How to configure WCF client for WS-Security (UsernameToken + Encrypted body SOAP (no signature))


问题


I need to configure my WCF client to consume a JAX service that requires WS-Security: UsernameToken + Timestamp + encryption of the SOAP body with a certificate.

For the request I need a SOAP message as below:

<soapenv:Header>
  <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <xenc:EncryptedKey Id="EK-8653216552B106D28F13688042014758"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference>
          <ds:X509Data>
            <ds:X509IssuerSerial>
              <ds:X509IssuerName>
              CN=joe,OU=joe,O=joe,L=joe,ST=joe,C=US</ds:X509IssuerName>
              <ds:X509SerialNumber>1262035674</ds:X509SerialNumber>
            </ds:X509IssuerSerial>
          </ds:X509Data>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>R14juoEJtNL1F8.........</xenc:CipherValue>
      </xenc:CipherData>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#ED-28" />
      </xenc:ReferenceList>
    </xenc:EncryptedKey>
    <wsu:Timestamp wsu:Id="TS-27">
      <wsu:Created>2013-05-17T15:23:21.472Z</wsu:Created>
      <wsu:Expires>2013-05-17T18:10:01.472Z</wsu:Expires>
    </wsu:Timestamp>
    <wsse:UsernameToken wsu:Id="UsernameToken-26">
      <wsse:Username>test</wsse:Username>
      <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
      secret</wsse:Password>
      <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
      avvRRapCKKjmGAeg9bRX/g==</wsse:Nonce>
      <wsu:Created>2013-05-17T15:23:21.472Z</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security>
</soapenv:Header>
<soapenv:Body>
  <xenc:EncryptedData Id="ED-5"
  Type="http://www.w3.org/2001/04/xmlenc#Content"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
      xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
        <wsse:Reference URI="#EK-1FEEFE8E1D48513E9413690595467661" />
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
    <xenc:CipherData>
      <xenc:CipherValue>OuEL9072pqJqoTegnqZvkYBvM+05gpMgkfs0unDiTGM5IQVm...............</xenc:CipherValue>
    </xenc:CipherData>
  </xenc:EncryptedData>
</soapenv:Body>

Is there a standard binding for this configuration, or must I create a custom binding (and if so, how do I configure it)? Can anybody help me? Thanks

Michele


回答1:


I found the solution. It is not possible to have Encrypt without Signature, so I modified the Axis web service to use the WS-Security actions Timestamp + UsernameToken + Encrypt + Signature. The WCF client is configured (programmatically) as below:

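/// <summary>
/// Builds the custom WCF client binding for the Axis endpoint.
/// WS-Security: Timestamp + UsernameToken + encrypted body + signature
/// (WS-Security 1.1, SOAP 1.1 text encoding, HTTPS transport).
/// </summary>
/// <returns>A <see cref="CustomBinding"/> holding the security, encoding and transport elements, in that order.</returns>
private CustomBinding GetCustomHttpBinding()
{
    // One upper bound reused for every message-size quota below.
    const int maxMessageBytes = 50000000;

    var binding = new CustomBinding
    {
        // Open/Close = 20 s, Send/Receive = 300 s.
        OpenTimeout = TimeSpan.FromSeconds(20),
        CloseTimeout = TimeSpan.FromSeconds(20),
        SendTimeout = TimeSpan.FromMinutes(5),
        ReceiveTimeout = TimeSpan.FromMinutes(5),
    };

    // ++ Security binding element ++
    // The UsernameToken travels only towards the service (AlwaysToRecipient) and is
    // covered by the request signature (added to the Signed supporting tokens below).
    var userNameToken = new UserNameSecurityTokenParameters
    {
        InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient,
    };

    var securityElement = new AsymmetricSecurityBindingElement
    {
        // NOTE(security): the response is accepted without signature or encryption,
        // so only the request is protected by this binding.
        EnableUnsecuredResponse = true,
        IncludeTimestamp = true,
        // Service certificate: referenced by issuer/serial, never sent on the wire.
        RecipientTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.Never),
        // Client certificate (signs the request): referenced by issuer/serial, sent with the request.
        InitiatorTokenParameters = new X509SecurityTokenParameters(
            X509KeyIdentifierClauseType.IssuerSerial, SecurityTokenInclusionMode.AlwaysToRecipient),
        // Basic128Rsa15 = AES-128-CBC body encryption + rsa-1_5 key transport, matching the
        // sample message. rsa-1_5 is the legacy PKCS#1 v1.5 transport; prefer an OAEP suite
        // (e.g. SecurityAlgorithmSuite.Basic128) when the service can accept it.
        DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic128Rsa15,
        SecurityHeaderLayout = SecurityHeaderLayout.Strict,
        MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt,
        MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10,
    };
    // No derived keys: the session key is used directly. Called before the supporting
    // token is added, as in the original ordering.
    securityElement.SetKeyDerivation(false);
    securityElement.EndpointSupportingTokenParameters.Signed.Add(userNameToken);
    binding.Elements.Add(securityElement);

    // ++ Message encoding element ++
    var encodingElement = new TextMessageEncodingBindingElement
    {
        MessageVersion = MessageVersion.Soap11,
        WriteEncoding = Encoding.UTF8,
    };
    encodingElement.ReaderQuotas.MaxArrayLength = maxMessageBytes;
    encodingElement.ReaderQuotas.MaxStringContentLength = maxMessageBytes;
    binding.Elements.Add(encodingElement);

    // ++ HTTPS transport element ++
    // Large quotas: a 50 MB response is buffered in memory before being processed.
    var httpsElement = new HttpsTransportBindingElement
    {
        MaxBufferSize = maxMessageBytes,
        MaxReceivedMessageSize = maxMessageBytes,
        MaxBufferPoolSize = maxMessageBytes,
        UseDefaultWebProxy = true,
    };
    binding.Elements.Add(httpsElement);

    return binding;
}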


来源:https://stackoverflow.com/questions/16718621/how-to-configure-wcf-client-for-ws-security-usernametoken-encrypted-body-soap
