匿名客户端的消息安全
下面的方案演示通过 Windows Communication Foundation (WCF) 消息安全进行保护的客户端和服务。其设计目的是使用消息安全而非传输安全,以便将来可支持更加丰富的基于声明的模型。有关将丰富声明用于授权的更多信息,请参见使用标识模型管理声明和授权。
有关示例应用程序,请参见匿名消息安全。
.gif "匿名客户端的消息安全")
| 特征 | 说明 |
|---|---|
安全模式 |
消息 |
互操作性 |
仅 WCF |
身份验证(服务器) |
初始协商要求服务器身份验证,而不是客户端身份验证 |
身份验证(客户端) |
无 |
完整性 |
是,使用共享安全上下文 |
保密性 |
是,使用共享安全上下文 |
传输 |
HTTP |
服务
下面的代码和配置应独立运行。执行下列操作之一:
使用代码(而不使用配置)创建独立服务。
使用提供的配置创建服务,但不定义任何终结点。
代码
下面的代码演示如何创建使用消息安全的服务终结点。
' Create the binding.
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Message
binding.Security.Message.ClientCredentialType = _
MessageCredentialType.None
' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")
' Create the service host and add an endpoint.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ServiceModel.ICalculator), binding, "")
' Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, _
StoreName.My, X509FindType.FindByThumbprint, "00000000000000000000000000000000")
' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()
' Close the service.
myServiceHost.Close()
// Create the binding.
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
MessageCredentialType.None;
// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");
// Create the service host and add an endpoint.
ServiceHost myServiceHost =
new ServiceHost(typeof(ServiceModel.Calculator), httpUri);
myServiceHost.AddServiceEndpoint(
typeof(ServiceModel.ICalculator), binding, "");
// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(
StoreLocation.LocalMachine,
StoreName.My,
X509FindType.FindByThumbprint,
"00000000000000000000000000000000");
// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();
// Close the service.
myServiceHost.Close();
配置
以下配置可代替代码使用。服务行为元素用于指定用来向客户端验证服务身份的证书。服务元素必须使用 behaviorConfiguration 属性指定行为。绑定元素指定客户端凭据类型为 None,这将允许匿名客户端使用该服务。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceCredentialsBehavior">
<serviceCredentials>
<serviceCertificate findValue="contoso.com"
storeLocation="LocalMachine"
storeName="My" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="ServiceCredentialsBehavior"
name="ServiceModel.Calculator">
<endpoint address="https://localhost/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
name="CalculatorService"
contract="ServiceModel.ICalculator" />
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client />
</system.serviceModel>
</configuration>
客户端
下面的代码和配置将独立运行。执行下列操作之一:
使用代码(和客户端代码)创建独立客户端。
创建不定义任何终结点地址的客户端。而使用将配置名称作为参数的客户端构造函数。例如:
Dim cc As New CalculatorClient("EndpointConfigurationName")CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");
代码
下面的代码创建客户端的一个实例。绑定使用消息模式安全,客户端凭据类型设置为 None。
' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Message
myBinding.Security.Message.ClientCredentialType = MessageCredentialType.None
' Create the endpoint address.
Dim ea As New EndpointAddress("https://localhost/Calculator")
' Create the client.
Dim cc As New CalculatorClient(myBinding, ea)
' Begin using the client.
Try
cc.Open()
Console.WriteLine(cc.Add(100, 11))
Console.ReadLine()
' Close the client.
cc.Close()
Catch tex As TimeoutException
Console.WriteLine(tex.Message)
cc.Abort()
Catch cex As CommunicationException
Console.WriteLine(cex.Message)
cc.Abort()
Finally
Console.WriteLine("Closed the client")
Console.ReadLine()
End Try
// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType =
MessageCredentialType.None;
// Create the endpoint address.
EndpointAddress ea = new
EndpointAddress("https://localhost/Calculator");
// Create the client.
CalculatorClient cc =
new CalculatorClient(myBinding, ea);
// Begin using the client.
try
{
cc.Open();
Console.WriteLine(cc.Add(200, 1111));
Console.ReadLine();
// Close the client.
cc.Close();
}
配置
下面的代码将配置客户端。
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="WSHttpBinding_ICalculator" >
<security mode="Message">
<message clientCredentialType="None" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://machineName/Calculator"
binding="wsHttpBinding"
bindingConfiguration="WSHttpBinding_ICalculator"
contract="ICalculator"
name="WSHttpBinding_ICalculator">
<identity>
<dns value="contoso.com" />
</identity>
</endpoint>
</client>
</system.serviceModel>
</configuration>