How to fix WCF service MessageSecurityException: the security header element 'Timestamp' with the '' id must be signed
We are creating a WCF service that must conform to a predefined WSDL. One of the requirements is that the timestamp, all WS-Addressing headers and the message body must be signed.
To achieve this we added the following CustomBinding:
// Security binding element: mutual X.509 certificates, duplex, WS-Security 1.0 profile
var secBE = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateDuplexBindingElement(MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10);
secBE.EnableUnsecuredResponse = true;
secBE.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
secBE.IncludeTimestamp = true;
secBE.DefaultAlgorithmSuite = SecurityAlgorithmSuite.TripleDesRsa15;
secBE.AllowSerializedSigningTokenOnReply = true;
secBE.RecipientTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToInitiator;
// Create binding element for encoding
var mtomBE = new MtomMessageEncodingBindingElement(MessageVersion.Soap11WSAddressing10, Encoding.UTF8);
// Create binding element for transport
var httpsBE = new HttpsTransportBindingElement();
httpsBE.RequireClientCertificate = false;
httpsBE.AuthenticationScheme = AuthenticationSchemes.Anonymous;
// Stack the elements: security, then encoding, then transport
CustomBinding binding = new CustomBinding();
binding.Elements.Add(secBE);
binding.Elements.Add(mtomBE);
binding.Elements.Add(httpsBE);
A client certificate is used, but we host the endpoint on Azure, where the certificate is moved into the "X-ARR-ClientCert" header, so we cannot use the built-in certificate validator that RequireClientCertificate = true enables.
I have enabled tracing, and the following exception is thrown when a request from the client is received:
<ExceptionType>System.ServiceModel.Security.MessageSecurityException,System.ServiceModel,Version=4.0.0.0,Culture=neutral,PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>The security header element 'Timestamp' with the 'wssecurity_signature_id_1803' id must be signed.</Message>
Looking at the request message, it contains the following headers:
<MessageHeaders>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:BinarySecurityToken>
<!-- Removed-->
</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="ds soapenc soapenv wsa wsse xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference URI="#wssecurity_signature_id_1799">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1800">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1801">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="p324 soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1802">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1803">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsse wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#wssecurity_signature_id_1804">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soapenc soapenv wsa wsu xsd xsi "
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue><!-- Removed--></ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue><!-- Removed--></ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#x509bst_1805" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="wssecurity_signature_id_1803"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
</wsu:Timestamp>
</wsse:Security>
<wsa:To wsu:Id="wssecurity_signature_id_1802"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:To>
<wsa:Action wsu:Id="wssecurity_signature_id_1804"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><!-- Removed--></wsa:Action>
<wsa:MessageID wsu:Id="wssecurity_signature_id_1799"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
<wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800"
xmlns:wsa="http://www.w3.org/2005/08/addressing"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
</MessageHeaders>
I have no control over the request message sent to the WCF service, so everything has to be fixed on the server side. Why is the timestamp not detected as signed?
Solution
I changed a few things and it started working. First, on the AsymmetricSecurityBindingElement:
- Set EnableUnsecuredResponse to false.
- Added SecurityHeaderLayout, which defaults to Strict, and set it to SecurityHeaderLayout.LaxTimestampLast.
Then I added a custom MessageEncodingBindingElement that implements a custom MessageEncoder. That encoder adds the To and MessageID headers, but I don't think that was the problem.
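When a request like the one above is rejected, the first thing to establish is whether the signature really covers the Timestamp and how the wsse:Security header is laid out, since the accepted fix (LaxTimestampLast) changes the expected position of the Timestamp rather than what is signed. The following script is an added example, not code from the question or the answer: it parses a trimmed copy of the captured headers (the removed token, digest and signature values are replaced by constructed placeholders), maps every wsu:Id to its element, resolves each ds:Reference URI from ds:SignedInfo, and reports which parts are signed, which references it cannot resolve (the body reference #wssecurity_signature_id_1801 lies outside the quoted headers), and where the Timestamp sits in the security header. It does not verify digests or the signature value; it only checks coverage and layout.

```python
"""Report which WS-Security parts a captured SOAP header block signs and how it is laid out.

Added example, not part of the original question or answer. The sample XML
is a trimmed copy of the request headers quoted in the question, with the
removed values replaced by constructed placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: headers from the question, digests/token/signature replaced by placeholders.
SAMPLE_HEADERS = f"""<MessageHeaders xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
                xmlns:ds="{NS['ds']}" xmlns:wsa="{NS['wsa']}">
  <wsse:Security>
    <wsse:BinarySecurityToken wsu:Id="x509bst_1805">PLACEHOLDER</wsse:BinarySecurityToken>
    <ds:Signature>
      <ds:SignedInfo>
        <ds:Reference URI="#wssecurity_signature_id_1799"/>
        <ds:Reference URI="#wssecurity_signature_id_1800"/>
        <ds:Reference URI="#wssecurity_signature_id_1801"/>
        <ds:Reference URI="#wssecurity_signature_id_1802"/>
        <ds:Reference URI="#wssecurity_signature_id_1803"/>
        <ds:Reference URI="#wssecurity_signature_id_1804"/>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <wsu:Timestamp wsu:Id="wssecurity_signature_id_1803">
      <wsu:Created>2021-04-07T07:25:47.641Z</wsu:Created>
    </wsu:Timestamp>
  </wsse:Security>
  <wsa:To wsu:Id="wssecurity_signature_id_1802">PLACEHOLDER</wsa:To>
  <wsa:Action wsu:Id="wssecurity_signature_id_1804">PLACEHOLDER</wsa:Action>
  <wsa:MessageID wsu:Id="wssecurity_signature_id_1799">uuid:44bf184f-c7af-4efc-9385-cda168692d60</wsa:MessageID>
  <wsa:ReplyTo wsu:Id="wssecurity_signature_id_1800">
    <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
  </wsa:ReplyTo>
</MessageHeaders>"""


def local_name(el):
    """Strip the namespace from an element tag, e.g. '{ns}Timestamp' -> 'Timestamp'."""
    return el.tag.split("}", 1)[1] if "}" in el.tag else el.tag


def index_ids(root):
    """Map every wsu:Id in the document to its element; duplicates make references ambiguous."""
    ids = {}
    for el in root.iter():
        wid = el.get(WSU_ID)
        if wid is None:
            continue
        if wid in ids:
            raise ValueError(f"duplicate wsu:Id {wid!r}")
        ids[wid] = el
    return ids


def signed_references(root):
    """Return the fragment ids referenced from ds:SignedInfo (only same-document '#id' URIs)."""
    refs = []
    for ref in root.findall(".//ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError(f"unsupported reference URI {uri!r}")
        refs.append(uri[1:])
    return refs


def analyse(xml_text):
    """Resolve the signature references and describe the wsse:Security layout."""
    root = ET.fromstring(xml_text.strip())
    ids = index_ids(root)
    signed, unresolved = {}, []
    for rid in signed_references(root):
        if rid in ids:
            signed[rid] = local_name(ids[rid])
        else:
            unresolved.append(rid)  # e.g. the body, which is outside a header-only capture

    security = root.find(".//wsse:Security", NS)
    order = [local_name(c) for c in security] if security is not None else []
    timestamp = root.find(".//wsse:Security/wsu:Timestamp", NS)
    ts_id = timestamp.get(WSU_ID) if timestamp is not None else None
    if "Timestamp" not in order:
        position = "absent"
    elif order[0] == "Timestamp":
        position = "first"       # what a Strict layout expects
    elif order[-1] == "Timestamp":
        position = "last"        # matches LaxTimestampLast
    else:
        position = "middle"

    return {
        "signed": signed,
        "unresolved": unresolved,
        "timestamp_signed": ts_id is not None and ts_id in signed,
        "timestamp_has_expires": timestamp is not None
        and timestamp.find("wsu:Expires", NS) is not None,
        "security_header_order": order,
        "timestamp_position": position,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

On the captured request the script shows that the Timestamp (id wssecurity_signature_id_1803) is indeed referenced from SignedInfo and that it is the last child of wsse:Security, after the Signature. That is exactly the layout SecurityHeaderLayout.LaxTimestampLast describes, whereas the default Strict layout expects the Timestamp first, which is consistent with the fix in the answer. The script also flags that this Timestamp carries only wsu:Created and no wsu:Expires, which is worth knowing when you rely on the timestamp for replay protection.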