我有一个需要使用的 Java 服务,并且安全要求规定消息需要签名和时间戳,但不需要加密。
我尝试采用自定义绑定(bind)并成功添加了签名时间戳,但消息正文始终被加密,如下所示:
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo2ZxfrkBGk9AsTA8KWukb2AAAAAADLwbydLv0kmqZo1361cxb7JSYAqPOP5HmzAGAtf6H7MACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="uuid-f761d810-63b1-485b-a89f-1d3da446f273-1">
<u:Created>2016-05-11T14:34:10.237Z</u:Created>
<u:Expires>2016-05-11T14:39:10.237Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-76114032-1c65-4a4d-9f54-9d5d68e0dc2b-2">...</o:BinarySecurityToken>
<e:EncryptedKey Id="_0" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns="http://www.w3.org/2000/09/xmldsig#"/>
</e:EncryptionMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<o:SecurityTokenReference>
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">WLVP0ah+F2LGQm9mvqQfPJ/sA4w=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>...</e:CipherData>
<e:ReferenceList>
<e:DataReference URI="#_2"/>
</e:ReferenceList>
</e:EncryptedKey>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>2PRP+JjT6OhZcHo9QUMtvwNltY4=</DigestValue>
</Reference>
<Reference URI="#uuid-f761d810-63b1-485b-a89f-1d3da446f273-1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>zkmVC2HFZxdBV03114Ije8gAQE0=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-76114032-1c65-4a4d-9f54-9d5d68e0dc2b-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body u:Id="_1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<e:CipherData>
<e:CipherValue>...</e:CipherValue>
</e:CipherData>
</e:EncryptedData>
</s:Body>
</s:Envelope>
这是我的配置:
<system.serviceModel>
<bindings>
<customBinding>
<binding name="SignTimestampOnly">
<security messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11"
authenticationMode="MutualCertificate" requireDerivedKeys="false" includeTimestamp="true" keyEntropyMode="ClientEntropy" securityHeaderLayout="LaxTimestampFirst"
requireSignatureConfirmation="false" messageProtectionOrder="SignBeforeEncrypt" enableUnsecuredResponse="true" requireSecurityContextCancellation="false"
allowInsecureTransport="true" />
<textMessageEncoding messageVersion="Soap12" writeEncoding="utf-8"/>
<httpTransport />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="http://localhost/myurl" binding="customBinding" bindingConfiguration="SignTimestampOnly" contract="IService" name="Service">
<identity>
<dns value="Service" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<behavior>
<clientCredentials>
<clientCertificate findValue="..." storeLocation="CurrentUser"
storeName="My" x509FindType="FindByThumbprint" />
<serviceCertificate>
<authentication certificateValidationMode="PeerTrust" />
<defaultCertificate findValue="..." storeLocation="CurrentUser"
storeName="My" x509FindType="FindByThumbprint" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
</system.serviceModel>
如何关闭加密但保留签名和时间戳?
最佳答案
本页介绍如何禁用加密。
您可以在 ServiceContract 接口(interface)属性中设置此行为。
// Set the ProtectionLevel on the whole service to Sign.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface Calculator
关于java - WCF 客户端禁用加密,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/37166368/