WCF rejects messages that contain additional signed elements

Date: 2011-01-28 19:39:34

Tags: wcf x509certificate ws-security ws-addressing

We provide a WCF 4.0 service over https that allows clients to sign the message in order to identify themselves. We can then use the certificate to give the client the appropriate permissions on the back end. This works fine when a WCF 4.0 client sends the request, but when a non-WCF client tries to send a request it fails with the following: CryptographicException: Cannot resolve the '#Id-{Guid goes here}' URI in the signature to compute the digest. On inspecting the client request, this failure occurs whenever anything other than the To and Timestamp nodes is signed. The non-WCF client expects to sign the Body, Action, MessageID and ReplyTo parts. Is it possible to configure WCF to expect and allow these signatures, or better yet, to allow them if they are present but not fail if they are absent?

Service configuration file:

<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
<extensions>
  <behaviorExtensions>
    <add name="wsdlExtensions" type="MyWCFElements" />
  </behaviorExtensions>
  <bindingElementExtensions>
    <add name="httpsViaProxyTransport" type="MyWCFElements" />
  </bindingElementExtensions>
</extensions>
<behaviors>
  <endpointBehaviors>
    <behavior name="WsdlBehavior">
      <wsdlExtensions singleFile="true" />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="WebServicesServiceBehavior">
      <serviceMetadata httpsGetEnabled="false" httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceAuthenticationManager serviceAuthenticationManagerType="MyServiceAuthenticationManager" />
      <serviceAuthorization serviceAuthorizationManagerType="MyServiceAuthorizationManager" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyUserNameValidator" />
        <clientCertificate>
          <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<bindings>
  <customBinding>
    <binding name="SignedWebServicesF5BindingConfig">
      <textMessageEncoding />
      <security authenticationMode="CertificateOverTransport" allowInsecureTransport="true" requireDerivedKeys="false" securityHeaderLayout="Lax" />
      <httpsViaProxyTransport />
    </binding>
  </customBinding>
</bindings>
<services>
  <service behaviorConfiguration="WebServicesServiceBehavior" name="WebService">
      <endpoint address="signed" binding="customBinding" behaviorConfiguration="WsdlBehavior" bindingConfiguration="SignedWebServicesF5BindingConfig" contract="IWebServicesContract" name="SignedWebServices"/>
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
  </service>
</services>
</system.serviceModel>

1 answer:

Answer 0: (score: 0)

After working with Microsoft, the answer appears to be that you cannot use CertificateOverTransport and also sign the message body, which is what our client was trying to do. We moved to MutualCertificateDuplex and changed the ProtectionLevel of our responses to ProtectionLevel.None (since we are not interested in signing responses). We are now able to receive requests and return responses over https, so we can still rely on the transport for encryption while the security of the message stays at the message level rather than the transport level.

Hope this helps someone else; this seems to be fairly common in WCF interop scenarios, but there is not a lot of guidance about it on the web.
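The following is an added configuration example, not the poster's own config or the answerer's. It places the binding from the question (CertificateOverTransport, where WCF only expects the To and Timestamp headers to be signed) next to the message-level binding the answer switched to (MutualCertificateDuplex, where the client signs the body and addressing headers with its own certificate). The second binding's name, the `<serviceCertificate>` element and its placeholder subject name are assumptions: message-level mutual certificate modes need a service certificate, which the posted config does not contain.

```xml
<!-- Added example: the original binding next to the message-security
     binding described in the answer. Binding names other than the first,
     and the serviceCertificate element, are assumptions. -->
<bindings>
  <customBinding>
    <!-- As posted: transport security plus a client-certificate signature.
         In this mode WCF expects only the To and Timestamp headers to be
         signed, so a client that also signs Body, Action, MessageID and
         ReplyTo triggers the CryptographicException from the question.
         allowInsecureTransport="true" lets this binding be used over plain
         HTTP as well as HTTPS; the service relies on HTTPS for privacy. -->
    <binding name="SignedWebServicesF5BindingConfig">
      <textMessageEncoding />
      <security authenticationMode="CertificateOverTransport"
                allowInsecureTransport="true"
                requireDerivedKeys="false"
                securityHeaderLayout="Lax" />
      <httpsViaProxyTransport />
    </binding>

    <!-- Per the answer: message-level mutual certificates. The client's
         signature over the body and addressing headers is now expected and
         verified, and the client certificate is still validated by the
         clientCertificate/authentication settings in serviceCredentials. -->
    <binding name="SignedWebServicesMutualCertBindingConfig">
      <textMessageEncoding />
      <security authenticationMode="MutualCertificateDuplex"
                requireDerivedKeys="false"
                securityHeaderLayout="Lax" />
      <httpsViaProxyTransport />
    </binding>
  </customBinding>
</bindings>

<!-- Assumed addition to the existing serviceCredentials: MutualCertificateDuplex
     needs the service's own certificate. The subject name is a placeholder. -->
<serviceCredentials>
  <serviceCertificate findValue="SERVICE_CERT_SUBJECT_PLACEHOLDER"
                      storeLocation="LocalMachine"
                      storeName="My"
                      x509FindType="FindBySubjectName" />
  <clientCertificate>
    <authentication certificateValidationMode="PeerTrust"
                    trustedStoreLocation="LocalMachine" />
  </clientCertificate>
</serviceCredentials>
```

To use the second binding, point the `signed` endpoint's `bindingConfiguration` at `SignedWebServicesMutualCertBindingConfig`. The answer's "ProtectionLevel.None on responses" is a contract-side setting rather than a binding one; in WCF it is expressed with the `ProtectionLevel` property on the response's `[MessageContract]` (or on `[OperationContract]`, which then applies to both directions), so requests stay signed while responses are sent unprotected at the message level and rely on HTTPS only, as the answer describes.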