How can I control which elements are signed in a WCF SOAP request?

人盡茶涼 submitted on 2019-12-13 14:14:40

Question


I am creating a WCF client for a Java web service that is out of my control, and have run into a problem, in that the service returns an InvalidSecurity fault if the Timestamp header element is signed.

I am currently using the following SecurityBindingElement, but this automatically signs the Timestamp element. How can I stop this behaviour? More generally, how can I control which elements are signed and which aren't?

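using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;
using System.ServiceModel.Security.Tokens;
// Mutual-certificate binding with a signed UserName supporting token.
var version = MessageSecurityVersion.WSSecurity10WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
var sec = (AsymmetricSecurityBindingElement)SecurityBindingElement.CreateMutualCertificateBindingElement(version);
sec.EndpointSupportingTokenParameters.Signed.Add(new UserNameSecurityTokenParameters());
sec.MessageSecurityVersion = version;
sec.IncludeTimestamp = true; // adds the Timestamp header, which is then signed automatically
sec.MessageProtectionOrder = MessageProtectionOrder.EncryptBeforeSign;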

Answer 1:


In general you can control which elements get signed by implementing a custom endpoint behavior and in AddBindingParameters() do something like this:

ChannelProtectionRequirements requirements = bindingParameters.Find<ChannelProtectionRequirements>();
requirements.IncomingSignatureParts...

However, I don't see a way to remove an element in this API - only to add some. Maybe you can hack this with private reflection.

Also I'm not sure this will work for security. I think your only way is to either set "includeTimestamp" to false, in which case you will not send a timestamp to the client. If you must send a timestamp (unsigned) then still keep it false and create the timestamp yourself via a custom encoder. Should not be hard. Just watch out not to change anything else in the message if it is signed.




Answer 2:


Each element in your header can be tagged with [MessageHeader] - with this you can set the protection level.




Answer 3:


I'm unable to vote up the answer, but Chris's suggestion worked for me. I wanted to prevent signing the body (and thus expecting a signed response body). I went to my interface, and added the ProtectionLevel=None to every instance of the MessageBody attribute in my MessageContracts. Because none of the parts need to be signed, WCF skips signing the request body and doesn't expect the response body to be signed either. It still signs my header fields.
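
Added example, not part of the original answers: the two mechanisms described above side by side, with per-member `ProtectionLevel` on a message contract (answers 2 and 3) and an endpoint behavior that adds a header to the signed parts through `ChannelProtectionRequirements` (answer 1). The contract, its `urn:example:orders` namespace, and the choice of the WS-Addressing `To` header are assumptions made for illustration.

```csharp
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;
using System.Xml;

// Hypothetical contract: type names and namespace are placeholders.
[MessageContract]
public class OrderRequest
{
    // This header is signed but not encrypted.
    [MessageHeader(Namespace = "urn:example:orders", ProtectionLevel = ProtectionLevel.Sign)]
    public string CorrelationId;

    // The body member is neither signed nor encrypted.
    [MessageBodyMember(Namespace = "urn:example:orders", ProtectionLevel = ProtectionLevel.None)]
    public string Payload;
}

[MessageContract]
public class OrderResponse
{
    [MessageBodyMember(Namespace = "urn:example:orders", ProtectionLevel = ProtectionLevel.None)]
    public string Status;
}

[ServiceContract(Namespace = "urn:example:orders")]
public interface IOrderService
{
    [OperationContract]
    OrderResponse Submit(OrderRequest request);
}

// Adds one more header to the parts signed on client-to-server messages.
public class SignToHeaderBehavior : IEndpointBehavior
{
    public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters)
    {
        var requirements = bindingParameters.Find<ChannelProtectionRequirements>();
        if (requirements == null) return; // nothing to extend if no requirements were registered
        var to = new MessagePartSpecification(new XmlQualifiedName("To", "http://www.w3.org/2005/08/addressing"));
        requirements.IncomingSignatureParts.AddParts(to); // "Incoming" = client to server
    }
    public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) { }
    public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
    public void Validate(ServiceEndpoint endpoint) { }
}
```

The behavior is attached to the client endpoint (for example `factory.Endpoint.Behaviors.Add(new SignToHeaderBehavior())`) before the channel is opened.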



Source: https://stackoverflow.com/questions/10393541/how-can-i-control-which-elements-are-signed-in-a-wcf-soap-request
