我正在创建一个活动STS,该STS使用已颁发的令牌(SAML1、SAML2)对RST进行身份验证,并颁发BinarySecurityTokens。这对.net客户端来说运行良好。然而,RST来自Java客户端(代码、SOAP UI等),我们得到以下异常-
<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...
我怀疑问题出在绑定的serviceAuthorization上。但是,我找不到任何关于为基于声明的身份验证配置授权的文档。这是我的配置-行为-
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="WSTrustServiceBehaviour">
<serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
<issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
</issuedTokenAuthentication>
</serviceCredentials>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization principalPermissionMode="Always" />
</behavior>
</serviceBehaviors>
绑定
<ws2007FederationHttpBinding>
<clear/>
<binding name="WS2007FedttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey">
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
服务-
<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
<endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
请让我知道缺少什么
似乎ws2007FederationHttpBinding要求RST具有WS-Addressing标头,并且由于来自java客户端的请求缺少WS-Addressing头,因此发生了拒绝访问错误。我没有找到为ws2007FederationHttpBinding禁用WS-Addressing的选项,所以目前我们已经请求客户端添加WS-Addressing标头。