通过

如何:使用 WCF 客户端访问 WSE 3.0 服务

  • 项目

当 WCF 客户端配置为使用 2004 年 8 月版的 WS-Addressing 规范时,Windows Communication Foundation (WCF) 客户端在网络级别与 Web Services Enhancements (WSE) 3.0 for Microsoft .NET 服务兼容。但是,由于 WSE 3.0 服务不支持元数据交换 (MEX) 协议,因此,在使用ServiceModel 元数据实用工具 (Svcutil.exe) 创建 WCF 客户端类时,安全设置不会应用于生成的 WCF 客户端。因此,在生成 WCF 客户端后,必须指定 WSE 3.0 服务要求的安全设置。

您可以在考虑 WSE 3.0 服务的要求以及 WSE 3.0 服务和 WCF 客户端之间的互操作要求的情况下,使用自定义绑定来应用这些安全设置。这些互操作性要求包括前面提到的使用 2004 年 8 月版的 WS-Addressing 规范和 SignBeforeEncrypt 的 WSE 3.0 默认消息保护。WCF 的默认消息保护为 SignBeforeEncryptAndEncryptSignature。本主题详细说明如何创建与 WSE 3.0 服务互操作的 WCF 绑定。WCF 还提供了体现此绑定的示例。有关此示例的更多信息,请参见Interoperating with WSE

使用 WCF 客户端访问 WSE 3.0 Web 服务

  1. 运行ServiceModel 元数据实用工具 (Svcutil.exe) 以创建用于 WSE 3.0 Web 服务的 WCF 客户端。

    对于 WSE 3.0 Web 服务,会创建一个 WCF 客户端。因为 WSE 3.0 不支持 MEX 协议,因此不能使用该工具检索 Web 服务的安全要求。应用程序开发人员必须为客户端添加安全设置。

    有关创建 WCF 客户端的更多信息,请参见如何:创建 Windows Communication Foundation 客户端

  2. 创建一个类,表示可与 WSE 3.0 Web 服务进行通信的绑定。

    下面的类是Interoperating with WSE示例的一部分:

    1. 创建一个从 Binding 类派生的类。

      下面的代码示例创建一个从 Binding 类派生的名为 WseHttpBinding 的类。

      Public Class WseHttpBinding
    Inherits Binding

      public class WseHttpBinding : Binding
{

    2. 向该类中添加属性,用以指定 WSE 服务使用的 WSE 完整断言、是否需要派生密钥、是否使用安全会话、是否需要签名确认以及消息保护设置。在 WSE 3.0 中,完整断言指定客户端或 Web 服务的安全要求,它类似于 WCF 中绑定的身份验证模式。

      下面的代码示例定义了 SecurityAssertionRequireDerivedKeysEstablishSecurityContextMessageProtectionOrder 属性,这些属性分别指定 WSE 完整断言、是否需要派生密钥、是否使用安全会话、是否需要签名确认以及消息保护设置。

      Public Property SecurityAssertion() As WseSecurityAssertion

    Get

        Return assertion

    End Get
    Set(ByVal value As WseSecurityAssertion)

        assertion = value

    End Set

End Property

Private m_requireDerivedKeys As Boolean
Public Property RequireDerivedKeys() As Boolean

    Get

        Return m_requireDerivedKeys

    End Get
    Set(ByVal value As Boolean)

        m_requireDerivedKeys = value

    End Set

End Property

Private m_establishSecurityContext As Boolean
Public Property EstablishSecurityContext() As Boolean

    Get

        Return m_establishSecurityContext

    End Get
    Set(ByVal value As Boolean)

        m_establishSecurityContext = value

    End Set

End Property

Private m_requireSignatureConfirmation As Boolean
Public Property RequireSignatureConfirmation() As Boolean

    Get

        Return m_requireSignatureConfirmation

    End Get
    Set(ByVal value As Boolean)

        m_requireSignatureConfirmation = value

    End Set

End Property

Private m_messageProtectionOrder As MessageProtectionOrder
Public Property MessageProtectionOrder() As MessageProtectionOrder

    Get

        Return m_messageProtectionOrder

    End Get
    Set(ByVal value As MessageProtectionOrder)

        m_messageProtectionOrder = value

    End Set

End Property

      private WseSecurityAssertion assertion;
public WseSecurityAssertion SecurityAssertion
{
    get { return assertion; }
    set { assertion = value; }
}

private bool requireDerivedKeys;
public bool RequireDerivedKeys
{
    get { return requireDerivedKeys; }
    set { requireDerivedKeys = value; }
}

private bool establishSecurityContext;
public bool EstablishSecurityContext
{
    get { return establishSecurityContext; }
    set { establishSecurityContext = value; }
}

private bool requireSignatureConfirmation;
public bool RequireSignatureConfirmation
{
    get { return requireSignatureConfirmation; }
    set { requireSignatureConfirmation = value; }
}

private MessageProtectionOrder messageProtectionOrder;
public MessageProtectionOrder MessageProtectionOrder
{
    get { return messageProtectionOrder; }
    set { messageProtectionOrder = value; }
}

    3. 重写 CreateBindingElements 方法以设置绑定属性。

      下面的代码示例通过获取 SecurityAssertionMessageProtectionOrder 属性的值来指定传输协议、消息编码和消息保护设置。

      Public Overloads Overrides Function CreateBindingElements() As BindingElementCollection

    'SecurityBindingElement sbe = bec.Find<SecurityBindingElement>();
    Dim bec As New BindingElementCollection()
    ' By default http transport is used
    Dim securityBinding As SecurityBindingElement
    Dim transport As BindingElement

    Select Case assertion

        Case WseSecurityAssertion.UsernameOverTransport
            transport = New HttpsTransportBindingElement()
            securityBinding = DirectCast(SecurityBindingElement.CreateUserNameOverTransportBindingElement(), TransportSecurityBindingElement)
            If m_establishSecurityContext = True Then
                Throw New InvalidOperationException("Secure Conversation is not supported for this Security Assertion Type")
            End If
            If m_requireSignatureConfirmation = True Then
                Throw New InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type")
            End If
            Exit Select
        Case WseSecurityAssertion.MutualCertificate10
            transport = New HttpTransportBindingElement()
            securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10)
            If m_requireSignatureConfirmation = True Then
                Throw New InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type")
            End If
            DirectCast(securityBinding, AsymmetricSecurityBindingElement).MessageProtectionOrder = m_messageProtectionOrder
            Exit Select
        Case WseSecurityAssertion.UsernameForCertificate
            transport = New HttpTransportBindingElement()
            securityBinding = DirectCast(SecurityBindingElement.CreateUserNameForCertificateBindingElement(), SymmetricSecurityBindingElement)
            ' We want signatureconfirmation on the bootstrap process 
            ' either for the application messages or for the RST/RSTR
            DirectCast(securityBinding, SymmetricSecurityBindingElement).RequireSignatureConfirmation = m_requireSignatureConfirmation
            DirectCast(securityBinding, SymmetricSecurityBindingElement).MessageProtectionOrder = m_messageProtectionOrder
            Exit Select
        Case WseSecurityAssertion.AnonymousForCertificate
            transport = New HttpTransportBindingElement()
            securityBinding = DirectCast(SecurityBindingElement.CreateAnonymousForCertificateBindingElement(), SymmetricSecurityBindingElement)
            DirectCast(securityBinding, SymmetricSecurityBindingElement).RequireSignatureConfirmation = m_requireSignatureConfirmation
            DirectCast(securityBinding, SymmetricSecurityBindingElement).MessageProtectionOrder = m_messageProtectionOrder
            Exit Select
        Case WseSecurityAssertion.MutualCertificate11
            transport = New HttpTransportBindingElement()
            securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11)
            DirectCast(securityBinding, SymmetricSecurityBindingElement).RequireSignatureConfirmation = m_requireSignatureConfirmation
            DirectCast(securityBinding, SymmetricSecurityBindingElement).MessageProtectionOrder = m_messageProtectionOrder
            Exit Select
        Case WseSecurityAssertion.Kerberos
            transport = New HttpTransportBindingElement()
            securityBinding = DirectCast(SecurityBindingElement.CreateKerberosBindingElement(), SymmetricSecurityBindingElement)
            DirectCast(securityBinding, SymmetricSecurityBindingElement).RequireSignatureConfirmation = m_requireSignatureConfirmation
            DirectCast(securityBinding, SymmetricSecurityBindingElement).MessageProtectionOrder = m_messageProtectionOrder
            Exit Select
        Case Else
            Throw New NotSupportedException("This supplied Wse security assertion is not supported")

    End Select

    'Set defaults for the security binding
    securityBinding.IncludeTimestamp = True

    ' Derived Keys
    ' Set the preference for derived keys before creating the binding for SecureConversation.
    securityBinding.SetKeyDerivation(m_requireDerivedKeys)

    'Secure Conversation 
    If m_establishSecurityContext = True Then

        Dim secureconversation As SymmetricSecurityBindingElement = DirectCast(SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(securityBinding, False), SymmetricSecurityBindingElement)
        ' This is the default
        'secureconversation.DefaultProtectionLevel = ProtectionLevel.EncryptAndSign;        

        'Set defaults for the secure conversation binding
        secureconversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256
        ' We do not want signature confirmation on the application level messages 
        ' when secure conversation is enabled.
        secureconversation.RequireSignatureConfirmation = False
        secureconversation.MessageProtectionOrder = m_messageProtectionOrder
        secureconversation.SetKeyDerivation(m_requireDerivedKeys)
        securityBinding = secureconversation

    End If

    ' Add the security binding to the binding collection
    bec.Add(securityBinding)

    ' Add the message encoder. 
    Dim textelement As New TextMessageEncodingBindingElement()
    textelement.MessageVersion = System.ServiceModel.Channels.MessageVersion.Soap11WSAddressingAugust2004
    'These are the defaults required for WSE
    'textelement.MessageVersion = MessageVersion.Soap11Addressing1;
    'textelement.WriteEncoding = System.Text.Encoding.UTF8;
    bec.Add(textelement)

    ' Add the transport
    bec.Add(transport)

    ' return the binding elements
    Return bec

End Function

      public override BindingElementCollection CreateBindingElements()
{
    //SecurityBindingElement sbe = bec.Find<SecurityBindingElement>();
    BindingElementCollection bec = new BindingElementCollection();
    // By default http transport is used
    SecurityBindingElement securityBinding;
    BindingElement transport;

    switch (assertion)
    {
        case WseSecurityAssertion.UsernameOverTransport:
            transport = new HttpsTransportBindingElement();
            securityBinding = (TransportSecurityBindingElement)SecurityBindingElement.CreateUserNameOverTransportBindingElement();
            if (establishSecurityContext == true)
                throw new InvalidOperationException("Secure Conversation is not supported for this Security Assertion Type");
            if (requireSignatureConfirmation == true)
                throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
            break;
        case WseSecurityAssertion.MutualCertificate10:
            transport = new HttpTransportBindingElement();
            securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10);
            if (requireSignatureConfirmation == true)
                throw new InvalidOperationException("Signature Confirmation is not supported for this Security Assertion Type");
            ((AsymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
            break;
        case WseSecurityAssertion.UsernameForCertificate:
            transport = new HttpTransportBindingElement();
            securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateUserNameForCertificateBindingElement();
            // We want signatureconfirmation on the bootstrap process 
            // either for the application messages or for the RST/RSTR
            ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
            ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
            break;
        case WseSecurityAssertion.AnonymousForCertificate:
            transport = new HttpTransportBindingElement();
            securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateAnonymousForCertificateBindingElement();
            ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
            ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
            break;
        case WseSecurityAssertion.MutualCertificate11:
            transport = new HttpTransportBindingElement();
            securityBinding = SecurityBindingElement.CreateMutualCertificateBindingElement(MessageSecurityVersion.WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11);
            ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
            ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
            break;
        case WseSecurityAssertion.Kerberos:
            transport = new HttpTransportBindingElement();
            securityBinding = (SymmetricSecurityBindingElement)SecurityBindingElement.CreateKerberosBindingElement();
            ((SymmetricSecurityBindingElement)securityBinding).RequireSignatureConfirmation = requireSignatureConfirmation;
            ((SymmetricSecurityBindingElement)securityBinding).MessageProtectionOrder = messageProtectionOrder;
            break;
        default:
            throw new NotSupportedException("This supplied Wse security assertion is not supported");
    }
    //Set defaults for the security binding
    securityBinding.IncludeTimestamp = true;

    // Derived Keys
    // set the preference for derived keys before creating SecureConversationBindingElement
    securityBinding.SetKeyDerivation(requireDerivedKeys);

    //Secure Conversation 
    if (establishSecurityContext == true)
    {
        SymmetricSecurityBindingElement secureconversation =
                (SymmetricSecurityBindingElement)SymmetricSecurityBindingElement.CreateSecureConversationBindingElement(
                                            securityBinding, false);
        // This is the default
        //secureconversation.DefaultProtectionLevel = ProtectionLevel.EncryptAndSign;                

        //Set defaults for the secure conversation binding
        secureconversation.DefaultAlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        // We do not want signature confirmation on the application level messages 
        // when secure conversation is enabled.
        secureconversation.RequireSignatureConfirmation = false;
        secureconversation.MessageProtectionOrder = messageProtectionOrder;
        secureconversation.SetKeyDerivation(requireDerivedKeys);
        securityBinding = secureconversation;
    }

    // Add the security binding to the binding collection
    bec.Add(securityBinding);

    // Add the message encoder. 
    TextMessageEncodingBindingElement textelement = new TextMessageEncodingBindingElement();
    textelement.MessageVersion = MessageVersion.Soap11WSAddressingAugust2004;
    //These are the defaults required for WSE
    //textelement.MessageVersion = MessageVersion.Soap11Addressing1;
    //textelement.WriteEncoding = System.Text.Encoding.UTF8;
    bec.Add(textelement);

    // Add the transport
    bec.Add(transport);


    // return the binding elements
    return bec;
}

  3. 在客户端应用程序代码中,添加设置绑定属性的代码。

    下面的代码示例指定 WCF 客户端必须使用 WSE 3.0 AnonymousForCertificate 完整安全断言定义的消息保护和身份验证。此外,还需要安全会话和派生密钥。

    Private Shared Sub CallWseService(ByVal usePolicyFile As Boolean)

    Dim address As New EndpointAddress(New Uri("https://localhost/WSSecurityAnonymousPolicy/WSSecurityAnonymousService.asmx"), EndpointIdentity.CreateDnsIdentity("WSE2QuickStartServer"))

    Dim binding As New WseHttpBinding()
    If Not usePolicyFile Then

        binding.SecurityAssertion = WseSecurityAssertion.AnonymousForCertificate
        binding.EstablishSecurityContext = True
        binding.RequireDerivedKeys = True
        binding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt

    Else
        binding.LoadPolicy("..\wse3policyCache.config", "ServerPolicy")
    End If

    Dim client As New WSSecurityAnonymousServiceSoapClient(binding, address)

    static void CallWseService(bool usePolicyFile)
{
    EndpointAddress address = new EndpointAddress(new Uri("https://localhost/WSSecurityAnonymousPolicy/WSSecurityAnonymousService.asmx"),
                                                  EndpointIdentity.CreateDnsIdentity("WSE2QuickStartServer"));

    WseHttpBinding binding = new WseHttpBinding();
    if (!usePolicyFile)
    {
        binding.SecurityAssertion = WseSecurityAssertion.AnonymousForCertificate;
        binding.EstablishSecurityContext = true;
        binding.RequireDerivedKeys = true;
        binding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
    }
    else
        binding.LoadPolicy("..\\wse3policyCache.config", "ServerPolicy");

    WSSecurityAnonymousServiceSoapClient client = new WSSecurityAnonymousServiceSoapClient(binding, address);

示例

下面的代码示例定义了一个自定义绑定,该绑定公开对应于 WSE 3.0 完整安全断言的各个属性的属性。之后,使用该自定义绑定(名为 WseHttpBinding)来指定与 WSSecurityAnonymous WSE 3.0 QuickStart 示例通信的 WCF 客户端的绑定属性。

Imports System
Imports System.Collections.Generic
Imports System.Text
Imports System.Security.Cryptography.X509Certificates
Imports System.ServiceModel
Imports System.ServiceModel.Security
Imports System.ServiceModel.Channels
Imports Microsoft.VisualBasic

Namespace Microsoft.ServiceModel.Samples

    ' The service contract is defined in generatedClient.vb, generated from the service by

    ' the svcutil tool.
    Class Program

        Public Shared Sub Main(ByVal args As String())

            CallWseService(True)

        End Sub

        Private Shared Sub CallWseService(ByVal usePolicyFile As Boolean)

            Dim address As New EndpointAddress(New Uri("https://localhost/WSSecurityAnonymousPolicy/WSSecurityAnonymousService.asmx"), EndpointIdentity.CreateDnsIdentity("WSE2QuickStartServer"))

            Dim binding As New WseHttpBinding()
            If Not usePolicyFile Then

                binding.SecurityAssertion = WseSecurityAssertion.AnonymousForCertificate
                binding.EstablishSecurityContext = True
                binding.RequireDerivedKeys = True
                binding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt

            Else
                binding.LoadPolicy("..\wse3policyCache.config", "ServerPolicy")
            End If

            Dim client As New WSSecurityAnonymousServiceSoapClient(binding, address)

            ' Need to supply the credentials depending on the type of WseSecurityAssertion used.
            ' Anonymous only requires server certificate. UsernameForCertificate would also require
            ' a username and password to be supplied.
            client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectDistinguishedName, "CN=WSE2QuickStartServer")
            Dim symbols As String() = New String() {"FABRIKAM", "CONTOSO"}
            Dim quotes As StockQuote() = client.StockQuoteRequest(symbols)

            client.Close()

            ' Success!
            For Each quote As StockQuote In quotes

                Console.WriteLine("")
                Console.WriteLine("Symbol: " + quote.Symbol)
                Console.WriteLine("" & Chr(9) & "Name:" & Chr(9) & "" & Chr(9) & "" & Chr(9) & "" + quote.Name)
                Console.WriteLine("" & Chr(9) & "Last Price:" & Chr(9) & "" & Chr(9) & "" & quote.Last)
                Console.WriteLine("" & Chr(9) & "Previous Change:" & Chr(9) & "" & quote.PreviousChange & "%")

            Next

            Console.WriteLine("Press <ENTER> to terminate client.")
            Console.ReadLine()

        End Sub

    End Class

End Namespace

using System;
using System.Collections.Generic;
using System.Text;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.ServiceModel.Channels;

namespace Microsoft.ServiceModel.Samples
{
    // The service contract is defined in generatedClient.cs, generated from the service by
    // the svcutil tool.

    class Program
    {
        static void Main(string[] args)
        {
            CallWseService(true);
        }
        static void CallWseService(bool usePolicyFile)
        {
            EndpointAddress address = new EndpointAddress(new Uri("https://localhost/WSSecurityAnonymousPolicy/WSSecurityAnonymousService.asmx"),
                                                          EndpointIdentity.CreateDnsIdentity("WSE2QuickStartServer"));

            WseHttpBinding binding = new WseHttpBinding();
            if (!usePolicyFile)
            {
                binding.SecurityAssertion = WseSecurityAssertion.AnonymousForCertificate;
                binding.EstablishSecurityContext = true;
                binding.RequireDerivedKeys = true;
                binding.MessageProtectionOrder = MessageProtectionOrder.SignBeforeEncrypt;
            }
            else
                binding.LoadPolicy("..\\wse3policyCache.config", "ServerPolicy");

            WSSecurityAnonymousServiceSoapClient client = new WSSecurityAnonymousServiceSoapClient(binding, address);

            // Need to supply the credentials depending on the type of WseSecurityAssertion used.
            // Anonymous only requires server certificate. UsernameForCertificate would also require
            // a username and password to be supplied.
            client.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
                                                                 StoreLocation.LocalMachine,
                                                                 StoreName.My,
                                                                 X509FindType.FindBySubjectDistinguishedName,
                                                                 "CN=WSE2QuickStartServer");
            string[] symbols = new string[] { "FABRIKAM", "CONTOSO" };
            StockQuote[] quotes = client.StockQuoteRequest(symbols);

            client.Close();

            // Success!
            foreach (StockQuote quote in quotes)
            {
                Console.WriteLine("");
                Console.WriteLine("Symbol: " + quote.Symbol);
                Console.WriteLine("\tName:\t\t\t" + quote.Name);
                Console.WriteLine("\tLast Price:\t\t" + quote.Last);
                Console.WriteLine("\tPrevious Change:\t" + quote.PreviousChange + "%");
            }

            Console.WriteLine("Press <ENTER> to terminate client.");
            Console.ReadLine();
        }
    }
}

另请参见

参考

Binding

其他资源

Interoperating with WSE