Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
2.4k views
in Technique[技术] by (71.8m points)

vb.net - WCF client binding to sign the body of a request to a Java web service?

I need to send a message from a WCF client to a Java Web Service that requires the body to be signed. There seems to be a lot of information on this subject, but I can't work out what I actually need to do to achieve this.

I've been told the following:

  • The customers certificate provides authentication and is included as a binary security token.
  • The customers certificate and the private key are used to sign the body of the SOAP message.
  • The service decodes the SOAP security header and obtains the customer code.
  • The service response is not signed or encrypted.

I've also been provided with an example request and response which is listed below.

Having generated my client and tried to set up the bindings, I get the request sent back to me (I assume this is in place of an error, I don't know why this happens or think it is relevant). I've tried creating a custom binding to sign only (as suggested here):

Dim asec As AsymmetricSecurityBindingElement = CType(SecurityBindingElement.CreateMutualCertificateBindingElement(ServiceModel.MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10, True), AsymmetricSecurityBindingElement)
asec.SetKeyDerivation(False)
asec.AllowInsecureTransport = True
asec.IncludeTimestamp = True

but this encrypts the message as well and give the error: Endpoint {http://ServiceAddress}ServiceName does not contain operation meta data for: {http://www.w3.org/2001/04/xmlenc#}EncryptedData

Research suggests I need to change the client proxy's Reference.vb file, but when I tried to decorate the request property with protection level = sign, it only enforces this as a minimum, so I suspect that is the wrong approach.

How do I get the binding to set up correctly to be able to communicate with the service?

EDIT: I've used CreateCertificateOverTransportBindingElement which seems to give me the signature I require, however it seems to remove the xml for the properties of the request object. So the service gives me a 500 exception saying it isn't there.

EXAMPLE REQUEST:

<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://[removed]/1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" env:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1384851101218-1328853118">MIICBjCCAW8CAwLm/jANBgkqhkiG9w0BAQUFADBAMRQwEgYDVQQDDAtGb3JkRXRpcyBDQTEbMBkG
A1UECgwSRm9yZCBNb3RvciBDb21wYW55MQswCQYDVQQGEwJHQjAgFw0xMzA0MTYxMjQ0MThaGA8y
MTEzMDQxNjEyNDQxOFowUzERMA8GA1UEAwwIREVVVEVTVDYxFDASBgNVBAsMC0ZTQSBTZXJ2aWNl
MRswGQYDVQQKDBJGb3JkIE1vdG9yIENvbXBhbnkxCzAJBgNVBAYTAkdCMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC2r/plg8pUmc35Vajc1ji4koYIFgvb5LFUs4GFl/4R0eRspjNwJ7TW1B3s
XyGd272l5oGyNazsGeAZQ88XDRbL5Q60HwrDaKuA/UvT7pKaQufwvIJUWmUwry0K72x7x4jQNWC1
fR3XXzztlrjpf9MmOkbQE1GMdKonldiCu59YcwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIdSHIsq
KrUAlwbD7AMSQ1PfyIRP9pX94416ELpcr6h/+2RnYF40HcZO9/oU1VJIgCJREI+pRpR2DISDFAhA
LhqzxLTy4G45zcuKjaoKSi6UcaOfsqxuagEanga2CXsapHHB/DB84jLES6fGf79z09xYZ+82iEm5
Kgm6eho2Bqgn</wsse:BinarySecurityToken>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#element-1-1384851100999-344078580">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>sArRh/ub3qQBGzBS+W3zeoHNcTk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
T6bNaNlFP0CfMGEOWQUprdufyHN7BhjETw8o1JH/sb8we23c+f5qvTmYIHYNH89ervkkCRSYlaQu
SyES0toWkH9Od6CqTiwmN2uubID71z9RgA3Vw9SlEAwI7iJi9iHRRqyiDXZkastVHmd7lXQRqYjQ
7/03PSvZjv8K42n8XEE=
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsu:Id="reference-3-1384851101219-204425426"><wsse:Reference URI="#token-2-1384851101218-1328853118" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
    </wsse:Security>
  </env:Header>
  <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1384851100999-344078580">
    <ns0:list>
      <String_1>[removed]</String_1>
    </ns0:list>
  </env:Body>
</env:Envelope>

EXAMPLE RESPONSE:

<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
    <ns0:listResponse xmlns:ns0="[removed]/1.0">
      <result xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <value>
          <code>[removed]</code>
          <description>[removed]</description>
        </value>
      </result>
    </ns0:listResponse>
  </env:Body>
</env:Envelope>
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I created a custom binding, and used a TransportSecurityBindingElement as the security binding element:

Dim tsec As TransportSecurityBindingElement = SecurityBindingElement.CreateCertificateOverTransportBindingElement()
tsec.EnableUnsecuredResponse = True
tsec.SetKeyDerivation(False)
tsec.AllowInsecureTransport = True
tsec.IncludeTimestamp = True

Note: The timestamp is set to true by default. I want it set to false, but that throws an error.

With this configured, the message sent, but the only property in the request didn't serialise. To make this happen, I added the following to the member variable in Reference.vb:

<System.ServiceModel.MessageBodyMemberAttribute([Namespace]:="", [order]:=0)> _
Public String_1 As String

This gives the following request, though I can't be sure if it is correct yet as the services response seems to cut the body off (see below request).

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2013-12-04T10:53:13.568Z</u:Created>
                <u:Expires>2013-12-04T10:58:13.568Z</u:Expires>
            </u:Timestamp>
            <o:BinarySecurityToken u:Id="uuid-bc441202-6c02-4eb9-a176-02f2a61a6002-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIICBjCCAW8CAwLm/jANBgkqhkiG9w0BAQUFADBAMRQwEgYDVQQDDAtGb3JkRXRpcyBDQTEbMBkGA1UECgwSRm9yZCBNb3RvciBDb21wYW55MQswCQYDVQQGEwJHQjAgFw0xMzA0MTYxMjQ0MThaGA8yMTEzMDQxNjEyNDQxOFowUzERMA8GA1UEAwwIREVVVEVTVDYxFDASBgNVBAsMC0ZTQSBTZXJ2aWNlMRswGQYDVQQKDBJGb3JkIE1vdG9yIENvbXBhbnkxCzAJBgNVBAYTAkdCMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2r/plg8pUmc35Vajc1ji4koYIFgvb5LFUs4GFl/4R0eRspjNwJ7TW1B3sXyGd272l5oGyNazsGeAZQ88XDRbL5Q60HwrDaKuA/UvT7pKaQufwvIJUWmUwry0K72x7x4jQNWC1fR3XXzztlrjpf9MmOkbQE1GMdKonldiCu59YcwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIdSHIsqKrUAlwbD7AMSQ1PfyIRP9pX94416ELpcr6h/+2RnYF40HcZO9/oU1VJIgCJREI+pRpR2DISDFAhALhqzxLTy4G45zcuKjaoKSi6UcaOfsqxuagEanga2CXsapHHB/DB84jLES6fGf79z09xYZ+82iEm5Kgm6eho2Bqgn</o:BinarySecurityToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <Reference URI="#_0">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <DigestValue>ePSLYY5UDloSReYYUDe4g+QKONk=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>LJfvWJHgU0jvHp69Zw0ZqN+Y/rJw8wm7/AGKMYCvwfzx3nYLA0nGVprBFtM+LSDTlfeHY5/JpiJc2t/qvwS5oMpkmIJtnvnGx/JxZFMEZALj7JBRam5ZdLAnWH6P/A1QgiaKS9vCnVOBf79nMxvKTpgZq1VyYAlXhr7LVqO6pZg=</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference><o:Reference URI="#uuid-bc441202-6c02-4eb9-a176-02f2a61a6002-1"/></o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <list xmlns="http://hostdomain.com/services/fsa/1.0">
            <String_1 xmlns="">[removed]</String_1>
        </list>
    </s:Body>
</s:Envelope>

Response (for some reason it isn't complete):

<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' xmlns:u='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
    <s:Header>
        <o:Security s:mustUnderstand='1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
            <u:Timestamp u:Id='_0'>
                <u:Created>2013-12-04T10:53:13.568Z</u:Created>
                <u:Expires>2013-12-04T10:58:13.568Z</u:Expires>
            </u:Timestamp>
            <o:BinarySecurityToken ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' u:Id='uuid-bc441202-6c02-4eb9-a176-02f2a61a6002-1'>MIICBjCCAW8CAwLm/jANBgkqhkiG9w0BAQUFADBAMRQwEgYDVQQDDAtGb3JkRXRpcyBDQTEbMBkGA1UECgwSRm9yZCBNb3RvciBDb21wYW55MQswCQYDVQQGEwJHQjAgFw0xMzA0MTYxMjQ0MThaGA8yMTEzMDQxNjEyNDQxOFowUzERMA8GA1UEAwwIREVVVEVTVDYxFDASBgNVBAsMC0ZTQSBTZXJ2aWNlMRswGQYDVQQKDBJGb3JkIE1vdG9yIENvbXBhbnkxCzAJBgNVBAYTAkdCMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2r/plg8pUmc35Vajc1ji4koYIFgvb5LFUs4GFl/4R0eRspjNwJ7TW1B3sXyGd272l5oGyNazsGeAZQ88XDRbL5Q60HwrDaKuA/UvT7pKaQufwvIJUWmUwry0K72x7x4jQNWC1fR3XXzztlrjpf9MmOkbQE1GMdKonldiCu59YcwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBAIdSHIsqKrUAlwbD7AMSQ1PfyIRP9pX94416ELpcr6h/+2RnYF40HcZO9/oU1VJIgCJREI+pRpR2DISDFAhALhqzxLTy4G45zcuKjaoKSi6UcaOfsqxuagEanga2CXsapHHB/DB84jLES6fGf79z09xYZ+82iEm5Kgm6eho2Bqgn</o:BinarySecurityToken>
            <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
                <SignedInfo>
                    <CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
                    <SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
                        <Reference URI='#_0'>
                            <Transforms>
                                <Transform Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#'/>
                            </Transforms>
                            <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                            <DigestValue>ePSLYY5UDloSReYYUDe4g+QKONk=</DigestValue>
                        </Reference>
                </SignedInfo>
                <SignatureValue>LJfvWJHgU0jvHp69Zw0ZqN+Y/rJw8wm7/AGKMYCvwfzx3nYLA0nGVprBFtM+LSDTlfeHY5/JpiJc2t/qvwS5oMpkmIJtnvnGx/JxZFMEZALj7JBRam5ZdLAnWH6P/A1QgiaKS9vCnVOBf79nMxvKTpgZq1VyYAlXhr7LVqO6pZg=</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
                        <o:Reference URI='#uuid-bc441202-6c02-4eb9-a176-02f2a61a6002-1' xmlns:o='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'/>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body xmlns:xsd='http://www.w3.org/2001/XMLSchema

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...