我需要使用来自 ASP.NET 的受 WS-Security 保护的 Web 服务。
我正在使用 SoapUI 测试服务,作为信封请求:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://aduana.gov.py/webservices">
<soapenv:Header/>
<soapenv:Body>
<web:agregarGuia>
<!--Optional:-->
<guia>?</guia>
<!--Optional:-->
<autenticacion>
<!--Optional:-->
<codAduana>?</codAduana>
<!--Optional:-->
<firmaWSAA>?</firmaWSAA>
<!--Optional:-->
<idUsuario>?</idUsuario>
<!--Optional:-->
<ticketWSAA>?</ticketWSAA>
</autenticacion>
</web:agregarGuia>
</soapenv:Body>
</soapenv:Envelope>
我得到的回应是:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault>
<faultcode>env:Server</faultcode>
<faultstring>org.jboss.ws.core.CommonSOAPFaultException: This service requires <wsse:Security>, which is missing.</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
所以我联系了服务提供商,他们告诉我必须使用 WS-Security 才能调用该服务。因此,发送到服务器的 SOAP 消息必须使用我的证书进行数字签名。
问题是我不知道该怎么做。到目前为止,我添加了一个服务引用,并在代码中传递了上述证书:
var srvRef = new DnaSoapClient();
srvRef.ClientCredentials.ClientCertificate.Certificate = theCert;
var response = srvRef.agregarManifiesto( dnaManifiesto );
我用谷歌搜索了一下,有些人推荐使用 WCF。我正在构建一个 ASP.NET 4.5 应用程序。在这种情况下我有什么选择? 我需要知道如何使用我的证书对消息进行签名。
EDIT 1: I was able to advance the issue, now I can send the SOAP message signed with the certificate and I'm close to finish my task. Now I fail in setting the correct elements in Security tag, I edited the question to show both envelope, the correct one and mine.
Correct: this is an sample envelope for a correct request
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-B259DAB3D28E48CB6A140000796019094">MIIC9TCCAd2gAwIBAgIIUiM4nWs8kfcwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwHhcNMTQwMzIwMTkxMTIwWhcNMTgxMjIwMTQzNzEzWjBBMRQwEgYDVQQDDAtjb3VyaWVyLnRudDEOMAwGA1UECwwFc29maWExDDAKBgNVBAoMA2RuYTELMAkGA1UEBhMCcHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOS71x5+ChwGzWs4VlLgkePbU8/zFHUrrE8nFNVsukMCc5q5hCK8/CeNM+mxImilLdJrGoC2/000lQetB9B3AqIrAdOfBFU4/qsAlgWI+kt2jnUsJMLRjQfxhAKMeX4RUb0CmTcsnXtWlFvYFFjiUi9nUJVSxCsmldVFgLIAHRPjAgMBAAGjfzB9MB0GA1UdDgQWBBTCwBBmU7f/4SmNz7GNJ25ILkPuhjAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaAFDF+1hOSdgg2DFOUofnnXdx9TxjeMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAALVVGGNsTSMcfDBwkkNQH3MpfiNTo/mhH8ahqUVN1+5BIwWstv8fH0Sl9ea1XShKLPDfDIx8WSzUUIt/93f74B3a3oMpBtbVEiku2BKUp5cJfkYe2c5zPOxk3nzmQwcEoB++RgX9DJOtUkKA/It2IM9/8ggUyjceJQCpBRiA9Kg7+h3HfmOKNn+9/pNu498JXhSRKa8Jr4pp/1udYRk+W8sKGEBtAU9MvL3y0AbvLhUD+MZyvpHGB17fslC8Nnd5EBQH8hQD+DWGepyCBIlb0NA13YEoLMcRKDcWvSPd0UGWo2G0IOeUZaGuzzIz2n04QrXvnqQKAOFd9yH2VfGtWE=</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-96" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces PrefixList="soapenv web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:SignatureMethod>
<ds:Reference URI="#id-95" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ec:InclusiveNamespaces PrefixList="web" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"></ec:InclusiveNamespaces>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:DigestMethod>
<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">whvAdAkypsWVXHXbIz/T54n0dBw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
MdHy5mceNtQWUD5WmVOzZU8roxD3EQkQmcZA9LsfhBcp3cFAD3P1qJJ9EyrRFBs5yCiYDY716Wzh
M+tFybt1+EujXZZ3ytk4XaahkexNAG51iup1wvw0Km+nsj4u/x8DzTA/J9EG3ZdTSUrIVBsFcEQa
TF4BwUAgGBS87xqL5zc=
</ds:SignatureValue>
<ds:KeyInfo Id="KI-B259DAB3D28E48CB6A140000796019095">
<wsse:SecurityTokenReference wsu:Id="STR-B259DAB3D28E48CB6A140000796019096" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference URI="#X509-B259DAB3D28E48CB6A140000796019094" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"></wsse:Reference>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp wsu:Id="TS-94">
<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:06:00.188Z</wsu:Created>
<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-05-13T19:07:00.188Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
Mine, this is not working
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPowmum40QT95GqsY7XPKT7LIAAAAAvMwgorinWU+AVOWH+3TPjP6NBU03AZtHqle8GLRYcYAACQAA</VsDebuggerCausalityData>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2014-05-15T21:30:20.723Z</u:Created>
<u:Expires>2014-05-15T21:35:20.723Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">MIIC9jCCAd6gAwIBAgIINNZyZplkQHgwDQYJKoZIhvcNAQEFBQAwNzERMA8GA1UEAwwIQWRtaW5DQTExFTATBgNVBAoMDEVKQkNBIFNhbXBsZTELMAkGA1UEBhMCU0UwHhcNMTQwMzIwMTgzMjQ3WhcNMTgxMjIwMTQzNzEzWjBCMRUwEwYDVQQDDAxjb3Vycmllci5kaGwxDDAKBgNVBAsMA09QUzEOMAwGA1UECgwFREhMUFkxCzAJBgNVBAYTAlBZMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCGoP0dxByIfto/hqJCOhobTdwQJ3AxJkqUeSNFnprAH8zi6HjBJhzkXptqXiR9GZR1H4U3UaN6aczKVh2PaPqU8ooTxjST0ywWBgXA1WP3ukrybUKxpSvqmiRJ/cANAYLovL+gmh2v/fqPiLs7vsgT+zj1330wRGqtrokYPMjlbQIDAQABo38wfTAdBgNVHQ4EFgQU6IHB4XfP7+rbryy1Ru8kFcfSDqcwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBQxftYTknYINgxTlKH5513cfU8Y3jAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQB3NQC+0/VmC7A1MStKdc2NctTo7P+mhvIBe54U/Vs8I5vXiatKz01BzHIbl7chjP063V4YTtehDCGkwUTtARqpkua7RfdlMqsmcr1s3qnD4lUpGuAeVW0Wsrhu1xGjPf02fTBdD3yyGWCeUiNvKuoweeATlGyB/VlHJaZHN4HuJCnWlPic6uUUMBYqrOOa+wJr/OCFHqkEiBsUihD6ergj7AeAAFcG41GI2ZjVWK/PEB71sbQqqGgLpigAS9f8PNMm+TnQuizrvLPKm3hanOKYr9ORrbWjZCL3dva1YobK4ykvUYpncj6YsOtuDi62RcHYjT7IF9UoeZHBE2vePc+K</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>pM8KraJSLZumo77gD9+JF2f8eBU=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>MZ9ZTKeGj5KNUEn4R6cQhRhOdK0frNK1O5KRGbM+YqfvzlVwVKQ6n7p9rncbtrdGsLg3CVwUVwB7PBF78tDx3p0LjF/Eg015t6qouSyK/92qL3oRz/8TbqLKpe/1uySdmGhrqPrVlTDF2rHuFGwmQVSILyUVLg/nW7K+EDwS/Lg=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-16d1441d-2f30-40a0-ae4e-ec5d557d2261-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
</s:Envelope>
最佳答案
我设法让这个工作成功,我在这里为其他人发布了解决方案。
总而言之,手头的任务是使用具有 ws-security 功能的 java 编写的 Web 服务。让我澄清一下,如果 Web 服务开发人员有意识地编写良好的 wsdl 和/或他们是协作人员,这应该是一项容易的任务。不幸的是,它们都不是。
如果你在这种情况下,你必须武装 SoapUI和 Fiddler自行接受服务。
第一件事是使用 SoapUI 获取服务使用的 Soap 版本,这将定义您可以使用的绑定(bind)类型,在我的例子中它是 Soap 1.1 并且在 ws-security 的说服下强制我使用 customBinding 因为 wsHttpBinding 只支持 Soap 1.2 和 basicBinding 不能灵活地使用启用 WS-Security 的服务。
经过多次测试错误和大量 Fiddler 读取服务器响应后,我终于得出了以下绑定(bind)。全部通过配置完成,不涉及代码:
<system.serviceModel>
<bindings>
<binding name="MyBinding" >
<textMessageEncoding messageVersion="Soap11"/>
<security authenticationMode="MutualCertificate" enableUnsecuredResponse="true" allowSerializedSigningTokenOnReply="true"
messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
includeTimestamp="false">
</security>
<httpsTransport />
</binding>
</customBinding>
</bindings>
<behaviors>
<endpointBehaviors>
<behavior name="ClientCertificateBehavior">
<clientCredentials>
<clientCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindByThumbprint" />
<serviceCertificate>
<defaultCertificate findValue="xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx"
storeLocation="CurrentUser" storeName="My"
x509FindType="FindByThumbprint"/>
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="https://secure.aduana.gov.py/test/tere/serviciotere"
binding="customBinding" bindingConfiguration="MyBinding"
contract="serviciotereSoap" name="serviciotereSoap" behaviorConfiguration="ClientCertificateBehavior">
<identity>
<dns value="tere_test"/>
</identity>
</endpoint>
</client>
</system.serviceModel>
关于c# - 从 .NET 调用带有 WS Security 的 Web 服务,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23663007/