匿名客户端的消息安全

下面的方案演示通过 Windows Communication Foundation (WCF) 消息安全进行保护的客户端和服务。其设计目的是使用消息安全而非传输安全,以便将来可支持更加丰富的基于声明的模型。有关将丰富声明用于授权的更多信息,请参见使用标识模型管理声明和授权

有关示例应用程序,请参见匿名消息安全

匿名客户端的消息安全

特征 说明

安全模式

消息

互操作性

仅 WCF

身份验证(服务器)

初始协商要求服务器身份验证,而不是客户端身份验证

身份验证(客户端)

完整性

是,使用共享安全上下文

保密性

是,使用共享安全上下文

传输

HTTP

服务

下面的代码和配置应独立运行。执行下列操作之一:

  • 使用代码(而不使用配置)创建独立服务。

  • 使用提供的配置创建服务,但不定义任何终结点。

代码

下面的代码演示如何创建使用消息安全的服务终结点。

' Create the binding. 
Dim binding As New WSHttpBinding()
binding.Security.Mode = SecurityMode.Message
binding.Security.Message.ClientCredentialType = _
    MessageCredentialType.None

' Create the URI for the endpoint.
Dim httpUri As New Uri("https://localhost/Calculator")

' Create the service host and add an endpoint.
Dim myServiceHost As New ServiceHost(GetType(ServiceModel.Calculator), httpUri)
myServiceHost.AddServiceEndpoint(GetType(ServiceModel.ICalculator), binding, "")

' Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine, _
StoreName.My, X509FindType.FindByThumbprint, "00000000000000000000000000000000")

' Open the service.
myServiceHost.Open()
Console.WriteLine("Listening...")
Console.ReadLine()

' Close the service.
myServiceHost.Close()
// Create the binding. 
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.Message;
binding.Security.Message.ClientCredentialType =
    MessageCredentialType.None;

// Create the URI for the endpoint.
Uri httpUri = new Uri("https://localhost/Calculator");

// Create the service host and add an endpoint.
ServiceHost myServiceHost =
    new ServiceHost(typeof(ServiceModel.Calculator), httpUri);
myServiceHost.AddServiceEndpoint(
    typeof(ServiceModel.ICalculator), binding, "");

// Specify a certificate to authenticate the service.
myServiceHost.Credentials.ServiceCertificate.SetCertificate(
    StoreLocation.LocalMachine,
    StoreName.My,
    X509FindType.FindByThumbprint,
    "00000000000000000000000000000000");

// Open the service.
myServiceHost.Open();
Console.WriteLine("Listening...");
Console.ReadLine();

// Close the service.
myServiceHost.Close();

配置

以下配置可代替代码使用。服务行为元素用于指定用来向客户端验证服务身份的证书。服务元素必须使用 behaviorConfiguration 属性指定行为。绑定元素指定客户端凭据类型为 None,这将允许匿名客户端使用该服务。

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceCredentialsBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="contoso.com" 
                                storeLocation="LocalMachine"
                                storeName="My" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service behaviorConfiguration="ServiceCredentialsBehavior" 
               name="ServiceModel.Calculator">
        <endpoint address="https://localhost/Calculator" 
                  binding="wsHttpBinding"
                  bindingConfiguration="WSHttpBinding_ICalculator" 
                  name="CalculatorService"
                  contract="ServiceModel.ICalculator" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator" >
          <security mode="Message">
            <message clientCredentialType="None" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client />
  </system.serviceModel>
</configuration>

客户端

下面的代码和配置将独立运行。执行下列操作之一:

  • 使用代码(和客户端代码)创建独立客户端。

  • 创建不定义任何终结点地址的客户端。而使用将配置名称作为参数的客户端构造函数。例如:

    Dim cc As New CalculatorClient("EndpointConfigurationName")
    
    CalculatorClient cc = new CalculatorClient("EndpointConfigurationName");
    

代码

下面的代码创建客户端的一个实例。绑定使用消息模式安全,客户端凭据类型设置为 None。

' Create the binding.
Dim myBinding As New WSHttpBinding()
myBinding.Security.Mode = SecurityMode.Message
myBinding.Security.Message.ClientCredentialType = MessageCredentialType.None

' Create the endpoint address. 
Dim ea As New EndpointAddress("https://localhost/Calculator")

' Create the client. 
Dim cc As New CalculatorClient(myBinding, ea)

' Begin using the client.
Try
    cc.Open()

    Console.WriteLine(cc.Add(100, 11))
    Console.ReadLine()

    ' Close the client.
    cc.Close()
Catch tex As TimeoutException
    Console.WriteLine(tex.Message)
    cc.Abort()
Catch cex As CommunicationException
    Console.WriteLine(cex.Message)
    cc.Abort()
Finally
    Console.WriteLine("Closed the client")
    Console.ReadLine()
End Try
// Create the binding.
WSHttpBinding myBinding = new WSHttpBinding();
myBinding.Security.Mode = SecurityMode.Message;
myBinding.Security.Message.ClientCredentialType =
    MessageCredentialType.None;

// Create the endpoint address. 
EndpointAddress ea = new
    EndpointAddress("https://localhost/Calculator");

// Create the client. 
CalculatorClient cc =
    new CalculatorClient(myBinding, ea);

// Begin using the client.
try
{
    cc.Open();
    Console.WriteLine(cc.Add(200, 1111));
    Console.ReadLine();

    // Close the client.
    cc.Close();
}

配置

下面的代码将配置客户端。

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_ICalculator" >
          <security mode="Message">
            <message clientCredentialType="None" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <client>
      <endpoint address="http://machineName/Calculator"
        binding="wsHttpBinding"
        bindingConfiguration="WSHttpBinding_ICalculator" 
        contract="ICalculator"
        name="WSHttpBinding_ICalculator">
        <identity>
          <dns value="contoso.com" />
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>

另请参见

任务

匿名消息安全

概念

安全性概述
分布式应用程序安全
服务标识和身份验证

其他资源

Windows Server App Fabric 的安全模型