我正试图通过WCF客户端通过https启用WS-Security来连接外部Java Web服务。该服务使用UserNameToken身份验证。
当客户端调用该服务时,我会得到以下异常:
找不到"System.IdentityModel.Tokens.X509SecurityToken"令牌类型的令牌验证器。根据当前安全设置,不能接受该类型的令牌
我使用此配置的自定义绑定:
端点:
<endpoint address="https://des-afirma.redsara.es/afirmaws/services/ValidarFirma"
binding="customBinding" bindingConfiguration="ValidarFirmaBinding"
contract="AFirma.Firma" name="ValidarFirma" />
</endpoint>
绑定:
<binding name="ValidarFirmaBinding">
<textMessageEncoding messageVersion="Soap11" />
<security
allowSerializedSigningTokenOnReply="true"
authenticationMode="UserNameOverTransport">
<secureConversationBootstrap />
</security>
<httpsTransport>
<extendedProtectionPolicy policyEnforcement="Never" />
</httpsTransport>
</binding>
我读过这个链接http://webservices20.blogspot.co.uk/2010/10/wcf-cannot-find-token-authenticator.html我配置了allowSerializedSigningTokenOnReply值,但它失败了。
这是WCF生成的消息:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<soap:Header>
<wsa:Action />
<wsa:MessageID>urn:uuid:5b36bb8b-4a59-4c5f-9c67-065543db51d5</wsa:MessageID>
<wsa:ReplyTo>
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To>http://des-afirma.redsara.es/afirmaws/services/ValidarFirma</wsa:To>
<wsse:Security soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="Timestamp-cef53b94-4432-4ede-89ea-7a42b7a686d2">
<wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
<wsu:Expires>2012-11-13T13:54:32Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken wsu:Id="SecurityToken-40deaa3d-fe02-4462-963e-7705e4648b24">
<wsse:Username>UserName</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">[Password]</wsse:Password>
<wsse:Nonce>G5CU1R6lKSTpBQ0FAF01rA==</wsse:Nonce>
<wsu:Created>2012-11-13T13:49:32Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<ValidarFirma xmlns="http://afirmaws/services/ValidarFirma">
<paramIn xmlns="">[Param value (XML String)]</paramIn>
</ValidarFirma>
</soap:Body>
</soap:Envelope>
这就是响应:
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next" soapenv:mustUnderstand="0">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="binaryToken">
MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UEAxMIQUNDVi1D
[...]
</wsse:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#" Id="Signature-BDFADICIJJIDI81">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SignedBody-BDFADICIJJIDI81">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>TFKLyv9zd1G7RXK4sJV+hG2WfqQ=</DigestValue>
</Reference>
<Reference URI="#keyInfo-BDFADICIJJIDI81">
<Transforms>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>SWO3sIcC16EcT17pBREoGe3CVes=</DigestValue>
</Reference>
<Reference URI="#binaryToken">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>GT+8/UoUzQgUAhvc25bn+DL6T1E=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue Id="SignatureValue-BDFADICIJJIDI81">
sTVgtvYlVuwhQ9XGcTfHh7lKdUcsf8vF6vyJ/5LVxuwarRDAjMzHcQlvFBlZTn8f
[..]
</SignatureValue>
<KeyInfo Id="keyInfo-BDFADICIJJIDI81">
<KeyValue>
<RSAKeyValue>
<Modulus>
tCxb/yk9DgCJmdxshvm6RwQtRMHqTdI2nDzQ2C761KEGmAaz7jrv8PtVSoNMRVr9
[...]
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue>
<X509Data>
<X509Certificate>
MIIG2TCCBcGgAwIBAgIISXHqSo0f+C0wDQYJKoZIhvcNAQEFBQAwUjERMA8GA1UE
[...]
</X509Certificate>
<X509IssuerSerial>
<X509IssuerName>Certificate name</X509IssuerName>
<X509SerialNumber>Serial number</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
<wsse:SecurityTokenReference xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#binaryToken" />
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body wsu:Id="SignedBody-BDFADICIJJIDI81">
<ValidarFirmaResponse xmlns="http://afirmaws/services/ValidarFirma">
<ValidarFirmaReturn xmlns="" xsi:type="c0bxsd:string">
[return value (XML String)]
</ValidarFirmaReturn>
</ValidarFirmaResponse>
</soapenv:Body>
</soapenv:Envelope>
我尝试了使用WSE 3.0的web服务,它可以工作,但我无法在服务器中安装程序包,因为它是Windows server 2008,安装失败。
尝试使用MessageSecurityVersion(例如WSSecurity11WTrustFebruary2005WSSecureConversationFebruary 2005WSSecurityPolicy11)和安全标记。看看肥皂包。