ="wsHttpBinding" bindingConfiguration ="SendUsername"/>
          <claimTypeRequirements>
            <add claimType ="http://wso2.org/claims/userid"/>
          </claimTypeRequirements>
        </issuedTokenParameters>
      </security>
      <textMessageEncoding messageVersion="Soap12" />
      <httpsTransport />
    </binding>
  </customBinding>

但是在这两种情况下,请求都会抛出超时异常,并且使用WCF跟踪已发出的请求进行检查,我可以看到它缺少Claims元素。任何提示?

2 个答案:

答案 0 :(得分:4)

答案 1 :(得分:2)

经过多天努力与WCF配置选项,我获得了部分成功。

允许我从安全令牌服务获得响应的关键是我意识到,从长远来看,我需要在联合安全方案中运行。我本身并不需要令牌,但我需要它来获得对其他服务进行身份验证的意思。

考虑到这个选项,我开始探索WCF为这种场景提供的内容,并构建了以下配置选项:

  <wsFederationHttpBinding>
    <binding name="fs">
      <security mode="TransportWithMessageCredential">
        <message issuedKeyType="SymmetricKey" issuedTokenType ="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
          <issuer address = <!-- STS address here --> binding ="customBinding" bindingConfiguration ="StsBinding"/>
          <claimTypeRequirements>
            <add claimType="http://wso2.org/claims/userid" />
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </wsFederationHttpBinding>

以上绑定用于联系需要令牌身份验证的服务,而以下内容则添加了有关如何联系安全令牌颁发者的进一步说明:

  <customBinding>
    <binding name="StsBinding">
      <textMessageEncoding messageVersion="Soap12WSAddressingAugust2004"/>
      <useManagedPresentation/>
      <security authenticationMode="UserNameOverTransport" includeTimestamp ="true" keyEntropyMode ="ServerEntropy" securityHeaderLayout ="Lax"   
                messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10" >
      </security>
      <httpsTransport authenticationScheme ="Basic"/>
    </binding>
  </customBinding>

通过这种配置,在Fiddler和WCF跟踪的帮助下,我可以看到我从STS发行者处获得安全令牌响应。

正如我所说,在开始时,这只是部分成功,因为WCF基础设施在处理令牌时表示它有错误的操作......但这可能是另一个问题的子图; - )< / p>

我希望这可以被认为是一个有效的答案,尽管我对令牌认证的追求还没有结束