问题
I am using WSBinding with "TransportWithMessageCredential" to secure my WCF web service, I am using it without any problems using .NET clients.
But when trying to use it from Android or non-.Net client, I can't tell where to provide the message credentials!!
I have intercepted the SOAP message being sent by the .NET client, it doesn't contain any thing related to the credentials, but it is working perfectly, but when using the same syntax for the SOAP request from and Android client, we are facing this error:
The message could not be processed. This is most likely because the action 'http://tempuri.org/XXX/YYY' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.
The SOAP request that is being sent by .NET client and working as intercepted:
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/XXX/YYY</a:Action>
<a:MessageID>urn:uuid:XX-XX-XX-XX-XX</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
</s:Header>
<s:Body>
<XXXXXX xmlns="http://tempuri.org/">
<request xmlns:d4p1="http://schemas.datacontract.org/2004/07/XXX.XXX.XXX" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<d4p1:Prop1 i:nil="true" />
<d4p1:Prop2 i:nil="true" />
<d4p1:Prop3 i:nil="true" />
</request>
</XXXXXX >
</s:Body>
</s:Envelope>
My WCF confing for the service:
<wsHttpBinding>
<binding name="wsHttpBindingExt" maxReceivedMessageSize="4096000">
<readerQuotas maxDepth="32" maxStringContentLength="409600" maxArrayLength="4096000" maxBytesPerRead="4096000" />
<security mode="TransportWithMessageCredential" >
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
For the working .NET Client:
Client code to call the service from .NET and working correctly:
XXXXXServiceClient client = new XXXXXServiceClient ();
client.ClientCredentials.UserName.UserName = "XXXX";
client.ClientCredentials.UserName.Password = "YYYY";
var res = client.DoXXXXX(a,b,c);
EDIT
It is exists, that interceptor is not giving me the whole request, but I have another problem.
Using fiddler, I have found that there are two requests, the first one is to request a security token:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
<a:MessageID>urn:uuid:b7c8d134-ec01-48cd-abb6-81988e7270b1</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://XXX.XXX.com/XXX.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:13.686Z</u:Created>
<u:Expires>2014-04-25T10:36:13.686Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-4d51d9cc-f621-48af-96a7-1fa541c18ea1-1">
<o:Username>XXX</o:Username>
<o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">YYY</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<t:Entropy>
<t:BinarySecret u:Id="uuid-c32043fe-d4fb-4802-b15a-ba2691c2b3d8-1" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">XXXXXXXXXXXXXXXXXXXXXXXXX</t:BinarySecret>
</t:Entropy>
<t:KeySize>256</t:KeySize>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
And the response of this request is:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
<a:RelatesTo>urn:uuid:b7c8d134-ec01-48cd-abb6-81988e7270b1</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:02.106Z</u:Created>
<u:Expires>2014-04-25T10:36:02.106Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
<t:RequestedSecurityToken>
<c:SecurityContextToken u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:e2562052-1de3-496d-b455-e36958692176</c:Identifier>
</c:SecurityContextToken>
</t:RequestedSecurityToken>
<t:RequestedAttachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8"/>
</o:SecurityTokenReference>
</t:RequestedAttachedReference>
<t:RequestedUnattachedReference>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:Reference URI="urn:uuid:e2562052-1de3-496d-b455-e36958692176" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
</o:SecurityTokenReference>
</t:RequestedUnattachedReference>
<t:RequestedProofToken>
<t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
</t:RequestedProofToken>
<t:Entropy>
<t:BinarySecret u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-9" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">JrVuueyiE55P172GX97vM3KM/oo26pN71wQ4B4C5dbo=</t:BinarySecret>
</t:Entropy>
<t:Lifetime>
<u:Created>2014-04-25T10:31:02.106Z</u:Created>
<u:Expires>2014-04-26T01:31:02.106Z</u:Expires>
</t:Lifetime>
<t:KeySize>256</t:KeySize>
</t:RequestSecurityTokenResponse>
</s:Body>
</s:Envelope>
And then, I can use these information in this response in the main second request:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://tempuri.org/XXX/YYY</a:Action>
<a:MessageID>urn:uuid:e2ec7944-a6b8-46f1-b021-270cea67c205</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://XXXX.YYYY.com/ZZZZ.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-04-25T10:31:14.905Z</u:Created>
<u:Expires>2014-04-25T10:36:14.905Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken u:Id="uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
<c:Identifier>urn:uuid:e2562052-1de3-496d-b455-e36958692176</c:Identifier>
</c:SecurityContextToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>YYYYYYYYYYYYYYYYYYYYYY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>XXXXXXXXXXXXXXXXXXXXX=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-67a62dc5-2ce5-45d2-af88-371d06243652-8"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<XXXXXX xmlns="http://tempuri.org/">
<request xmlns:d4p1="http://schemas.datacontract.org/2004/07/XXX.XXX.XXX" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<d4p1:Prop1 i:nil="true" />
<d4p1:Prop2 i:nil="true" />
<d4p1:Prop3 i:nil="true" />
</request>
</XXXXXX >
</s:Body>
</s:Envelope>
The big question here is, where to find: BinarySecret, DigestValue, SignatureValue!!! and the other huge amount of values and ids!!!
回答1:
The message exchanage that you see is Ws-SecureConversation. Here you can find the the full specification of those messages: http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/ws-secureconversation-1.3-os.html
Most likely you don't want to implement or use it in your Android client, so you can disable it in binding by setting establishSecurityContext to false in message element.
More info: What are the impacts of setting establishSecurityContext="False" if i use https?
来源:https://stackoverflow.com/questions/23290204/how-to-pass-message-credentials-transportwithmessagecredential-no-credential