我的任务是创建一个将由外部客户端使用的WCF服务。客户端正在使用WSSE安全性,具体来说,它们通过SOAP头传递用户名令牌。
WCF服务托管在启用SSL的IIS服务器上。
在这一点上,我有一个半工作原型。我现在要处理的问题是SOAP报头将mustUnderstand属性设置为1,这会导致流程失败。我想要一些关于如何处理用户名令牌的建议(或者更好的是,一个代码示例smiles),以便在mustUnderstand属性为true时返回正确的响应。
下面是一个失败的SOAP请求示例:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tem="http://tempuri.org/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>TestUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TestPWD</wsse:Password>
<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">NzU3MjFhN2YtYTlmYS00ZWZjLTkxNjktY2ExZjlkZDEwNzE5</wsse:Nonce>
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2011-10-26T03:04:39Z</wsu:Created>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<tem:Getstuff>
<tem:Arg1>Arg1</tem:Arg1>
<tem:Arg2>Arg2</tem:Arg2>
</tem:Getstuff>
</soapenv:Body>
</soapenv:Envelope>
如果将soapenv:mustUnderstand="1"修改为soapenv:mustUnderstand="0",则处理正常
PS:这是客户发送的修改后的请求示例:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Header>
<Action s:mustUnderstand="1" xmlns="http://schemas.microsoft.com/ws/2005/05/addressing/none">http://tempuri.org/WService/Getstuff</Action>
<Security xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="removed" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Username>TestUser</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">TestPass</wsse:Password>
<wsse:Nonce>2Udx78sh2y2xRJYJpZZ9+w==</wsse:Nonce>
<wsu:Created>2011-09-26T19:12:48Z</wsu:Created>
</wsse:UsernameToken>
</Security>
</s:Header>
<s:Body>
<Getstuff xmlns="http://tempuri.org/">
<Arg1>Arg1</Arg1>
<Arg2>Arg2</Arg2>
</Getstuff>
</s:Body>
</s:Envelope>
我收到以下对上述请求的响应:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<s:Fault>
<faultcode>s:MustUnderstand</faultcode>
<faultstring xml:lang="en-US">The header 'Security' from the namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' was not understood by the recipient of this message, causing the message to not be processed. This error typically indicates that the sender of this message has enabled a communication protocol that the receiver cannot process. Please ensure that the configuration of the client's binding is consistent with the service's binding.</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>
这是绑定:
<bindings>
<basicHttpBinding>
<binding name="TransportBind" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
<security mode="Transport">
<transport clientCredentialType="None" />
</security>
</binding>
<binding name="basic" maxBufferSize="2147483647" maxBufferPoolSize="2147483647"
maxReceivedMessageSize="2147483647">
<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
</binding>
</basicHttpBinding>
</bindings>
您的绑定是basicHttpBinding。您需要使用wsHttpBinding
我通过在WCF配置中不使用生成的WS-Security头(当您添加服务引用时)来解决此问题,而是将此注释出来,而不是让。net通过使用客户端凭据并指定"TransportWithMessageCredential"的安全模式来生成头本身:
client.ClientCredentials.UserName.UserName = "UserName";
client.ClientCredentials.UserName.Password = "Password";
<basicHttpBinding>
<binding name="Binding">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
</basicHttpBinding>
(我们正在使用SSL,因此需要此安全设置)。
被注释掉的生成头:
<client>
<endpoint ...>
<!--<headers>
<wsse:Security...>
</wsse:Security>
</headers>-->
</endpoint>
</client>
不幸的是,我不知道足够的WCF来捕获原始soap请求/响应来比较差异,并了解为什么ClientCredentials不会导致"未理解"错误,而生成的标头会。
作为题外话,根据MSDN文档,如果您只使用"Transport",它将不知道使用WS-Security:"将此属性保留其默认值,即System.ServiceModel.SecurityMode.Transport,以不使用WS-Security。"
+1 @JohnSaunders,因为他很可能找对了对象。
您的客户端是。net/wcf吗?如果没有,它可能没有实现WS-Security,或者至少没有以WCF希望的方式实现。
如果客户端是。net,这只是客户端一个不匹配的绑定。
mustUnderstand标志表示必须确认和处理WS-Security报头。一个非WS-Security客户端,无论是因为它不讲WS-Security还是因为它没有配置WS-Security,都将忽略报头,无论如何都尝试使用该消息,服务器将退出。
您的另一个选择是在服务器上启用拒绝。它将停止发送WS-Security头。当然,这样你就不会得到否定。