Problem description
I am creating a WCF client for a Java web service that is out of my control, and have run into a problem, in that the service returns an InvalidSecurity fault if the Timestamp header element is signed.
I am currently using the following SecurityBindingElement, but this automatically signs the Timestamp element. How can I stop this behaviour? More generally, how can I control which elements are signed and which aren't?
var version = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(version);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion = version;
sec.IncludeTimestamp = true;
sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;
Recommended answer
In general you can control which elements get signed by implementing a custom endpoint behavior and in AddBindingParameters() do something like this:
ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
requirements.IncomingSignatureParts...
However, I don't see a way to remove an element in this API - only to add some. Maybe you can hack this with private reflection.
Also, I'm not sure this will work for security. I think your only way is to either set "includeTimestamp" to false, in which case you will not send a timestamp to the client. If you must send a timestamp (unsigned) then still keep it false and create the timestamp yourself via a custom encoder. Should not be hard. Just watch out not to change anything else in the message if it is signed.
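The endpoint behavior approach described in the answer above, as an added example that is not part of the original answer. The class name `SignExtraHeaderBehavior` and the header name and namespace are hypothetical; the behavior only adds a header to the signed parts of requests, in line with the answer's observation that the API adds parts but does not remove them.

```csharp
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Xml;

// Hypothetical behavior; the header name and namespace are constructed sample values.
public sealed class SignExtraHeaderBehavior : IEndpointBehavior
{
    private static readonly XmlQualifiedName ExtraHeader =
        new XmlQualifiedName("TransactionId", "urn:example:headers");

    public void AddBindingParameters(ServiceEndpoint endpoint,
                                     BindingParameterCollection bindingParameters)
    {
        // The protection requirements may already be in the collection;
        // create and register them only if they are absent.
        ChannelProtectionRequirements requirements =
            bindingParameters.Find<ChannelProtectionRequirements>();
        if (requirements == null)
        {
            requirements = new ChannelProtectionRequirements();
            bindingParameters.Add(requirements);
        }

        // "Incoming" is named from the service's side: these are the
        // client-to-service messages, i.e. the requests this client sends.
        // AddParts without an action argument applies to every action, and it
        // only extends the set of signed parts; it cannot take one away.
        requirements.IncomingSignatureParts.AddParts(
            new MessagePartSpecification(ExtraHeader));
    }

    // The remaining interface members are not needed for this purpose.
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

Add an instance to the client endpoint's `Behaviors` collection before the channel factory is opened, so the security binding element sees the extra requirement when the channel stack is built.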