我正在尝试使用此规范从WCF客户端使用java Web服务:
通过HTTPS进行通信(我的计算机上安装了证书)。
这是客户端的配置:
端点:
<endpoint address="https://..."
binding="customBinding" bindingConfiguration="SincronSoapCustom" behaviorConfiguration="webEndpointExtern"
contract="Proves.Service.SincronSoap" name="SincronSoap">
<identity>
<dns value="Test app"/>
</identity>
</endpoint>
自定义绑定:
<customBinding>
<binding name="SincronSoapCustom" >
<security authenticationMode="MutualCertificate" allowSerializedSigningTokenOnReply="true" requireSignatureConfirmation="false" requireDerivedKeys="false" includeTimestamp="true" securityHeaderLayout="LaxTimestampLast" messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10">
</security>
<textMessageEncoding messageVersion="Soap11" writeEncoding="utf-8" ></textMessageEncoding>
<httpsTransport transferMode="Buffered" ></httpsTransport>
</binding>
</customBinding>
行为:
<behavior name="webEndpointExtern">
<clientCredentials>
<clientCertificate findValue="19cab2cd6bc982fb" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<serviceCertificate>
<defaultCertificate findValue="311a360557c1056c5367435e7dad3866" storeLocation="CurrentUser"
storeName="My" x509FindType="FindBySerialNumber" />
<authentication certificateValidationMode="PeerOrChainTrust" />
</serviceCertificate>
</clientCredentials>
</behavior>
仅签署消息(并避免加密)我在服务合同中设置保护级别:
<System.CodeDom.Compiler.GeneratedCodeAttribute("System.ServiceModel", "4.0.0.0"),
System.ServiceModel.ServiceContract([Namespace]:="http://xxxx/", ProtectionLevel:=Net.Security.ProtectionLevel.Sign)>
Public Interface SincronSoap
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*", ProtectionLevel:=Net.Security.ProtectionLevel.Sign),
System.ServiceModel.XmlSerializerFormatAttribute(SupportFaults:=True)>
Function procesa(ByVal request As Service.procesaRequest) As Service.procesaResponse
<System.ServiceModel.OperationContractAttribute(Action:="http://xxxxxx", ReplyAction:="*")>
Function procesaAsync(ByVal request As PdibService.procesaRequest) As System.Threading.Tasks.Task(Of Service.procesaResponse)
End Interface
使用此配置,我的请求由服务器正确处理,但我的客户端在处理响应时抛出错误:
无法使用'ValueType'的BinarySecretSecurityToken的'http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd'命名空间从'SignatureConfirmation'元素读取令牌。如果预期此元素有效,请确保将安全性配置为使用指定了名称,名称空间和值类型的标记。
好的,我的客户端使用WS-Security 1.0,并且只允许在WS-Security 1.1中使用SignatureConfirmation元素。该服务的提供者向我确认正确的版本是1.1。 所以我改变了:
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
为:
WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
但是当我使用此配置发出请求时,远程服务器返回错误:
WSDoAllReceiver:安全处理失败;嵌套异常是: org.apache.ws.security.WSSecurityException:一般安全性错误(WSSecurityEngine:没有为解密提供的加密文件)
在这种情况下,我的客户端似乎在请求中包含了一些加密,而服务器并不期望它。这是请求:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="868039bc-362d-4d3b-93fa-afb7ccdaf7e9">8160d724-54b3-4aa5-acbd-82d26abbf3b5</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#" Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod xmlns="http://www.w3.org/2000/09/xmldsig#" Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">M0m/j9IjdvtsfXoboTzGX4jRw5I=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>..removed..</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="_0">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>m6K+Htbhimq+ncV9cu48xtaHCXU=</DigestValue>
</Reference>
<Reference URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>DptGdl9nICPuR7ym4VB4DAsT05o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>b7kn3APi45hTIGgnbhSvwInLmMP=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<o:Reference ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" URI="#uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>80Q2miLGWvPm9Tl8qN2CwPHwbIA=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-20121b2c-b772-4bc9-83fe-f422d6a80a0b-1" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-caa9c9fc-8225-403e-b844-fffa7e439ec6-2">
<u:Created>2017-01-23T11:48:37.635Z</u:Created>
<u:Expires>2017-01-23T11:53:37.635Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
.................. removed ............................
</s:Body>
</s:Envelope>
这是我使用WS-Security 1.0时的请求:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<ActivityId xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics" CorrelationId="8797dc6e-b03a-4681-ab6f-6d52c561a79a">3e959f6f-2b84-4aca-a024-b5b50f429730</ActivityId>
<o:Security xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" s:mustUnderstand="1">
<o:BinarySecurityToken>
<!--Removed-->
</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>frO7LOsocv71gm5QWTGhfem0VQY=</DigestValue>
</Reference>
<Reference URI="#uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>/FLwiT1IYuqSWdrthZRebVeql0c=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>..removed..</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-2cf2ba54-442a-422c-a2e7-b6861431c23b-2" />
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
<u:Timestamp u:Id="uuid-5768e670-1786-4c0c-b563-0306ac7fc3eb-1">
<u:Created>2017-01-23T11:36:11.128Z</u:Created>
<u:Expires>2017-01-23T11:41:11.128Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" u:Id="_1">
... removed ...
</s:Body>
</s:Envelope>
在这种情况下,请求中不包含加密。 问题是,为什么我的客户端在从WS-Security 1.0更改为1.1时使用加密?
我该如何避免这种情况?
感谢。