我有一个使用NetTcpBinding、消息安全和用户名验证的WCF服务。之前我使用的是WsHttpBinding,但我转换到了NetTcp,因为我可以使用回调函数。
我的服务配置如下:
<service behaviorConfiguration="WcfServiceLibrary1.ServiceBehavior" name="WcfServiceLibrary1.Service">
<endpoint
address="net.tcp://localhost:9000/Design_Time_Addresses/WcfServiceLibrary1/Service/"
binding="netTcpBinding"
bindingConfiguration="NetTCPbinding"
contract="WcfServiceLibrary1.IService"
name="NetTCPBinding">
</endpoint>
<host>
<baseAddresses>
<add baseAddress="http://localhost:8732/Design_Time_Addresses/WcfServiceLibrary1/Service/" />
</baseAddresses>
</host>
</service>
</services>
<bindings>
<netTcpBinding>
<binding name="NetTCPbinding">
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</netTcpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="WcfServiceLibrary1.ServiceBehavior">
<serviceCredentials>
<serviceCertificate findValue="ServerCert"
storeLocation="CurrentUser"
storeName="TrustedPeople"
x509FindType="FindBySubjectName" />
<userNameAuthentication
userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="CustomMembershipProvider" />
</serviceCredentials>
<!-- To avoid disclosing metadata information,
set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="True" />
<!-- To receive exception details in faults for debugging purposes,
set the value below to true. Set to false before deployment
to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="MyRoleProvider" />
<!-- Logs when an authentication failure -->
<serviceSecurityAudit auditLogLocation="Application"
suppressAuditFailure="true"
serviceAuthorizationAuditLevel="Failure"
messageAuthenticationAuditLevel="SuccessOrFailure" />
</behavior>
</serviceBehaviors>
</behaviors>
我假设服务凭据- 在这种情况下是证书- 被用于让服务对发送给客户端的所有数据进行签名,以便客户端可以知道它正在与正确的服务通信。
客户端配置如下:
<behaviors>
<endpointBehaviors>
<behavior name="messageSecurityBehavior">
<clientCredentials>
<clientCertificate storeLocation="CurrentUser"
storeName="TrustedPeople"
x509FindType="FindBySubjectName"
findValue="ClientCert" />
<serviceCertificate>
<authentication certificateValidationMode="None" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<netTcpBinding>
<binding name="NetTCPBinding" closeTimeout="00:01:00" openTimeout="00:01:00"
receiveTimeout="00:10:00" sendTimeout="00:01:00" transactionFlow="false"
transferMode="Buffered" transactionProtocol="OleTransactions"
hostNameComparisonMode="StrongWildcard" listenBacklog="10"
maxBufferPoolSize="524288" maxBufferSize="65536" maxConnections="10"
maxReceivedMessageSize="65536">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="Message">
<transport clientCredentialType="Windows" protectionLevel="EncryptAndSign" />
<message clientCredentialType="UserName" />
</security>
</binding>
</netTcpBinding>
</bindings>
<client>
<endpoint address="net.tcp://localhost:9000/Design_Time_Addresses/WcfServiceLibrary1/Service/"
binding="netTcpBinding" bindingConfiguration="NetTCPBinding"
contract="IService" name="NetTCPBinding" behaviorConfiguration="messageSecurityBehavior">
<identity>
<certificate encodedValue="AwAAAAEAAAAUAAAAQerRMlEg2a66HMxD/8El6LutassgAAAAAQAAAOwBAAAwggHoMIIBVaADAgECAhAzOWVhNWUzM2Y5MzUwNzFhMAkGBSsOAwIdBQAwIjELMAkGA1UEBhMCVVMxEzARBgNVBAMTClNlcnZlckNlcnQwHhcNMTIwMTE3MTk1NDQ2WhcNMjUwOTI1MTk1NDQ2WjAiMQswCQYDVQQGEwJVUzETMBEGA1UEAxMKU2VydmVyQ2VydDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAs6SaYi3pDDIOuXeCe7HgOOTvOpwajKdxM8MzZpkK3l+DqkriMQUx9DT5I9WZvNK5FMuorLueG5adWkTgWpvttC7Sp8CJ//A+PbPewiAU4L3Txln6dX3jHZFd99LY/58/2AzY8ln2NykQFzz1DdmVeyShG9ktVsX82Ogz60lzpeUCAwEAAaMnMCUwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDgYDVR0PBAcDBQD6AAAAMAkGBSsOAwIdBQADgYEAMGQ7fIW34CYjybCc0gWOLaxeRFiNHmX/dgxqPIWGgg3uc0avz1GHJ3uMHcPAZBKcw9QpbccALpqZxZzkDBxufWjRni+8XCzeAKUqaB7XaJTYYUYBbz7/2+EuaAw7/vF4JTtZGWhPkHZZcX5+Oyo2ktK0z24MfXP2Ggy+IsQJ2JM=" />
</identity>
</endpoint>
</client>
所有这些都运行良好。我已经了解到服务证书用于加密客户端凭据和消息。那么我们为什么需要AlgorithmSuite中指定的算法呢?它加密了什么内容?
我需要充分理解这个问题,这样我才能在我的论文中进行解释。