憑證用戶端的訊息安全性
下列案例示範使用訊息安全性模式,保護 Windows Communication Foundation (WCF) 用戶端與服務。 用戶端與服務皆以憑證驗證。 如需詳細資訊,請參閱分散式應用程式安全性。
如需應用程式範例,請參閱訊息安全性憑證。
| 特性 | 描述 |
|---|---|
| 安全性模式 | 訊息 |
| 互通性 | 僅限 WCF |
| 驗證 (伺服器) | 使用服務憑證 |
| 驗證 (用戶端) | 使用用戶端憑證 |
| 完整性 | Yes |
| 保密 | Yes |
| 傳輸 | HTTP |
| 繫結 | WSHttpBinding |
服務
下列程式碼和組態要獨立執行。 執行下列其中一項動作:
使用不含組態的程式碼建立獨立服務。
使用提供的組態建立服務,但不要定義任何端點。
代碼
下列程式碼顯示如何建立使用訊息安全性產生安全內容的服務端點。
// Create the binding.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;
// Create the URI for the endpoint.
Uri httpUri = new Uri("http://localhost/Calculator");
// Create the service host.
ServiceHost myServiceHost =
new ServiceHost(typeof(Calculator), httpUri);
myServiceHost.AddServiceEndpoint(typeof(ICalculator), binding, "");
// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.
SetCertificate(StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindBySubjectName,
"Contoso.com");
// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();
// Close the service.
myServiceHost.Close();
' Create the binding.
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Message
binding.Security.Message.ClientCredentialType = _
MessageCredentialType.Certificate
' Create the URI for the endpoint.
Dim httpUri As New Uri("http://localhost/Calculator")
' Create the service host.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ICalculator), binding, "")
' Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate( _
StoreLocation.LocalMachine, StoreName.My, _
X509FindType.FindBySubjectName, "Contoso.com")
' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()
' Close the service.
myServiceHost.Close()
組態
可以使用以下組態來取代程式碼。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="Contoso.com"
x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="http://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="MessageAndCertificateClient"
name="SecuredByClientCertificate"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator">
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>
用戶端
下列程式碼和組態要獨立執行。 執行下列其中一項動作:
使用此程式碼 (和用戶端程式碼) 建立獨立用戶端。
建立未定義任何端點位址的用戶端, 然後改用可接受組態名稱當做引數的用戶端建構函式。 例如:
CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");Dim cc As New CalculatorClient("EndpointConfigurationName")
代碼
下列程式碼會建立用戶端。 繫結會使用訊息模式安全性,而且用戶端認證類型設為 Certificate。
// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType =
MessageCredentialType.Certificate;
// Create the endpoint address.
EndpointAddress ea = new
EndpointAddress("http://machineName/Calculator");
// Create the client.
CalculatorClient cc =
new CalculatorClient(myBinding, ea);
// Specify a certificate to use for authenticating the client.
cc.ClientCredentials.ClientCertificate.SetCertificate(
StoreLocation.CurrentUser,
StoreName.My,
X509FindType.FindBySubjectName,
"Cohowinery.com");
// Begin using the client.
try
{
cc.Open();
Console.WriteLine(cc.Add(200, 1111));
Console.ReadLine();
// Close the client.
cc.Close();
}
' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Message
myBinding.Security.Message.ClientCredentialType = _
MessageCredentialType.Certificate
' Create the endpoint address.
Dim ea As New EndpointAddress("http://machineName/Calculator")
' Create the client.
Dim cc As New CalculatorClient(myBinding, ea)
' Specify a certificate to use for authenticating the client.
cc.ClientCredentials.ClientCertificate.SetCertificate( _
StoreLocation.CurrentUser, StoreName.My, _
X509FindType.FindBySubjectName, "Cohowinery.com")
' Begin using the client.
Try
cc.Open()
Console.WriteLine(cc.Add(100, 11))
Console.ReadLine()
' Close the client.
cc.Close()
Catch tex As TimeoutException
Console.WriteLine(tex.Message)
cc.Abort()
Catch cex As CommunicationException
Console.WriteLine(cex.Message)
cc.Abort()
Finally
Console.WriteLine("Closed the client")
Console.ReadLine()
End Try
組態
下列組態指定使用端點行為的用戶端憑證。 如需憑證的詳細資訊,請參閱使用憑證。 程式碼也使用 <identity> 元素指定預期伺服器識別的網域名稱系統 (DNS)。 如需識別的詳細資訊,請參閱服務識別與驗證。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="endpointCredentialsBehavior">
<clientCredentials>
<clientCertificate findValue="Cohowinery.com"
storeLocation="LocalMachine"
x509FindType="FindBySubjectName" />
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="Certificate" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://machineName/Calculator"
behaviorConfiguration="endpointCredentialsBehavior"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
contract="ICalculator"
name="WSHttpBinding_ICalculator">
<identity>
<dns value="Contoso.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>