问题
I am trying to configure my WCF client to create a SOAP 1.1 request that includes WS-Addressing, WS-Security and TLS.
The security requirements are that the message includes a Username Token, TimeStamp and that the TimeStamp is signed using an included BinarySecurityToken.
I have used the example from the following link to create my WCF client binding. I have slightly modified the the example (see below) so that HTTPS is used as the transport mechanism and the MessageSecurity is based on UsernameOverTransport.
HttpsTransportBindingElement httpsTransport = new HttpsTransportBindingElement();
// the message security binding element will be configured to require 2 tokens:
// 1) A username-password encrypted with the service token
// 2) A client certificate used to sign the message
// Instantiate a binding element that will require the username/password token in the message (encrypted with the server cert)
TransportSecurityBindingElement messageSecurity = SecurityBindingElement.CreateUserNameOverTransportBindingElement();
// Create supporting token parameters for the client X509 certificate.
X509SecurityTokenParameters clientX509SupportingTokenParameters = new X509SecurityTokenParameters();
// Specify that the supporting token is passed in message send by the client to the service
clientX509SupportingTokenParameters.InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient;
// Turn off derived keys
clientX509SupportingTokenParameters.RequireDerivedKeys = false;
// Augment the binding element to require the client's X509 certificate as an endorsing token in the message
messageSecurity.EndpointSupportingTokenParameters.Endorsing.Add(clientX509SupportingTokenParameters);
// Create a CustomBinding based on the constructed security binding element.
return new CustomBinding(messageSecurity, httpsTransport);
The SOAP messages that are generated by this client are very close to meeting the requirements of the service I am calling, the only issue is that the wsa:To address is being signed as well as the TimeStamp address.
Is there a way to specify exactly which WCF headers are signed? As I need to restrict the client only sign the TimeStamp header.
回答1:
With custom message headers you can do this:
//... rest of MessageContract
[MessageHeader(ProtectionLevel = ProtectionLevel.Sign)]
string MyCustomHeader;
//... rest of MessageContract
But I don't believe that will work with your situation since your attempting to sign a soap header that is inserted by your custom binding. To modify these headers you'll likely need to implement the IClientMessageInspector interface and add a custom behavior to the client configuration to sign the TimeStamp header. Not sure how you would access the certificate to do the signing but this may give you a good start.
回答2:
I know it's an old question but I've been asked about this a couple of times.
I managed to achieve this by specifying the messageVersion as Soap11 instead of Soap11WSAddressing10 and then manually adding the WS-Addresing headers afterwards which avoided the need to manually implement the signing mechanism.
来源:https://stackoverflow.com/questions/5935741/how-can-i-configure-wcf-to-only-sign-the-timestamp-header