2010-08-18 3 views
1

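I have a problem with the security part of WCF. Multiple protection levels are not working in WCF.

The problem is as follows: partial encryption of the message payload does not work. When I change the ProtectionLevel on the MessageContract and MessageBodyMember attributes, it either encrypts the payload completely or leaves the entire payload unencrypted.

That is, partial encryption does not work, where I need to keep the root tag of the payload (the message body element) unencrypted and the rest encrypted (i.e. the child elements of the root tag should be encrypted). This behaviour is required for the endpoint mapping of Spring Web Services on the server.

This is a .NET client program for a web service developed in Java (a contract-first web service developed with Spring WS). We use mutual certificates for security.

I am using a custom binding with the messageSecurityVersion WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10.

I am not sure whether this has something to do with WS-Addressing support for this binding.

Here is the proxy class generated by svcutil (only the relevant part):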

[System.CodeDom.Compiler.GeneratedCodeAttribute("svcutil", "4.0.30319.1")] 
[System.SerializableAttribute()] 
[System.Diagnostics.DebuggerStepThroughAttribute()] 
[System.ComponentModel.DesignerCategoryAttribute("code")] 
[System.Xml.Serialization.XmlTypeAttribute(AnonymousType = true, Namespace = "http://www.dadesk.com/dis/schema")] 
// This is added for bypassing encryption 
[System.ServiceModel.MessageContract(ProtectionLevel = System.Net.Security.ProtectionLevel.None)] 
public partial class getActualInvoiceOutputRequest 
{ 

    // This is added for bypassing encryption 
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)] 
    private string interfaceUniqueReferenceField; 

    // This is added for bypassing encryption 
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)] 
    private string invoiceIdField; 

    // This is added for bypassing encryption 
    [System.ServiceModel.MessageBodyMember(ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign)] 
    private string daEventField; 

    /// <remarks/> 
    [System.Xml.Serialization.XmlElementAttribute(Order = 0)] 
    public string interfaceUniqueReference 
    { 
     get 
     { 
      return this.interfaceUniqueReferenceField; 
     } 
     set 
     { 
      this.interfaceUniqueReferenceField = value; 
     } 
    } 

    /// <remarks/> 
    [System.Xml.Serialization.XmlElementAttribute(Order = 1)] 
    public string invoiceId 
    { 
     get 
     { 
      return this.invoiceIdField; 
     } 
     set 
     { 
      this.invoiceIdField = value; 
     } 
    } 

    /// <remarks/> 
    [System.Xml.Serialization.XmlElementAttribute(Order = 2)] 
    public string daEvent 
    { 
     get 
     { 
      return this.daEventField; 
     } 
     set 
     { 
      this.daEventField = value; 
     } 
    } 
} 

The expected SOAP request:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"> 
<SOAP-ENV:Header> 
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP-ENV:mustUnderstand="1"> 
    <wsse:BinarySecurityToken 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
    wsu:Id="CertId-1BC7C7CC8C1DC237A312742702475786" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIBoTCCAQqgAwIBAgIES+Jf0jANDA2MjEwNlowFTETMBEGA1UEAxMKZGlzcGFydG5lcjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAiSzYcGY6SZvtyX/HzIT9zgzlf1/stzTo2WN2/zikebOY+K8pOfc8IU2vxsDp+b4Jc/KSMzZIocPejHhyRXKKuf36TckHclkgkqhkiG9w0BAQUFAAOBgQAepQ1pXeyveQCPRQSnjcJKnXBbLiPql+UeScmaqXBqBOrUGFRe8AX4PEh28qmomwWfdJ7abV1yShFvnAcZBP5gM6KrS1fZ2lCQu7sLyk8YW3zBLqs1Bm6bf4GTfywd2+mURJZuTwx/vqe2d5xNsfD9BOEJ6hlxzdzKlZR111O4IQ== 
    </wsse:BinarySecurityToken> 
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
    Id="Signature-7"> 
    <ds:SignedInfo> 
    <ds:CanonicalizationMethod 
     Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
    <ds:Reference URI="#id-8"> 
     <ds:Transforms> 
     <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
     </ds:Transforms> 
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
     <ds:DigestValue>O+wONgrnKflVXuIf/QqMIVPHICg=</ds:DigestValue> 
    </ds:Reference> 
    </ds:SignedInfo> 
    <ds:SignatureValue> 
    cPLtiHI8a3Ay7lCau0wosF7pakNPaOkFdmjC8osUqkUUECjQvSPCoVyWZldPxheWIEEM1qUAR7X2 
    1cOFNn2YUfTu9c3ElEgfRycDUTpcvF5hs37Er+ssR3QBKQ9Jmd76MHcc8LW12KNGGWZn/grUMhnR 
    uuOzSrfAtOHYK22wPvE= 
</ds:SignatureValue> 
    <ds:KeyInfo Id="KeyId-1BC7C7CC8C1DC237A312742702475787"> 
    <wsse:SecurityTokenReference 
     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
     wsu:Id="STRId-1BC7C7CC8C1DC237A312742702475788" 
     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
     <wsse:Reference URI="#CertId-1BC7C7CC8C1DC237A312742702475786" 
     ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" /> 
    </wsse:SecurityTokenReference> 
    </ds:KeyInfo> 
    </ds:Signature> 
    <wsse:UsernameToken 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    wsu:Id="UsernameToken-6" 
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
    <wsse:Username>115394</wsse:Username> 
    <wsse:Password 
    Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password> 
    <wsse:Nonce 
    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce> 
    <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created> 
    </wsse:UsernameToken> 
    </wsse:Security> 
</SOAP-ENV:Header> 
<SOAP-ENV:Body 
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
    wsu:Id="id-8"> 
       <!-- I need the root tag un-encrypted --> 
    <getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema"> 
       <!-- I need the content encrypted --> 
    <interfaceUniqueReference>aasd</interfaceUniqueReference> 
    <invoiceId>-1</invoiceId> 
    <daEvent>1</daEvent> 
    </getActualInvoiceOutputRequest> 
</SOAP-ENV:Body> 
</SOAP-ENV:Envelope> 

Here is the app.config:

<?xml version="1.0" encoding="utf-8"?> 
<configuration> 
    <configSections> 
    <sectionGroup name="userSettings" type="System.Configuration.UserSettingsGroup, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" > 
     <section name="DISClientLibTest.Properties.Settings" type="System.Configuration.ClientSettingsSection, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" allowExeDefinition="MachineToLocalUser" requirePermission="false" /> 
    </sectionGroup> 
    </configSections> 

    <system.diagnostics> 
    <sources> 
     <source name="System.ServiceModel.MessageLogging"> 
     <listeners> 
      <add name="messages" 
      type="System.Diagnostics.XmlWriterTraceListener" 
      initializeData="c:\logs\messages.svclog" /> 
     </listeners> 
     </source> 
    </sources> 
    </system.diagnostics> 

    <system.serviceModel> 
    <behaviors> 
     <endpointBehaviors> 
     <behavior name="DISEndPointBehaviour"> 
      <clientCredentials> 
      <clientCertificate storeLocation="LocalMachine" storeName="Root" 
           x509FindType="FindBySubjectName" findValue="d-i-s-partner"/> 
      <serviceCertificate> 
       <defaultCertificate storeLocation="LocalMachine" storeName="Root" 
            x509FindType="FindBySubjectName" findValue="dis"/> 
       <authentication certificateValidationMode="PeerOrChainTrust"/> 
      </serviceCertificate> 
      </clientCredentials> 
     </behavior> 

     </endpointBehaviors> 
    </behaviors> 

    <bindings> 
     <customBinding> 
     <binding name="DISMutualCertificateDuplexBinding"> 
      <!--<security authenticationMode="MutualCertificateDuplex"--> 
      <security authenticationMode="MutualCertificate" 
        includeTimestamp="false" 
        requireDerivedKeys="false" 
        keyEntropyMode="ClientEntropy" 
        messageProtectionOrder="EncryptBeforeSign" 
        messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"/> 
      <textMessageEncoding messageVersion="Soap11WSAddressing10"/> 
      <httpTransport manualAddressing="false"/> 
     </binding> 
     </customBinding> 

    </bindings> 
    <client> 
     <endpoint binding="customBinding" 
       bindingConfiguration="DISMutualCertificateDuplexBinding" 
       contract="DaDeskDataExchange" 
       name="DaDeskDataExchangeSoap11_DaDeskDataExchange" 
       address="http://192.168.0.27:8080/disweb/1.0/spring-ws/" 
       behaviorConfiguration="DISEndPointBehaviour"> 
     <identity> 
      <dns value="dis"/> 
     </identity> 
     <headers> 
      <wsse:UsernameToken 
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
      wsu:Id="UsernameToken-6" 
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
      <wsse:Username>50001</wsse:Username> 
      <wsse:Password 
       Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">bmkWaU4qDZK7B/DPXqoHysN4LaQ=</wsse:Password> 
      <wsse:Nonce 
       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">dvSBmtESEOGb96pQIZJZWw==</wsse:Nonce> 
      <wsu:Created>2010-05-19T11:57:24.561Z</wsu:Created> 
      </wsse:UsernameToken> 
     </headers> 
     </endpoint> 
    </client> 
    <diagnostics> 
     <messageLogging logEntireMessage="true" 
         logMalformedMessages="true" 
         logMessagesAtTransportLevel="true" 
         logMessagesAtServiceLevel="true"/> 
    </diagnostics> 

    </system.serviceModel> 
</configuration> 

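In the SOAP message above, inside the body, the content of getActualInvoiceOutputRequest needs to be encrypted. I do not want getActualInvoiceOutputRequest to be encrypted. Currently the entire body content is rendered encrypted.

I followed the guidelines given on the following MSDN web page: http://msdn.microsoft.com/en-us/library/aa347692.aspx

It warns about a WS-Addressing dependency, for example with the BasicHttpBinding class, which does not support the specification, or if you create a custom binding that does not support WS-Addressing.

I think the custom binding supports WS-Addressing. Can anyone help with this?

Thanks, Shameer

Answers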

1

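Your custom binding specifies WS-Addressing, but the SOAP request does not use it. I'm afraid this is the part where interoperability breaks. Does the service have a WSDL that describes the security settings? Do you have an example of a SOAP request that uses encryption?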

+0

Unfortunately, the WSDL does not describe the security settings. You can access it here: http://83.111.89.230/disweb/1.0/spring-ws/DaDeskDataExchange/dataexchange.wsdl. It is a public IP.

+0

Do you have an example of a valid request and response? Btw. check my post: http://stackoverflow.com/questions/3457378/web-service-interoperability-broken-by-developers-incompetence

+0

How can I add a large XML block here? It does not let me add more than 600 characters. Can you advise?

0

Here is an example of a SOAP request that uses the appropriate level of encryption; it is the expected SOAP request, generated by a Java client.

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
<SOAP-ENV:Header> 
<wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
SOAP-ENV:mustUnderstand="1"> 
<xenc:EncryptedKey Id="EncKeyId-B521E60EB6640CC36812821275442335" 
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" /> 
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<ds:X509Data> 
<ds:X509IssuerSerial> 
<ds:X509IssuerName>CN=dis</ds:X509IssuerName> 
<ds:X509SerialNumber>1273126865</ds:X509SerialNumber> 
</ds:X509IssuerSerial> 
</ds:X509Data> 
</wsse:SecurityTokenReference> 
</ds:KeyInfo> 
<xenc:CipherData> 
<xenc:CipherValue>uVuKFUAyy7NvyMJuFgqB27nZ/uf1YCQLOjQJrOJN+iAiUGYBcIFYThpr+D2UK5l80HzWL8KUbbg8YcurjwOzuLM+DvuXbnsP3niFlFNipB0FTmnojD5t5J7xinRzfRzSVpSxxa/czOdFZTwyPclnUNFWEsWML8npQNOX2gir3Lk=</xenc:CipherValue> 
</xenc:CipherData> 
<xenc:ReferenceList> 
<xenc:DataReference URI="#EncDataId-4" /> 
</xenc:ReferenceList> 
</xenc:EncryptedKey> 
<wsse:BinarySecurityToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
wsu:Id="CertId-B521E60EB6640CC36812821275439461" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:BinarySecurityToken> 
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" 
Id="Signature-2"> 
<ds:SignedInfo> 
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
<ds:Reference URI="#id-3"> 
<ds:Transforms> 
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
</ds:Transforms> 
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
<ds:DigestValue>cYtMaQuuiVAho+6m8lj66ZPLFJc=</ds:DigestValue> 
</ds:Reference> 
</ds:SignedInfo> 
<ds:SignatureValue> 
ccAZE+FRn2ads52Ma5FsoYPx8P3SBYqjRYSctTNUmcsDQEhHowOoTyhkW5IElo9r/GaGWL0EBfmC 
SyNBh/qtKA4YHxjradG2Mk2Bxv/aRGuxaCllYTTr1kr37vC1fYiWVI2QrjbGOvp0i/5RgLanl40k 
gkDxle9CxegVDdZkijI= 
</ds:SignatureValue> 
<ds:KeyInfo Id="KeyId-B521E60EB6640CC36812821275439532"> 
<wsse:SecurityTokenReference 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
wsu:Id="STRId-B521E60EB6640CC36812821275439553" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<wsse:Reference URI="#CertId-B521E60EB6640CC36812821275439461" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" /> 
</wsse:SecurityTokenReference> 
</ds:KeyInfo> 
</ds:Signature> 
<wsse:UsernameToken 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
wsu:Id="UsernameToken-1" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<wsse:Username>119136</wsse:Username> 
<wsse:Password 
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">R3WWGSkNtmPztaSUbiyAWOcpwTM=</wsse:Password> 
<wsse:Nonce 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pkJh0dN0yE8iIRe49T1bwg==</wsse:Nonce> 
<wsu:Created>2010-08-18T10:32:23.937Z</wsu:Created> 
</wsse:UsernameToken> 
</wsse:Security> 
</SOAP-ENV:Header> 
<SOAP-ENV:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
wsu:Id="id-3"> 
<getActualInvoiceOutputRequest xmlns="http://www.dadesk.com/dis/schema"> 
<xenc:EncryptedData Id="EncDataId-4" 
Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> 
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /> 
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> 
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<wsse:Reference URI="#EncKeyId-B521E60EB6640CC36812821275442335" 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" /> 
</wsse:SecurityTokenReference> 
</ds:KeyInfo> 
<xenc:CipherData> 
<xenc:CipherValue>Qg9GlqcRgEi6EJACo/RxVYbUTdX2fnHUdrmdsXolHPFcigsuTMMwj0ST5DIXuh3C4nB738Acd8ez 
hKyZdDR2skNYIWHKGzM8wuT3wrjbZGAnXl78PtzjfNSyldmwm1cm4JxW2YH0QvtUq5e2exVOnkVT 
ojBtvxYSjQl2F/pK0uawD/m3RFFyqB3/lOWShYSLqW+H5h0d96FxIyVPb27z+mGK0xRXO9sh51ES 
4wHozKnQvSMBbokOPaHLMgyNBqkRvDX5bNvsvnpyjBT8trlaSQYE6l+zyqSIj8apu+HxpLM8g73f 
MPeGyzn28I078ZVe6vOzVPhXsSLMEUwtEHWjHIe49h6uGGLg2xd5pehbXxqDbw2/a1UipBOOjz4v 
5UYVoFtw7OjfONbPrrhqEkyg8zV2S4SPH6ItGKYLuiLNGV7XEXgc4dhyZ+qV/byJ/tqxuP2eNF6+ 
a2pp+jEQ8z0QCLZSnWicrbz3sbRHzM2CyZk=</xenc:CipherValue> 
</xenc:CipherData> 
</xenc:EncryptedData> 
</getActualInvoiceOutputRequest> 
</SOAP-ENV:Body> 
</SOAP-ENV:Envelope> 

And my .NET client currently generates the following request:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> 
<s:Header> 
<a:Action s:mustUnderstand="1" u:Id="_3"></a:Action> 
<a:MessageID u:Id="_4">urn:uuid:cbfc787e-d759-41b6-a919-9aba6fbd4fe6</a:MessageID> 
<a:ReplyTo u:Id="_5"> 
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> 
</a:ReplyTo> 
<a:To s:mustUnderstand="1" u:Id="_6">http://192.168.0.27:8080/disweb/1.0/spring-ws/</a:To> 
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<o:BinarySecurityToken> 
<!-- Removed--> 
</o:BinarySecurityToken> 
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"></DigestMethod> 
</e:EncryptionMethod> 
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
<o:SecurityTokenReference> 
<X509Data> 
<X509IssuerSerial> 
<X509IssuerName>CN=dis</X509IssuerName> 
<X509SerialNumber>1273126865</X509SerialNumber> 
</X509IssuerSerial> 
</X509Data> 
</o:SecurityTokenReference> 
</KeyInfo> 
<e:CipherData> 
<e:CipherValue>YYorbYHYP+AmYDttzFQ4BtlnmvQPZVbIZqy/VD5eQendMmhZXXEKNiv32BVAqBDwmmiXzHjjaPkWOfA4Q0iRG6XNvFzmxo6G2hc3WJ+6ZDW/8RFaCjEjtGNp9LezuDrIBjdfMXZOR63H809mB4wtDwamg6eIxn64UmXfwybbNw4=</e:CipherValue> 
</e:CipherData> 
</e:EncryptedKey> 
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
<SignedInfo> 
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod> 
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod> 
<Reference URI="#_2"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> 
<DigestValue>LGEAlgVrR38d/JwppXPW4KvY/K0=</DigestValue> 
</Reference> 
<Reference URI="#_3"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> 
<DigestValue>a8T/6AHa4bBGUI0zRJY5m1I0kYo=</DigestValue> 
</Reference> 
<Reference URI="#_4"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> 
<DigestValue>hv0eRU3IzGVmeDHlGzlHyzVChkM=</DigestValue> 
</Reference> 
<Reference URI="#_5"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> 
<DigestValue>k69pykploFPkXhw5ogDHcjcJUI0=</DigestValue> 
</Reference> 
<Reference URI="#_6"> 
<Transforms> 
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> 
</Transforms> 
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> 
<DigestValue>wnN99C6DCmP7MaOlTJxf10Urf/k=</DigestValue> 
</Reference> 
</SignedInfo> 
<SignatureValue>e2kDwoGU0XrmkUqO1rpkKSwYDMe327XN0hTLSQtutm04BX7+JjxbO5EbmmgX3F/hdKFjUk5rDdWxu1AC1LRlAhwiZKqzhnMx05ixuGoAxmlTLnL+ItdLTomOaOHkf7b7KNZouZDuCNeE/VdiQBOEmCYw2XfoukZxvIqyA03YffY=</SignatureValue> 
<KeyInfo> 
<o:SecurityTokenReference> 
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-127196be-7cc5-47ce-abd2-90d000c4fa2b-2"></o:Reference> 
</o:SecurityTokenReference> 
</KeyInfo> 
</Signature> 
<e:ReferenceList xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
<e:DataReference URI="#_1"></e:DataReference> 
</e:ReferenceList> 
</o:Security> 
</s:Header> 
<s:Body u:Id="_2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
<e:EncryptedData Id="_1" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"></e:EncryptionMethod> 
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
<o:Reference URI="#_0"></o:Reference> 
</o:SecurityTokenReference> 
</KeyInfo> 
<e:CipherData> 
<e:CipherValue>rPnwZV8JzRPPf7jAR6HCNRTvELt5caZbyyBzs1icNP+5HPmKxzPfROs8aq4Soi5+HfOpAsanW6IdA3o9m466WOM4jVorN7dx+8VCygsKfp79JtniFfH3Us9YlJsjgxljCM5QvH84ZkXc/+TJy+zVwpTm0t3mEB8h83gDA0ZOYkCXG8ksZhOwvj4aaLpDoBI+e/4usJ2XsW2oi2xF8sCFzV20X4S/IJlTyUHqeQcW5N8evXF0A8K64FfnoFARCe/Bkq2kmbclNRBmCZE+sJNTNxkYVlA6QufCPASgZJg35fwDveHTcQb19IqccGC51khQWV8L4gIhnJ2RSRzgsDjuzO8wGYTjoSBvm18hfHMywqdEyUCYX9bFEGcaBFMevD9mIu/B/ksh6nqkp30NGctReupdTFyrNcUn9Zqu/xlwU/uJws4LIk4G7ggjF4IrqjOu</e:CipherValue> 
</e:CipherData> 
</e:EncryptedData> 
</s:Body> 
</s:Envelope> 
+0

I tried to use message contracts in a test WCF service and I could not get it to work, even with WS-Addressing. It always encrypts the whole body. I suggest posting the same question on the MSDN forum and, if you can, contacting MS support. MSDN: http://social.msdn.microsoft.com/Forums/en-US/wcf/threads

+0

Thank you very much for your effort. I will post on the MSDN forum soon.
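
Added example, not part of the original thread: a short Python script that compares the two message layouts quoted in the posts above, reporting which payload root is still readable, where xenc:EncryptedData sits, and which algorithms and WS-Addressing headers each message carries. The envelopes are constructed stand-ins that keep only the layout (tokens, signatures and cipher values omitted), and the names `profile`, `diff`, `JAVA_MSG` and `DOTNET_MSG` are this example's own.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DIS = "http://www.dadesk.com/dis/schema"  # payload namespace shown in the thread

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def _alg(elem):
    method = elem.find(f"{{{XENC}}}EncryptionMethod")
    return None if method is None else method.get("Algorithm", "").rsplit("#", 1)[-1]

def profile(envelope_xml):
    """Summarise where and how a SOAP 1.1 envelope is encrypted."""
    root = ET.fromstring(envelope_xml)
    parent = {child: p for p in root.iter() for child in p}
    header = root.find(f"{{{SOAP}}}Header")
    body = root.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no SOAP 1.1 Body element")
    first = next(iter(body), None)
    encrypted = list(body.iter(f"{{{XENC}}}EncryptedData"))
    hidden = first is None or first.tag.startswith(f"{{{XENC}}}")
    return {
        # Root element a payload-root endpoint mapping can still read, if any.
        "visible_root": None if hidden else _local(first.tag),
        # Element whose content was replaced by ciphertext.
        "encrypted_inside": [_local(parent[e].tag) for e in encrypted],
        "data_alg": [_alg(e) for e in encrypted],
        "key_alg": [] if header is None else
                   [_alg(k) for k in header.iter(f"{{{XENC}}}EncryptedKey")],
        "wsa_headers": [] if header is None else
                       sorted(_local(h.tag) for h in header
                              if h.tag.startswith(f"{{{WSA}}}")),
    }

def diff(expected, actual):
    """Return only the profile fields on which the two messages disagree."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}

def _envelope(headers, key_alg, data_alg, wrap):
    # Constructed sample: same layout as the messages in the thread, with the
    # tokens, signature and cipher values left out.
    enc = (f'<e:EncryptedData xmlns:e="{XENC}" Type="{XENC}Content">'
           f'<e:EncryptionMethod Algorithm="{XENC}{data_alg}"/>'
           '<e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>'
           '</e:EncryptedData>')
    if wrap:  # root tag stays in clear text, only its content is encrypted
        enc = (f'<getActualInvoiceOutputRequest xmlns="{DIS}">{enc}'
               '</getActualInvoiceOutputRequest>')
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}"><s:Header>{headers}'
            f'<o:Security xmlns:o="{WSSE}"><e:EncryptedKey xmlns:e="{XENC}">'
            f'<e:EncryptionMethod Algorithm="{XENC}{key_alg}"/></e:EncryptedKey>'
            f'</o:Security></s:Header><s:Body>{enc}</s:Body></s:Envelope>')

JAVA_MSG = _envelope("", "rsa-1_5", "aes128-cbc", wrap=True)
DOTNET_MSG = _envelope("<a:Action/><a:MessageID/><a:ReplyTo/><a:To/>",
                       "rsa-oaep-mgf1p", "aes256-cbc", wrap=False)

if __name__ == "__main__":
    for field, (want, got) in diff(profile(JAVA_MSG), profile(DOTNET_MSG)).items():
        print(f"{field}: expected {want!r}, got {got!r}")
```

On the constructed pair every field differs, which matches the two captures in the thread: the Java message keeps getActualInvoiceOutputRequest readable and uses rsa-1_5 with aes128-cbc, while the .NET message encrypts the whole Body content with rsa-oaep-mgf1p and aes256-cbc and adds WS-Addressing headers.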