
How do I set up WCF security to require client certificates?


I have a WCF service. I want clients to authenticate with a certificate. This is the service configuration:

<configuration>
  <system.serviceModel>
    <services>
      <service name="FilmLibrary.FilmManager" behaviorConfiguration="FilmService.Service1Behavior">
        <endpoint address="manager" name="certBinding" binding="basicHttpBinding" contract="FilmContract.IFilmManager" />
      </service>
    </services>
    <bindings>
      <basicHttpBinding>
        <binding name="certBinding">
          <security mode="Message">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="FilmService.Service1Behavior">
          <serviceCredentials>
            <clientCertificate>
              <authentication trustedStoreLocation="LocalMachine" certificateValidationMode="PeerTrust" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>

The public key is installed in LocalMachine, Trusted People.

The client configuration is as follows:

<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="certBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
          receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false"
          bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
          maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
          useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <behaviors>
    <endpointBehaviors>
      <behavior name="certBehaviour">
        <clientCredentials>
          <clientCertificate findValue="SubjectKey" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" />
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <client>
    <endpoint address="[...]/Service1.svc/manager"
        binding="basicHttpBinding" bindingConfiguration="certBinding" behaviorConfiguration="certBehaviour"
        contract="FilmsService.IFilmManager" name="certBinding" />
  </client>
</system.serviceModel>

The private key is installed in Personal, Current User.

Without security the service works. After enabling security, it doesn't. I have tried several configurations and I either get an authentication failure or an error saying I must set the service certificate in the clientCredentials element. I don't understand this, because I don't want to authenticate the service at all.

3 Answers

  • 2

    Instead of

    <serviceCredentials>
      <clientCertificate>
        <authentication trustedStoreLocation="LocalMachine" certificateValidationMode="PeerTrust" />
      </clientCertificate>
    </serviceCredentials>
    

    I think you should have

    <serviceCredentials>
      <serviceCertificate findValue="SubjectKey" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
    </serviceCredentials>
    

    This does not authenticate the service; it tells the service how to authenticate the client.

  • 3

    I found the following guide very useful and very detailed: https://notgartner.wordpress.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/

    It covers creating the service, the client and the certificates, and adjusting the two configs.

    Server:

    <bindings>
      <basicHttpBinding>
        <binding name="secureHttpBinding">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <clientCertificate>
              <!--only accept certificates in "Trusted People"-->
              <authentication certificateValidationMode="PeerTrust" trustedStoreLocation="LocalMachine" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    

    Client:

    <bindings>
      <basicHttpBinding>
        <binding name="customBinding1">
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    
    <behaviors>
      <endpointBehaviors>
        <behavior name="customBehavior1">
          <clientCredentials>
            <!--fabrkam-->
            <clientCertificate storeName="My" storeLocation="CurrentUser" x509FindType="FindByThumbprint" findValue="d2 31 6a 73 1b 59 68 3e 74 41 09 27 8c 80 e2 61 45 03 b1 7e"/>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    

    We automatically redirect any HTTP request to HTTPS, so we had to use the TransportWithMessageCredential security type. For plain HTTP, using just Message as the security type should also work.
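    As an added example (not from the question or from any of the answers), here is the same service- and client-side setup expressed in C# against System.ServiceModel on the .NET Framework, so that the pieces the error messages refer to are visible in one place. The contract shape (a Ping operation), the base address, the service certificate subject and the client thumbprint are placeholders. Two points are worth seeing in code: message-layer security encrypts each request to the service's public key, so the service needs its own certificate with a private key even though only the client is being authenticated (that is what the "must set the service certificate" error in the question is about); and the question's service endpoint references binding="basicHttpBinding" without bindingConfiguration="certBinding", so the named binding carrying the Message security is never attached to that endpoint, whereas in code the binding object is passed directly.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Placeholder contract standing in for the page's FilmContract.IFilmManager (assumed shape).
[ServiceContract]
public interface IFilmManager
{
    [OperationContract]
    string Ping();
}

public class FilmManager : IFilmManager
{
    public string Ping() => "pong";
}

public static class WcfCertificateAuth
{
    // basicHttpBinding with the client presenting an X.509 certificate at the message layer.
    // overHttps=false matches the question (mode="Message"); overHttps=true matches the
    // guide in the answer above (mode="TransportWithMessageCredential").
    public static BasicHttpBinding CreateBinding(bool overHttps)
    {
        var binding = new BasicHttpBinding(overHttps
            ? BasicHttpSecurityMode.TransportWithMessageCredential
            : BasicHttpSecurityMode.Message);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        return binding;
    }

    // Service side: equivalent of <serviceCredentials><clientCertificate><authentication .../>
    // plus the <serviceCertificate> that message-layer security requires. The client encrypts
    // the message to the service's public key, so the service must own a certificate with a
    // private key even though only the client is being authenticated.
    public static ServiceHost CreateHost(Uri baseAddress, string serviceCertSubject)
    {
        var host = new ServiceHost(typeof(FilmManager), baseAddress);
        // The binding object is attached directly; no bindingConfiguration lookup can be missed.
        host.AddServiceEndpoint(typeof(IFilmManager), CreateBinding(overHttps: false), "manager");

        var clientAuth = host.Credentials.ClientCertificate.Authentication;
        // PeerTrust: accept only client certificates present in LocalMachine\TrustedPeople.
        clientAuth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        clientAuth.TrustedStoreLocation = StoreLocation.LocalMachine;

        // Service certificate (with private key) from LocalMachine\My; subject name is assumed.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, serviceCertSubject);
        return host;
    }

    // Client side: equivalent of <clientCredentials><clientCertificate .../>, plus the service
    // certificate the client encrypts to and a DNS identity matching that certificate's subject,
    // without which WCF rejects the endpoint at call time.
    public static ChannelFactory<IFilmManager> CreateClientFactory(
        Uri endpointUri, string clientCertThumbprint, X509Certificate2 serviceCert)
    {
        var identity = EndpointIdentity.CreateDnsIdentity(
            serviceCert.GetNameInfo(X509NameType.DnsName, false));
        var factory = new ChannelFactory<IFilmManager>(
            CreateBinding(overHttps: false), new EndpointAddress(endpointUri, identity));

        // Client private key lives in CurrentUser\My, as in the question; thumbprint is assumed.
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My,
            X509FindType.FindByThumbprint, clientCertThumbprint);

        // Public part of the service certificate; validated against CurrentUser\TrustedPeople.
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCert;
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;
        factory.Credentials.ServiceCertificate.Authentication.TrustedStoreLocation =
            StoreLocation.CurrentUser;
        return factory;
    }

    public static void Main()
    {
        // Placeholder base address and subject name; replace with your own values.
        var baseAddress = new Uri("http://localhost:8000/FilmService");
        using (var host = CreateHost(baseAddress, "film-service.example"))
        {
            host.Open();
            Console.WriteLine("Listening on " + baseAddress + "/manager");
            Console.ReadLine();
        }
    }
}
```

    Because PeerTrust matches the presented certificate exactly against the TrustedPeople store, the check to run when this fails is whether the client certificate's public part is in LocalMachine\TrustedPeople on the server and the service certificate's public part is in the trusted store the client consults; ChainTrust would instead require the issuing CA to be trusted.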

  • 2

    I was able to accomplish the same thing using a customBinding, as follows:

    <customBinding>
      <binding name="bindingName">
        <security authenticationMode="UserNameOverTransport" />
        <httpsTransport requireClientCertificate="true" />
      </binding>
    </customBinding>
    

    (I omitted the attributes that are not relevant to your case.)

    As for authenticationMode, I think you can use any of them; httpsTransport requireClientCertificate is the important part here.
