
Soap body is not encrypted when X509 security implemented on WCF service

I implemented a WCF service and a client application for one of my employer's projects and am currently facing a serious problem with the SOAP body element. The issue is that the SOAP body is not getting encrypted; only the header is encrypted. The SOAP request, web.configs and the way I created the certificates are included below for your reference...

WCF server config ......................

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding" >
      <security>
        <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
      </security>
    </binding>
  </wsHttpBinding>
  <customBinding>
    <binding name="CustomBinding">        
      <textMessageEncoding messageVersion="Soap11" />
      <security authenticationMode="MutualCertificate"
                requireDerivedKeys="false"
                includeTimestamp="true"
                keyEntropyMode="ClientEntropy"
                messageProtectionOrder="EncryptBeforeSign"
                messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                requireSecurityContextCancellation="false">
        <secureConversationBootstrap />

      </security>
      <httpTransport />

    </binding>
  </customBinding>
</bindings>
<services>
  <service name="mysvc.MySvc" behaviorConfiguration="mysvc.Service1Behavior">
    <endpoint address="" binding="customBinding" bindingConfiguration ="CustomBinding"  contract="mysvc.IMySvc"  />        
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
     <host>
        <baseAddresses>
             <add baseAddress ="http://localhost:8888/" />
        </baseAddresses>
     </host>
  </service>
</services>
<behaviors>
  <endpointBehaviors>
    <behavior name="inspectorBehavior">
       <consoleOutputBehavior />
    </behavior>
  </endpointBehaviors>

  <serviceBehaviors>
    <behavior name="mysvc.Service1Behavior">
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>

      <serviceCredentials>

        <serviceCertificate findValue="WCfServerCert"
        storeLocation="LocalMachine" 
        storeName="My"
        x509FindType="FindBySubjectName" />

        <clientCertificate>              
          <authentication certificateValidationMode="None" />                       
        </clientCertificate>

      </serviceCredentials>

    </behavior>
  </serviceBehaviors>
</behaviors>  

WCF client config .....................

<system.serviceModel>
    <bindings>
        <customBinding>
            <binding name="CustomBinding_IMySvc">
                <security defaultAlgorithmSuite="Default" authenticationMode="MutualCertificate"
                    requireDerivedKeys="false" securityHeaderLayout="Strict" includeTimestamp="true"
                    keyEntropyMode="ClientEntropy" messageProtectionOrder="EncryptBeforeSign"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                    requireSignatureConfirmation="false">
                    <localClientSettings cacheCookies="true" detectReplays="true"
                        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
                    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                        reconnectTransportOnFailure="true" maxPendingSessions="128"
                        maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
                    <secureConversationBootstrap />
                </security>
                <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                    messageVersion="Soap11" writeEncoding="utf-8">
                    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                        maxBytesPerRead="4096" maxNameTableCharCount="16384" />
                </textMessageEncoding>
                <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                    maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                    bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                    keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                    realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                    useDefaultWebProxy="true" />
            </binding>
        </customBinding>
    </bindings>
    <client>
      <endpoint address="http://localhost:8888/" binding="customBinding" behaviorConfiguration ="CustomBehavior"
          bindingConfiguration="CustomBinding_IMySvc" contract="WCFProxy.IMySvc"
          name="CustomBinding_IMySvc" >

        <identity >
          <dns value ="WCfServerCert"/>
        </identity>

      </endpoint>
    </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="CustomBehavior">
        <clientCredentials>
          <clientCertificate findValue="WCfClientCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
          <serviceCertificate>
            <defaultCertificate findValue="WCfServerCert" x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="My" />
            <authentication certificateValidationMode="None"/>
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors >
</system.serviceModel>

CERTIFICATE creation commands ...............................

makecert -n "CN=WCFServer" -r -sv WCFServer.pvk WCFServer.cer

makecert -n "CN=WCFClient" -r -sv WCFClient.pvk WCFClient.cer

makecert -sk WCFServerCert -iv d:\WCFServer.pvk -n "CN=WCFServerCert " -ic d:\WCFServer.cer -sr LocalMachine -ss My -sky exchange -pe

makecert -sk WCFClientCert -iv d:\WCFClient.pvk -n "CN=WCFClientCert " -ic d:\WCFClient.cer -sr LocalMachine -ss My -sky exchange -pe


This happened to me. The tool I use to generate my web services (Web Service Software Factory) ALWAYS sets the protection level for the service and the operations, and it sets them to ProtectionLevel.None. The end result was my svcutil config files would contain custom bindings instead of a simple wsHttpBinding.

To solve the unencrypted SOAP body problem I changed all the ProtectionLevel attributes to EncryptAndSign on the operations and the service itself. Now the svcutil output has the desired wsHttpBinding (custom binding is gone). Testing with fiddler shows the body is encrypted.

I could have also removed the Protection Level attribute -- for the wsHttpBinding it has the same effect. But since this code is generated with a tool I'd have to do it every time I generated code.

I hope this helps someone out. This one had me stumped for a while.


Are you talking about the request or the reply body? In any case, at the least, it looks like your service's binding configuration is setting the mode attribute in the <security> element to Message (i.e.):

  <wsHttpBinding>
    <binding name="wsHttpEndpointBinding" >
      <security mode="Message">
        <message clientCredentialType="Certificate" establishSecurityContext ="true"  />
      </security>
    </binding>
  </wsHttpBinding>
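Both answers above come down to two settings that decide whether the SOAP body is protected: the ProtectionLevel on the contract and its operations (first answer) and the security mode of the binding (second answer). The following C# is an added example, not code from the question or either answer; the contract name IMySvc and the namespace are assumed, and the Ping operation with its Sign override is hypothetical, included only so the report shows a per-operation setting differing from the contract-level one. It reads the effective protection levels back from the ContractDescription, which is the same metadata WCF and svcutil use when deciding how to protect each message, and builds the wsHttpBinding with mode="Message" and certificate credentials that the second answer describes.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Description;

// Assumed contract, shaped like the asker's IMySvc. Pinning ProtectionLevel to
// EncryptAndSign at the contract level is the fix the first answer applied;
// ProtectionLevel.None here is what leaves the body in clear text.
[ServiceContract(Namespace = "http://example.invalid/mysvc",
                 ProtectionLevel = ProtectionLevel.EncryptAndSign)]
public interface IMySvc
{
    // No per-operation setting: inherits EncryptAndSign from the contract.
    [OperationContract]
    string Echo(string text);

    // Hypothetical operation overriding the contract level; the body of this
    // call would be signed but not encrypted.
    [OperationContract(ProtectionLevel = ProtectionLevel.Sign)]
    string Ping();
}

public static class ProtectionCheck
{
    // Prints the protection level that will actually apply to each operation.
    // When neither the operation nor the contract sets one, WCF falls back to
    // the binding's default, which is EncryptAndSign for message security.
    public static void Report(Type contractType)
    {
        ContractDescription cd = ContractDescription.GetContract(contractType);
        Console.WriteLine("Contract {0}: {1}", cd.Name,
            cd.HasProtectionLevel ? cd.ProtectionLevel.ToString() : "(binding default)");

        foreach (OperationDescription op in cd.Operations)
        {
            ProtectionLevel effective;
            if (op.HasProtectionLevel)
                effective = op.ProtectionLevel;
            else if (cd.HasProtectionLevel)
                effective = cd.ProtectionLevel;
            else
                effective = ProtectionLevel.EncryptAndSign; // binding default under message security

            Console.WriteLine("  {0}: {1}", op.Name, effective);
        }
    }

    // Code equivalent of the second answer's config:
    //   <security mode="Message">
    //     <message clientCredentialType="Certificate" establishSecurityContext="true" />
    //   </security>
    public static WSHttpBinding MessageSecurityBinding()
    {
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.EstablishSecurityContext = true;
        return binding;
    }

    public static void Main()
    {
        Report(typeof(IMySvc));

        WSHttpBinding b = MessageSecurityBinding();
        Console.WriteLine("Binding mode: {0}, client credential: {1}",
            b.Security.Mode, b.Security.Message.ClientCredentialType);
    }
}
```

Running Report on a contract generated with ProtectionLevel.None on every operation shows "None" beside each one, which is the state the first answer describes; after changing the attributes (or deleting them so the binding default applies) the same report shows EncryptAndSign, and a proxy or Fiddler trace will then carry an EncryptedData element in place of the clear-text body.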
