All geek questions in one place

WCF Credential Implementation Details

I am looking for some technical details about where the actual username + password (credentials) is stored during messaging using the WCF binding, as shown below.

<bindings>
    <wsHttpBinding>
        <binding name="wsHttp">
            <security mode="TransportWithMessageCredential">
                <transport/>
                <message clientCredentialType="UserName" 
                         negotiateServiceCredential="false" 
                         establishSecurityContext="true" />
            </security>
        </binding>
    </wsHttpBinding>
</bindings>

Then, inside the client application, I call this service, passing in a valid set of such as

using (SupplierServiceClient client = new SupplierServiceClient()) {
            client.ClientCredentials.UserName.UserName = "admin";
            client.ClientCredentials.UserName.Password = "password";

            SupplierList = client.GetSupplierCollection();
}

At first, I suggested that WCF takes this data and puts it in the SOAP header, but it doesn’t look like this from the WSDL ... any help?

Edit

The following shows what the security configuration for the client looks like during the manufacturing process.

<security mode="TransportWithMessageCredential">
    <transport clientCredentialType="None" />
    <message clientCredentialType="UserName" establishSecurityContext="false" />
</security>
+3
source share
2 answers

UserNameCredentials, . , SOAP. SOAP :

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <env:Header>
        <wsse:UsernameToken>
            <wsse:Username>jdoe</wsse:Username>
            <wsse:Password>passw0rd</wsse:Password>
            <wsse:Nonce><!-- optional nonce here --></wsse:Nonce>
        </wsse:UsernameToken>
    </env:Header>
    <env:Body>
        <!-- body here -->
    </env:Body>
</env:Envelope>

, WSDL. WSDL, WSDL WS-Policy . WSDL , UserPasswordToken .

, - RequestSecurityToken (RST), () RST, UsernameToken. , RST , Secure Token Server (STS) WS-Trust.

+3

SOAP-:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:01d3a7d2-dc5a-42cf-acf0-3dd6bd50230e</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">http://localhost:9999/Service1.svc</a:To>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken Context="uuid-7c240c06-c14b-42af-82dd-10f44f423928-1" xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:KeySize>256</t:KeySize>
      <t:BinaryExchange ValueType="http://schemas.xmlsoap.org/ws/2005/02/trust/spnego" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">YGsGBisGAQUFAqBhMF+gJDAiBgorBgEEAYI3AgIKBgkqhkiC9xIBAgIGCSqGSIb3EgECAqI3BDVOVExNU1NQAAEAAAC3shjiBgAGAC8AAAAHAAcAKAAAAAUBKAoAAAAPU0cyMjA1Nk1BVE1VVA==</t:BinaryExchange>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
0

Source: https://habr.com/ru/post/1721296/

More articles:


All Articles