DotNet关键知识点——WCF篇(六)
關(guān)于WCF消息通信的安全性論題。
1. 傳輸層面的安全性
一般方法:
binding單元中加security單元,security一般含mode屬性,一般將其設(shè)置為"Transport",隨后在security單元中加入transport單元,并對其參數(shù)作設(shè)置。(配置文件中單元名稱為起首小寫,對應(yīng)代碼中名稱為起首大寫)
傳輸層面安全性能夠保證信息私密和完整性,而其能力依賴于支持傳輸?shù)膮f(xié)議。
| Binding類型 | 使用 | 特性和說明 |
| basicHttpBinding | Security:類型BasicHttpSecurity Securty.Mode:類型BasicHttpSecurityMode,取值Message,None,Transport,TransportCredentialOnly,TransportWithMessageCredential Security.Transport:類型HttpTransportSecurity Security.Transport.ClientCredentialType:類型HttpClientCredentialType,取值Basic(明文發(fā)送credentials),Certificate,Digest(credentials傳輸前hash),None,Ntlm,Windows(客戶端Windows帳號) Security.Transport.ProxyCredentialType:類型HttpProxyCredentialType,取值Basic,Digest,None,Ntlm,Windows string Security.Transport.Realm:類型string | 目標(biāo)服務(wù)支持:ASMX v1, WSE apps; Basic Profile (WS-I); basic security profile WS-I。安全傳輸協(xié)議:HTTPS IIS兼容 唯一的默認(rèn)狀態(tài)下不開啟安全性的內(nèi)建綁定類型 |
| wsHttpBinding | Security:類型WSHttpSecurity Security.Mode:類型SecurityMode,取值None,Transport,Message,TransportWithMessageCredential Security.Transport同上 | 目標(biāo)服務(wù)支持:SOAP v1.2和WS-Addressing。安全傳輸協(xié)議:HTTPS |
| wsDualHttpBinding | / | 不支持傳輸層安全性配置(因需要兩側(cè)都有支持安全性的監(jiān)聽) |
| netTcpBinding | Security:類型NetTcpSecurity Security.Mode:類型SecurityMode Security.Transport:類型TcpTransportSecurity Security.Transport.ClientCredentialType:類型TcpClientCredentialType,取值Certificate,None,Windows(默認(rèn)) Security.Transport.ProtectionLevel:類型ProtectionLevel,取值EncryptAndSign(消息加密并簽名),None,Sign(僅簽名) | 基于TCP協(xié)議層 |
| netNamedPipeBinding | Security:類型NetNamedPipeSecurity Security.Mode:類型SecurityMode Security.Transport:類型TcpTransportSecurity | 基于命名管道,其配置類似于TCP綁定 |
| msmqIntegrationBinding | Security:類型MsmqIntegrationSecurit Security.Mode:類型MsmqIntegrationSecurityMode,取值None,Transport Security.Transport:類型MsmqTransportSecurity ~.MsmqAuthenticationMode:類型~,取值Certificate,None,WindowsDomain ~.MsmqEncryptionAlgorithm:類型~,取值A(chǔ)es, RC4Stream ~.MsmqProtectionLevel:類型ProtectionLevel ~.MsmqSecureHashAlgorithm:類型MsmqSecureHashAlgorithm,取值MDS,Sha1,Sha256,Sha512 | 整合非WCF的MSMQ端點(diǎn) 認(rèn)證模式:Certificate在非AD DS場合是僅有的提供認(rèn)證支持的方法 WCF必須能夠接入AD DS才能有效地加密信息。 EncryptionAlgorithm指定消息編碼算法,HashAlgorithm用于設(shè)置簽名的散列算法。 |
| netMsmqBinding | Security:類型NetMsmqSecurity Security.Mode:類型NetMsmqSecurityMode,取值None,Both,Message,Transport Security.Transport:類型MsmqTransportSecurity | ? |
基于HTTP的Binding采用SSL保證傳輸層面安全,其他的如基于TCP的綁定一般用ProtectionLevel屬性等設(shè)置加密簽名等安全特性。
關(guān)于SSL配置(詳細(xì)參考教材和相關(guān)文檔)
1. binding的security中將mode設(shè)為含Transport,其clientCredentialType可設(shè)為Windows;address中使用支持SSL的協(xié)議
2. 用makecert生成根證書(公/私鑰對),-n選項設(shè)置x509name,形如CN=…
3. 用certmgr將根證書加入Trusted Root Certificate Authority(在Server 2008嘗試,就直接用UI操作即可,其效果類同mmc中Certificates中選取Current User模式)
4. 用makecert根據(jù)根證書生成并安裝供localhost端口使用的certificate
5. 在mmc的Certificates管理Local Computer模式中找到以上安裝的證書,取出thumbprint
6. 用netsh http add sslcert為端口配置SSL,參數(shù)包括上述thumbprint和一個隨機(jī)任意的guid。
至此SSL傳輸配置完畢。
證書查看
在mmc中可以查看Local Computer(Administrator登錄)和User Account的Certificate,也可通過Internet Explorer的選項觀看證書。
參考:
Configuring Server Certificates in IIS: http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx
Install an Inernet Server Certificate (IIS 7): http://technet.microsoft.com/en-us/library/cc771816(WS.10).aspx
How to Configure a Port with an SSL Certificate: http://msdn.microsoft.com/en-us/library/ms733791.aspx
Working with Certificates: http://msdn.microsoft.com/en-us/library/ms731899.aspx
How to Create Temporary Certificates for Use During Development: http://msdn.microsoft.com/en-us/library/ms733813.aspx
Certificate Creation Tool (makecert.exe) http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
How to Use Transport Security with Message Credentials: http://msdn.microsoft.com/en-us/library/ms789011.aspx
2. 消息層面的安全性
1. 對消息本身加密,因此在端到端(或中繼)之外的流程消息也是加密的。
2. 支持對消息的各部分采用不同的加密策略;可對各部分加密,也可對整體加密。
3. 底層協(xié)議為WS-Security,因此具有協(xié)議無關(guān)性。
4. Credentials和消息一起提供(傳輸層面安全性則通過外部機(jī)制實(shí)現(xiàn)Credentials認(rèn)證,如握手和AD DS)
binding單元中加入security單元,和security單元并列加入message單元并設(shè)置其clientCredentialType屬性,包括:Certificate, IssueToken, None, UserName, Windows。消息層面安全過程和用戶層身份認(rèn)證聯(lián)系緊密,詳見下一節(jié)。
binding中的security設(shè)置:
binding的Security屬性上的Message屬性(呈XXXMessageSecurityYYY類型)和config文件中message對應(yīng)。
消息層面安全性的加密算法,message的algorithmSuite(WS-SecurityPolicy)
algorithmSuite描述算法屬性,包括:
Encryption type; Digest type…
Symmetric (always HmacSha1) / asymmetric (always RsaSha1) key signature
Symmetric / asymmetric key wrap
The computed key (always PSha1)
Maximum (always 256 bits) / minimum key lengths for symmetric key
Maximum (always 4096 bits) / minimum (always 1024) key lengths for asymmetric key
參考:http://fusesource.com/docs/framework/2.2/security/MsgProtect-SOAP-SpecifyAlgorithmSuite.html
algorithmSuite不支持隊列和命名管道相關(guān)bindings。
message的establishSecurityContext屬性(WS-SecureConversation)
默認(rèn)設(shè)置為true,用于C/S來回通信的安全環(huán)境保障,僅適用于WS-HTTP系列的部分bindings。
message的negotiateServiceCredential屬性
為消息層面安全建立而進(jìn)行的協(xié)商。當(dāng)設(shè)置為true,自動用Windows的SPNEGO協(xié)商;設(shè)為false時,當(dāng)clientCredentialType為None, UserName和Certificate時,Client采用Service端提供的certificate(serviceCredentials行為中serviceCertificate定義),當(dāng)為Windows時,必須在同一個域內(nèi),并使用Kerberos認(rèn)證。
僅適用于WS-HTTP系列的bindings。
綁定所支持的安全性模式:
| Binding | Transport Mode | Message Mode | Transport with MessageCredential |
| basicHttpBinding | Y | Y | Y (an additional ‘transport-credential only’ mode) |
| wsHttpBinding | Y | Y | Y |
| wsDualHttpBinding | N | Y | N |
| netTcpBinding | Y | Y | Y |
| netNamedPipeBinding | Y | N | N |
| netMsmqBinding | Y | Y | N? (an additional ‘Both’ mode) |
| msmqIntegrationBinding | Y | N | N |
| wsFederationBinding | N | Y | Y |
參考:見下一節(jié)。
3. 身份鑒定 (Authentication)
以下僅列出在配置文件中的聲明式配置,代碼配置可類似推導(dǎo)。
僅basicHttpBinding只支持UserName和Certificate方式。
| 方式 | 對應(yīng)憑據(jù)類型(MessageCredentialType類型) | 配置方法(service側(cè)配置文件) | 說明 |
| 無認(rèn)證 | None | ? | ? |
| Windows | Windows | 設(shè)置binding內(nèi)消息安全性的credentialType為"Windows" 行為配置(代碼為例):proxy.ClientCredentials.Windows .ClientCredential(用戶名、密碼、域信息), .AllowImpersonationLevel, .AllowNtlm | 當(dāng)實(shí)行(C/S)雙向認(rèn)證時,必須關(guān)閉AllowNtlm,因為只有Kerberos支持 是message默認(rèn)的clientCredentialType |
| 用戶名和密碼 | UserName | 設(shè)置:proxy.ClientCredentials.UserName .UserName, .Password | ? |
| X.509證書 | Certificate | 設(shè)置binding內(nèi)消息安全性的credentialType為"Certificate" 增加behavior設(shè)置(cfg為例)加入<serviceCredentials><serviceCertificate findValue=... x509FindType ... /> 或者調(diào)用host.Credentials.ServiceCertificate.SetCertificate (ServiceCertificate類型為X509CertificateRecipient???Credential,ClientCertificate為X509CertificateInitiator???Credential,???在host處為Service,proxy處為Client) | ? |
| 令牌發(fā)行 | IssuedToken | 在端點(diǎn)中增加:<identity><certificateReference findValue="…" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" /> 用于證明service的identity。 (storeName的可能值:AddressBook,AuthRoot,CertificateAuthority,Disallowed,My,Root,TrustedPeople,TrustedPublisher;x509FindType中DistinguishedName指嚴(yán)格匹配) 設(shè)置binding內(nèi)消息安全性的credentialType為"IssuedToken" 增加behavior設(shè)置,內(nèi)含<serviceCredentials><serviceCertificate .../>,采用的certificate同以上identity | 由第三方發(fā)行令牌,客戶端將令牌和請求一同發(fā)給服務(wù),服務(wù)再從該第三方獲得請求者信息 |
| 自定義認(rèn)證 | n/a | 1. message的clientCredentialType必須設(shè)為UserName,service必須因此而附一個含公/私鑰的certificate,其中公鑰用于讓client對UserName進(jìn)行加密傳送 2. 可繼承UserNamePasswordValidator創(chuàng)建一個認(rèn)證類,重載void Validate(un, pwd) throws SecurityTokenValidationException,并將其設(shè)置在serviceCredentials的userNameAuthentication中,userNamePasswordValidationMode改為Custom,用以替換Service默認(rèn)的對其進(jìn)行Windows認(rèn)證的行為 | ? |
參考:
Set the Security Mode: http://msdn.microsoft.com/en-us/library/ms731884.aspx
Message Security in WCF: http://msdn.microsoft.com/en-us/library/ms733137.aspx
How to Secure a Service with an?X.509 Certificate: http://msdn.microsoft.com/en-us/library/ms788968.aspx
ASP.NET的Membership Provider(不依賴于Windows Domain: http://msdn.microsoft.com/en-us/library/ms731049.aspx
Implementing Transport and Message Layer Security: http://msdn.microsoft.com/en-us/library/aa480582.aspx
Implementing Message Layer Security with Kerberos in WSE 3.0: http://msdn.microsoft.com/en-us/library/aa480577.aspx
Implementing Message Layer Security with X.509 Certificate in WSE 3.0: http://msdn.microsoft.com/en-us/library/aa480581.aspx; <x509> element:?http://msdn.microsoft.com/en-us/library/aa529251.aspx
Service Identity and Authentication: http://msdn.microsoft.com/en-us/library/ms733130.aspx; How to?Create a Custom Identity Verifier: http://msdn.microsoft.com/en-us/library/ms734778.aspx
How to Use?Separate X.509 Certificates for Signing and Encryption: http://msdn.microsoft.com/en-us/library/ms729856.aspx
How to Change the Cryptographic Provider for an X.509 Certificate's Private Key: http://msdn.microsoft.com/en-us/library/ms733772.aspx
How to Configure Credentials on a Federation Service: http://msdn.microsoft.com/en-us/library/ms730131.aspx; Federations and Issued Tokens: http://msdn.microsoft.com/en-us/library/ms731161.aspx; (Federation Overview: http://msdn.microsoft.com/en-us/library/ms730908.aspx)
How to?Use a Custom User Name and Password Validator: http://msdn.microsoft.com/en-us/library/aa702565.aspx
UserNamePasswordValidator Classhttp://msdn.microsoft.com/en-us/library/system.identitymodel.selectors.usernamepasswordvalidator.aspx
Overriding the Identity of a Service for Authentication: http://msdn.microsoft.com/en-us/library/bb628618.aspx
?4. 授權(quán) (Authorization)
不許可授權(quán)均拋出異常:SecurityException
方法1. 基于.NET CLR的Identity/Principal(Identity+Roles)
略
方法2. 基于主張的授權(quán)機(jī)制(Claims-based Authorization)
1. requester提供的安全令牌
2. administrator設(shè)定的配置、記錄信息等
3. service authorization manager做出決定
ServiceSecurityContext實(shí)例在OperationConext.Current.ServiceSecurityContext上提供。
實(shí)現(xiàn)IAuthorizationPolicy提供自定義的authorization policy(參見7. 定制Token)。
在serviceBehaviors中添加behavior,<serviceAuthorization principalPermissionMode=".../Custom" {roleProviderName="..."}><authorizationPolicies><add policyType="例如DemoService.SpecificRoleAuthorizationPolicy, DemoService"/>
Role Provider在<system.web>中添加<roleManager enabled="true" defaultProvider="..."><providers><add name="..." type="System.Web.Security.XXXProvider"?.../>
參考:
ASP.NET的Role Provider(不依賴于Windows Domain): http://msdn.microsoft.com/en-us/library/ms734774.aspx
ASP.NET的Authorization Manager Role Provider (AzManRoleProvider): http://msdn.microsoft.com/en-us/library/ms734774.aspx
Access Control Mechanisms: http://msdn.microsoft.com/en-us/library/ms733106.aspx
Managing Claims and Authorization with the Identity Model: http://msdn.microsoft.com/en-us/library/ms729851.aspx
Claims and Tokens: http://msdn.microsoft.com/en-us/library/aa347996.aspx
Claims Creation and Resource Values: http://msdn.microsoft.com/en-us/library/aa347788.aspx
How to Restrict Access with the PrinciplePermissionAttribute Class: http://msdn.microsoft.com/en-us/library/ms731200.aspx
How to Create a Custom Authorization Policy: http://msdn.microsoft.com/en-us/library/ms729794.aspx; ServiceAuthorizationManager Class: http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx
How to Create a Custom Principal Identity: http://msdn.microsoft.com/en-us/library/aa702720.aspx
5. 模仿(Impersonation)
模仿要求請求(request)具有一個Windows Identity
模仿級別:
None? - 未指定級別
Anonymous - 不發(fā)生任何模仿行為(服務(wù)無法得到客戶的身份信息)
Identification - 服務(wù)可以得到客戶的身份信息,但不能扮演客戶訪問信息
Impersonation - 服務(wù)可以扮演客戶訪問本地信息
Delegation - 服務(wù)可以扮演客戶訪問本地和遠(yuǎn)程信息
傳輸層面模仿
HTTP Authentication和基于SOAP的模仿
Basic - 僅支持Delegate,其余級別均提升到Delegate
Digest - Impersonate和Delegate
NTLM - 僅Delegate
Kerberos - 所有
使用模仿
請求必須具有一個Windows Identity
Declarative方式:
[OperationBehaviorAttribute(Impersonation=ImpersonationOption.???)]
Allowed - 僅在服務(wù)權(quán)限不夠時方援引模仿
Required - 服務(wù)總是使用模仿,甚至模仿造成權(quán)限下降
Imperative方式:
1. 從ServiceSecurityContext.Current.WindowsIdentity中得到WindowsIdentity實(shí)例
2. 調(diào)用WindowsIdentity實(shí)例上Impersonate()方法,獲得WindowsImpersonateContext實(shí)例(最好用using)
全局打開(服務(wù)行為設(shè)置):
1. 在ServiceHost實(shí)例中上:調(diào)用~.Description.Behavior.Find(),獲得ServiceAuthorizationBehavior實(shí)例behavior
2. behavior.ImpersionateCallerForAllOperations = true
Cached Token Impersonation: 客戶端使用Windows Credential或能映射到Windows Identity(ws...Binding, netTcpBinding?;basic...Binding需將security mode設(shè)為TransportWithMessageCredentials;custom binding需要開啟requireCancellation)
S4U Impersonation: 客戶端credential能映射到Windows Identity提供Kerberos提供的令牌(Token),令牌直接用于提供impersonation信息(ws...Binding, netTcpBinding;custom binding關(guān)閉requireCancellation, 用Windows或UserName credentials)。
參考:
How to Impersonate a Client on a Service: http://msdn.microsoft.com/en-us/library/ms731090.aspx
How to Create a Stateful Security Context Token for a Secure Session: http://msdn.microsoft.com/en-us/library/ms731814.aspx?(Stateful SCT不支持Impersonation,也必須使用一個含user profile的用戶帳號)
WindowsClientCredential.AllowedImpersonationLevel Property: http://msdn.microsoft.com/en-us/library/system.servicemodel.security.windowsclientcredential.allowedimpersonationlevel.aspx
Delegation and Impersonation with WCF: http://msdn.microsoft.com/en-us/library/ms730088.aspx
Impersonating the Client: http://msdn.microsoft.com/en-us/library/ms751513.aspx
6. 定制Credentials
ClientCredentials和SeviceCredentials : abstract SecurityCredentialsManager,需要實(shí)現(xiàn)CreateSecurityTokenManager方法。
ClientCredentials實(shí)例在client的endpoint behavior即client.ChannelFactory.Endpoint.Behaviors.Add添加;在config文件中添加:
需要先繼承ClientCredentialsElement,重載Properties,其中注冊自定義的元素屬性;重載CreateBehavior,其中調(diào)base.ApplyConfiguration應(yīng)用Credentials。隨后在<system.serviceModel><extensions><behaviorExtensions><add name=”%name%” type=”…類型說明…”/>中加入這個類型,然后在<endpointBehaviors><behavior><%name% 自定義元素屬性…>加載這個Credentials。
ServiceCredentials實(shí)例在service的behavior即ServiceHost實(shí)例.Description.Behaviors.Add添加;在config中添加類似,只是這個ServiceCredentialsElement在serviceCredentials中加載。
7. 定制Token
1. 繼承SecurityToken,重載SecurityKeys屬性,返回SecurityKey集合,SecurityKeys用于加密信息。
? (例如:繼承X509AsymmetricSecurityKey : .. : SecurityKeys可定制X509證書的加密模式,繼承X509SecurityToken : … : SecurityToken包裝該Key實(shí)例)
2. 繼承SecurityTokenParameters,描述SecurityToken,供WCF系統(tǒng)參考。繼承CloneCore, Support…,InitializeSecurityTokenRequirement(SecurityToken的類型,用于SecurityTokenProvider生成合適的Token實(shí)例),CreateKeyIdentifierClause(WCF引用SecurityToken實(shí)例時參考)
3. 繼承WSSecurityTokenSerializer創(chuàng)建Serializer已完成Token在通道中的轉(zhuǎn)換(Token隨同Message經(jīng)歷Pipeline),重載實(shí)現(xiàn)CanRead/WriteTokenCore,Read/WriteTokenCore。
4. 繼承SecurityTokenProvider,用于產(chǎn)生Token。重載實(shí)現(xiàn)GetTokenCore,提供對應(yīng)的SecurityToken的實(shí)例。
5. 繼承SecurityTokenAuthenticator,重載實(shí)現(xiàn)CanValidateTokenCore,ValidateTokenCore(返回ReadOnlyCollection<IAuthorizationPolicy>,其中加入Token的ClaimSet),用于鑒定解序列化后的Token。
??? 實(shí)現(xiàn)IAuthorizationPolicy接口定制授權(quán)策略,即上述需要返回的Policy。實(shí)現(xiàn)Id, Issuer屬性和Evaluate方法,Evaluate方法中EvaluationContext代表策略的結(jié)果,它往往包含一組ClaimSets。
6. 繼承ClientCredentialsSecurityTokenManager和ServiceCredentialsSecurityTokenManager,重載CreateSecurityTokenProvider/Authenticator和CreateSecurityTokenSerializer,產(chǎn)生上述的對象。
7. 繼承ClientCredentials和ServiceCredentials,重載CloneCore,CreateSecurityTokenManager,產(chǎn)生上述Manager。
8. 集成到Binding中:例如用Service的Certificate公鑰加密:
??? 創(chuàng)建SymmetricSecurityBindingElement實(shí)例(最終加入Binding):
?????? ~.EndpointSupportingTokenParameters.SignedEncrypted.Add(步驟2創(chuàng)建的Parameters對象)
?????? ~.ProtectionTokenParameters = X509SecurityTokenParameters實(shí)例
?????? ~.InclusionMode = SecurityTokenInclusionMode.Never
轉(zhuǎn)載于:https://www.cnblogs.com/quanben/archive/2010/04/09/3128922.html
總結(jié)
以上是生活随笔為你收集整理的DotNet关键知识点——WCF篇(六)的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 同花顺的数据格式总览(转帖)
- 下一篇: 最近在招标中评审出一个政府信息化软件