.net WCF - CXF/WSS4j互操作性
我想从.net c#客户端使用CXF Web服务。我们目前正在使用java-to-java请求,我们通过ws-security(WSS4J库)保护SOAP信封。.net WCF - CXF/WSS4j互操作性
我的问题是:我如何实现一个C#WS客户端,它产生与以下客户端Java代码相同的SOAP请求?
//doc is the original SOAP envelope to process with WSS4J
WSSecHeader secHeader = new WSSecHeader();
secHeader.insertSecurityHeader(doc);
//add username token with password digest
WSSecUsernameToken usrNameTok = new WSSecUsernameToken();
usrNameTok.setPasswordType(WSConstants.PASSWORD_DIGEST);
usrNameTok.setUserInfo("guest",psw_guest);
usrNameTok.prepare(doc);
usrNameTok.appendToHeader(secHeader);
//sign the envelope body with client key
WSSecSignature sign = new WSSecSignature();
sign.setUserInfo("clientx509v1", psw_clientx509v1);
sign.setKeyIdentifierType(WSConstants.BST_DIRECT_REFERENCE);
Document signedDoc = null;
sign.prepare(doc, sigCrypto, secHeader);
signedDoc = sign.build(doc, sigCrypto, secHeader);
//encrypt envelope body with server public key
WSSecEncrypt encrypt = new WSSecEncrypt();
encrypt.setUserInfo("serverx509v1");
// build the encrypted SOAP part
String out = null;
Document encryptedDoc = encrypt.build(signedDoc, encCrypto, secHeader);
return encryptedDoc;
有谁知道我在哪里能找到一个微软如何对或.NET的例子吗?
================================编辑============= =======================
谢谢Ladislav!我申请了你的建议,我想出了喜欢的东西:
X509Certificate2 client_pk, server_cert;
client_pk = new X509Certificate2(@"C:\x509\clientKey.pem", "blablabla");
server_cert = new X509Certificate2(@"C:\x509\server-cert.pfx", "blablabla");
// Create the binding.
System.ServiceModel.WSHttpBinding myBinding = new WSHttpBinding();
myBinding.TextEncoding = ASCIIEncoding.UTF8;
myBinding.MessageEncoding = WSMessageEncoding.Text;
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
myBinding.Security.Message.AlgorithmSuite =
System.ServiceModel.Security.SecurityAlgorithmSuite.Basic128;
// Disable credential negotiation and the establishment of
// a security context.
myBinding.Security.Message.NegotiateServiceCredential = false;
myBinding.Security.Message.EstablishSecurityContext = false;
// Create the endpoint address.
EndpointAddress ea =
new EndpointAddress(new Uri("http://bla.bla.bla"),
EndpointIdentity.CreateDnsIdentity("issuer"));
// configure the username credentials on the channel factory
UsernameClientCredentials credentials = new UsernameClientCredentials(new
UsernameInfo("superadmin", "secret"));
// Create the client.
PersistenceClient client = new PersistenceClient(myBinding, ea);
client.Endpoint.Contract.ProtectionLevel =
System.Net.Security.ProtectionLevel.EncryptAndSign;
// replace ClientCredentials with UsernameClientCredentials
client.Endpoint.Behaviors.Remove(typeof(ClientCredentials));
client.Endpoint.Behaviors.Add(credentials);
// Specify a certificate to use for authenticating the client.
client.ClientCredentials.ClientCertificate.Certificate = client_pk;
// Specify a default certificate for the service.
client.ClientCredentials.ServiceCertificate.DefaultCertificate = server_cert;
// Begin using the client.
client.Open();
clientProxyNetwork[] response = client.GetAllNetwork();
结果我得到(服务器端)以下CXF例外:
java.security.SignatureException: Signature does not match.
at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:421)
at sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:133)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:112)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate (PKIXMasterCertPathValidator.java:117)
因此它似乎是一个关键jks-> PEM转换问题......或者我在上面的客户端代码中丢失了一些东西?
那么,最终解决方案是加密和签署整个用户名令牌。至于互操作性,必须在cxf中激活ws寻址,并且需要在c#中进行自定义绑定。诀窍的自定义绑定基本上是
AsymmetricSecurityBindingElement abe =
(AsymmetricSecurityBindingElement)SecurityBindingElement.
CreateMutualCertificateBindingElement(MessageSecurityVersion.
WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
Wcf标记每个ws寻址元素,因此必须完成相同的服务器端。
这通常是相当大的问题,因为WCF does not support UserNameToken Profile with Digested password。我在几个月前编写了needed it,我们必须实现我们自己的自定义绑定,但该代码尚未准备好发布。 Fortunatelly this blog article描述了其他实施方式,并且包含支持消化密码的具有新的UserNameClientCredentials
类的示例代码。
Btw。对于名为WSE 3.0的较旧的API,应该可以使用相同的安全配置。它被WCF所取代,但仍然有一些WS- *堆栈配置比这个API和旧的ASMX服务更简单。
我知道这是一个非常古老的问题,但我现在正在尝试做类似的事情,但不幸的是我不能。我试过你的代码,但我不能引用`UsernameClientCredentials`这是你的自定义类吗?基本上我必须用UsernameToken,BinarySecurityToken和Signature创建安全标头 – Misiu 2017-02-13 13:36:12