关于WCF消息通信的安全性论题。
1. 传输层面的安全性
一般方法:
binding单元中加security单元,security一般含mode属性,一般将其设置为"Transport",随后在security单元中加入transport单元,并对其参数作设置。(配置文件中单元名称为起首小写,对应代码中名称为起首大写)
传输层面安全性能够保证信息私密和完整性,而其能力依赖于支持传输的协议。
| Binding类型 | 使用 | 特性和说明 |
| basicHttpBinding | Security:类型BasicHttpSecurity Securty.Mode:类型BasicHttpSecurityMode,取值Message,None,Transport,TransportCredentialOnly,TransportWithMessageCredential Security.Transport:类型HttpTransportSecurity Security.Transport.ClientCredentialType:类型HttpClientCredentialType,取值Basic(明文发送credentials),Certificate,Digest(credentials传输前hash),None,Ntlm,Windows(客户端Windows帐号) Security.Transport.ProxyCredentialType:类型HttpProxyCredentialType,取值Basic,Digest,None,Ntlm,Windows string Security.Transport.Realm:类型string | 目标服务支持:ASMX v1, WSE apps; Basic Profile (WS-I); basic security profile WS-I。安全传输协议:HTTPS IIS兼容 唯一的默认状态下不开启安全性的内建绑定类型 |
| wsHttpBinding | Security:类型WSHttpSecurity Security.Mode:类型SecurityMode,取值None,Transport,Message,TransportWithMessageCredential Security.Transport同上 | 目标服务支持:SOAP v1.2和WS-Addressing。安全传输协议:HTTPS |
| wsDualHttpBinding | / | 不支持传输层安全性配置(因需要两侧都有支持安全性的监听) |
| netTcpBinding | Security:类型NetTcpSecurity Security.Mode:类型SecurityMode Security.Transport:类型TcpTransportSecurity Security.Transport.ClientCredentialType:类型TcpClientCredentialType,取值Certificate,None,Windows(默认) Security.Transport.ProtectionLevel:类型ProtectionLevel,取值EncryptAndSign(消息加密并签名),None,Sign(仅签名) | 基于TCP协议层 |
| netNamedPipeBinding | Security:类型NetNamedPipeSecurity Security.Mode:类型SecurityMode Security.Transport:类型TcpTransportSecurity | 基于命名管道,其配置类似于TCP绑定 |
| msmqIntegrationBinding | Security:类型MsmqIntegrationSecurit Security.Mode:类型MsmqIntegrationSecurityMode,取值None,Transport Security.Transport:类型MsmqTransportSecurity ~.MsmqAuthenticationMode:类型~,取值Certificate,None,WindowsDomain ~.MsmqEncryptionAlgorithm:类型~,取值Aes, RC4Stream ~.MsmqProtectionLevel:类型ProtectionLevel ~.MsmqSecureHashAlgorithm:类型MsmqSecureHashAlgorithm,取值MDS,Sha1,Sha256,Sha512 | 整合非WCF的MSMQ端点 认证模式:Certificate在非AD DS场合是仅有的提供认证支持的方法 WCF必须能够接入AD DS才能有效地加密信息。 EncryptionAlgorithm指定消息编码算法,HashAlgorithm用于设置签名的散列算法。 |
| netMsmqBinding | Security:类型NetMsmqSecurity Security.Mode:类型NetMsmqSecurityMode,取值None,Both,Message,Transport Security.Transport:类型MsmqTransportSecurity |
基于HTTP的Binding采用SSL保证传输层面安全,其他的如基于TCP的绑定一般用ProtectionLevel属性等设置加密签名等安全特性。
关于SSL配置(详细参考教材和相关文档)
1. binding的security中将mode设为含Transport,其clientCredentialType可设为Windows;address中使用支持SSL的协议
2. 用makecert生成根证书(公/私钥对),-n选项设置x509name,形如CN=…
3. 用certmgr将根证书加入Trusted Root Certificate Authority(在Server 2008尝试,就直接用UI操作即可,其效果类同mmc中Certificates中选取Current User模式)
4. 用makecert根据根证书生成并安装供localhost端口使用的certificate
5. 在mmc的Certificates管理Local Computer模式中找到以上安装的证书,取出thumbprint
6. 用netsh http add sslcert为端口配置SSL,参数包括上述thumbprint和一个随机任意的guid。
至此SSL传输配置完毕。
证书查看
在mmc中可以查看Local Computer(Administrator登录)和User Account的Certificate,也可通过Internet Explorer的选项观看证书。
参考:
Configuring Server Certificates in IIS: http://technet.microsoft.com/en-us/library/cc732230(WS.10).aspx
Install an Inernet Server Certificate (IIS 7): http://technet.microsoft.com/en-us/library/cc771816(WS.10).aspx
How to Configure a Port with an SSL Certificate: http://msdn.microsoft.com/en-us/library/ms733791.aspx
Working with Certificates: http://msdn.microsoft.com/en-us/library/ms731899.aspx
How to Create Temporary Certificates for Use During Development: http://msdn.microsoft.com/en-us/library/ms733813.aspx
Certificate Creation Tool (makecert.exe) http://msdn.microsoft.com/en-us/library/bfsktky3(VS.80).aspx
How to Use Transport Security with Message Credentials: http://msdn.microsoft.com/en-us/library/ms789011.aspx
2. 消息层面的安全性
1. 对消息本身加密,因此在端到端(或中继)之外的流程消息也是加密的。
2. 支持对消息的各部分采用不同的加密策略;可对各部分加密,也可对整体加密。
3. 底层协议为WS-Security,因此具有协议无关性。
4. Credentials和消息一起提供(传输层面安全性则通过外部机制实现Credentials认证,如握手和AD DS)
binding单元中加入security单元,和security单元并列加入message单元并设置其clientCredentialType属性,包括:Certificate, IssueToken, None, UserName, Windows。消息层面安全过程和用户层身份认证联系紧密,详见下一节。
binding中的security设置:
binding的Security属性上的Message属性(呈XXXMessageSecurityYYY类型)和config文件中message对应。
消息层面安全性的加密算法,message的algorithmSuite(WS-SecurityPolicy)
algorithmSuite描述算法属性,包括:
Encryption type; Digest type…
Symmetric (always HmacSha1) / asymmetric (always RsaSha1) key signature
Symmetric / asymmetric key wrap
The computed key (always PSha1)
Maximum (always 256 bits) / minimum key lengths for symmetric key
Maximum (always 4096 bits) / minimum (always 1024) key lengths for asymmetric key
参考:http://fusesource.com/docs/framework/2.2/security/MsgProtect-SOAP-SpecifyAlgorithmSuite.html
algorithmSuite不支持队列和命名管道相关bindings。
message的establishSecurityContext属性(WS-SecureConversation)
默认设置为true,用于C/S来回通信的安全环境保障,仅适用于WS-HTTP系列的部分bindings。
message的negotiateServiceCredential属性
为消息层面安全建立而进行的协商。当设置为true,自动用Windows的SPNEGO协商;设为false时,当clientCredentialType为None, UserName和Certificate时,Client采用Service端提供的certificate(serviceCredentials行为中serviceCertificate定义),当为Windows时,必须在同一个域内,并使用Kerberos认证。
仅适用于WS-HTTP系列的bindings。
绑定所支持的安全性模式:
| Binding | Transport Mode | Message Mode | Transport with MessageCredential |
| basicHttpBinding | Y | Y | Y (an additional ‘transport-credential only’ mode) |
| wsHttpBinding | Y | Y | Y |
| wsDualHttpBinding | N | Y | N |
| netTcpBinding | Y | Y | Y |
| netNamedPipeBinding | Y | N | N |
| netMsmqBinding | Y | Y | N (an additional ‘Both’ mode) |
| msmqIntegrationBinding | Y | N | N |
| wsFederationBinding | N | Y | Y |
参考:见下一节。
3. 身份鉴定 (Authentication)
以下仅列出在配置文件中的声明式配置,代码配置可类似推导。
仅basicHttpBinding只支持UserName和Certificate方式。
| 方式 | 对应凭据类型(MessageCredentialType类型) | 配置方法(service侧配置文件) | 说明 |
| 无认证 | None | ||
| Windows | Windows | 设置binding内消息安全性的credentialType为"Windows" 行为配置(代码为例):proxy.ClientCredentials.Windows .ClientCredential(用户名、密码、域信息), .AllowImpersonationLevel, .AllowNtlm | 当实行(C/S)双向认证时,必须关闭AllowNtlm,因为只有Kerberos支持 是message默认的clientCredentialType |
| 用户名和密码 | UserName | 设置:proxy.ClientCredentials.UserName .UserName, .Password | |
| X.509证书 | Certificate | 设置binding内消息安全性的credentialType为"Certificate" 增加behavior设置(cfg为例)加入<serviceCredentials><serviceCertificate findValue=... x509FindType ... /> 或者调用host.Credentials.ServiceCertificate.SetCertificate (ServiceCertificate类型为X509CertificateRecipient???Credential,ClientCertificate为X509CertificateInitiator???Credential,???在host处为Service,proxy处为Client) | |
| 令牌发行 | IssuedToken | 在端点中增加:<identity><certificateReference findValue="…" x509FindType="FindByThumbprint" storeLocation="LocalMachine" storeName="My" /> 用于证明service的identity。 (storeName的可能值:AddressBook,AuthRoot,CertificateAuthority,Disallowed,My,Root,TrustedPeople,TrustedPublisher;x509FindType中DistinguishedName指严格匹配) 设置binding内消息安全性的credentialType为"IssuedToken" 增加behavior设置,内含<serviceCredentials><serviceCertificate .../>,采用的certificate同以上identity | 由第三方发行令牌,客户端将令牌和请求一同发给服务,服务再从该第三方获得请求者信息 |
| 自定义认证 | n/a | 1. message的clientCredentialType必须设为UserName,service必须因此而附一个含公/私钥的certificate,其中公钥用于让client对UserName进行加密传送 2. 可继承UserNamePasswordValidator创建一个认证类,重载void Validate(un, pwd) throws SecurityTokenValidationException,并将其设置在serviceCredentials的userNameAuthentication中,userNamePasswordValidationMode改为Custom,用以替换Service默认的对其进行Windows认证的行为 |
参考:
Set the Security Mode: http://msdn.microsoft.com/en-us/library/ms731884.aspx
Message Security in WCF: http://msdn.microsoft.com/en-us/library/ms733137.aspx
How to Secure a Service with an X.509 Certificate: http://msdn.microsoft.com/en-us/library/ms788968.aspx
ASP.NET的Membership Provider(不依赖于Windows Domain: http://msdn.microsoft.com/en-us/library/ms731049.aspx
Implementing Transport and Message Layer Security: http://msdn.microsoft.com/en-us/library/aa480582.aspx
Implementing Message Layer Security with Kerberos in WSE 3.0: http://msdn.microsoft.com/en-us/library/aa480577.aspx
Implementing Message Layer Security with X.509 Certificate in WSE 3.0: http://msdn.microsoft.com/en-us/library/aa480581.aspx; <x509> element: http://msdn.microsoft.com/en-us/library/aa529251.aspx
Service Identity and Authentication: http://msdn.microsoft.com/en-us/library/ms733130.aspx; How to Create a Custom Identity Verifier: http://msdn.microsoft.com/en-us/library/ms734778.aspx
How to Use Separate X.509 Certificates for Signing and Encryption: http://msdn.microsoft.com/en-us/library/ms729856.aspx
How to Change the Cryptographic Provider for an X.509 Certificate's Private Key: http://msdn.microsoft.com/en-us/library/ms733772.aspx
How to Configure Credentials on a Federation Service: http://msdn.microsoft.com/en-us/library/ms730131.aspx; Federations and Issued Tokens: http://msdn.microsoft.com/en-us/library/ms731161.aspx; (Federation Overview: http://msdn.microsoft.com/en-us/library/ms730908.aspx)
How to Use a Custom User Name and Password Validator: http://msdn.microsoft.com/en-us/library/aa702565.aspx
UserNamePasswordValidator Classhttp://msdn.microsoft.com/en-us/library/system.identitymodel.selectors.usernamepasswordvalidator.aspx
Overriding the Identity of a Service for Authentication: http://msdn.microsoft.com/en-us/library/bb628618.aspx
4. 授权 (Authorization)
不许可授权均抛出异常:SecurityException
方法1. 基于.NET CLR的Identity/Principal(Identity+Roles)
略
方法2. 基于主张的授权机制(Claims-based Authorization)
1. requester提供的安全令牌
2. administrator设定的配置、记录信息等
3. service authorization manager做出决定
ServiceSecurityContext实例在OperationConext.Current.ServiceSecurityContext上提供。
实现IAuthorizationPolicy提供自定义的authorization policy(参见7. 定制Token)。
在serviceBehaviors中添加behavior,<serviceAuthorization principalPermissionMode=".../Custom" {roleProviderName="..."}><authorizationPolicies><add policyType="例如DemoService.SpecificRoleAuthorizationPolicy, DemoService"/>
Role Provider在<system.web>中添加<roleManager enabled="true" defaultProvider="..."><providers><add name="..." type="System.Web.Security.XXXProvider" .../>
参考:
ASP.NET的Role Provider(不依赖于Windows Domain): http://msdn.microsoft.com/en-us/library/ms734774.aspx
ASP.NET的Authorization Manager Role Provider (AzManRoleProvider): http://msdn.microsoft.com/en-us/library/ms734774.aspx
Access Control Mechanisms: http://msdn.microsoft.com/en-us/library/ms733106.aspx
Managing Claims and Authorization with the Identity Model: http://msdn.microsoft.com/en-us/library/ms729851.aspx
Claims and Tokens: http://msdn.microsoft.com/en-us/library/aa347996.aspx
Claims Creation and Resource Values: http://msdn.microsoft.com/en-us/library/aa347788.aspx
How to Restrict Access with the PrinciplePermissionAttribute Class: http://msdn.microsoft.com/en-us/library/ms731200.aspx
How to Create a Custom Authorization Policy: http://msdn.microsoft.com/en-us/library/ms729794.aspx; ServiceAuthorizationManager Class: http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx
How to Create a Custom Principal Identity: http://msdn.microsoft.com/en-us/library/aa702720.aspx
5. 模仿(Impersonation)
模仿要求请求(request)具有一个Windows Identity
模仿级别:
None - 未指定级别
Anonymous - 不发生任何模仿行为(服务无法得到客户的身份信息)
Identification - 服务可以得到客户的身份信息,但不能扮演客户访问信息
Impersonation - 服务可以扮演客户访问本地信息
Delegation - 服务可以扮演客户访问本地和远程信息
传输层面模仿
HTTP Authentication和基于SOAP的模仿
Basic - 仅支持Delegate,其余级别均提升到Delegate
Digest - Impersonate和Delegate
NTLM - 仅Delegate
Kerberos - 所有
使用模仿
请求必须具有一个Windows Identity
Declarative方式:
[OperationBehaviorAttribute(Impersonation=ImpersonationOption.???)]
Allowed - 仅在服务权限不够时方援引模仿
Required - 服务总是使用模仿,甚至模仿造成权限下降
Imperative方式:
1. 从ServiceSecurityContext.Current.WindowsIdentity中得到WindowsIdentity实例
2. 调用WindowsIdentity实例上Impersonate()方法,获得WindowsImpersonateContext实例(最好用using)
全局打开(服务行为设置):
1. 在ServiceHost实例中上:调用~.Description.Behavior.Find(),获得ServiceAuthorizationBehavior实例behavior
2. behavior.ImpersionateCallerForAllOperations = true
Cached Token Impersonation: 客户端使用Windows Credential或能映射到Windows Identity(ws...Binding, netTcpBinding ;basic...Binding需将security mode设为TransportWithMessageCredentials;custom binding需要开启requireCancellation)
S4U Impersonation: 客户端credential能映射到Windows Identity提供Kerberos提供的令牌(Token),令牌直接用于提供impersonation信息(ws...Binding, netTcpBinding;custom binding关闭requireCancellation, 用Windows或UserName credentials)。
参考:
How to Impersonate a Client on a Service: http://msdn.microsoft.com/en-us/library/ms731090.aspx
How to Create a Stateful Security Context Token for a Secure Session: http://msdn.microsoft.com/en-us/library/ms731814.aspx (Stateful SCT不支持Impersonation,也必须使用一个含user profile的用户帐号)
WindowsClientCredential.AllowedImpersonationLevel Property: http://msdn.microsoft.com/en-us/library/system.servicemodel.security.windowsclientcredential.allowedimpersonationlevel.aspx
Delegation and Impersonation with WCF: http://msdn.microsoft.com/en-us/library/ms730088.aspx
Impersonating the Client: http://msdn.microsoft.com/en-us/library/ms751513.aspx
6. 定制Credentials
ClientCredentials和SeviceCredentials : abstract SecurityCredentialsManager,需要实现CreateSecurityTokenManager方法。
ClientCredentials实例在client的endpoint behavior即client.ChannelFactory.Endpoint.Behaviors.Add添加;在config文件中添加:
需要先继承ClientCredentialsElement,重载Properties,其中注册自定义的元素属性;重载CreateBehavior,其中调base.ApplyConfiguration应用Credentials。随后在<system.serviceModel><extensions><behaviorExtensions><add name=”%name%” type=”…类型说明…”/>中加入这个类型,然后在<endpointBehaviors><behavior><%name% 自定义元素属性…>加载这个Credentials。
ServiceCredentials实例在service的behavior即ServiceHost实例.Description.Behaviors.Add添加;在config中添加类似,只是这个ServiceCredentialsElement在serviceCredentials中加载。
7. 定制Token
1. 继承SecurityToken,重载SecurityKeys属性,返回SecurityKey集合,SecurityKeys用于加密信息。
(例如:继承X509AsymmetricSecurityKey : .. : SecurityKeys可定制X509证书的加密模式,继承X509SecurityToken : … : SecurityToken包装该Key实例)
2. 继承SecurityTokenParameters,描述SecurityToken,供WCF系统参考。继承CloneCore, Support…,InitializeSecurityTokenRequirement(SecurityToken的类型,用于SecurityTokenProvider生成合适的Token实例),CreateKeyIdentifierClause(WCF引用SecurityToken实例时参考)
3. 继承WSSecurityTokenSerializer创建Serializer已完成Token在通道中的转换(Token随同Message经历Pipeline),重载实现CanRead/WriteTokenCore,Read/WriteTokenCore。
4. 继承SecurityTokenProvider,用于产生Token。重载实现GetTokenCore,提供对应的SecurityToken的实例。
5. 继承SecurityTokenAuthenticator,重载实现CanValidateTokenCore,ValidateTokenCore(返回ReadOnlyCollection<IAuthorizationPolicy>,其中加入Token的ClaimSet),用于鉴定解序列化后的Token。
实现IAuthorizationPolicy接口定制授权策略,即上述需要返回的Policy。实现Id, Issuer属性和Evaluate方法,Evaluate方法中EvaluationContext代表策略的结果,它往往包含一组ClaimSets。
6. 继承ClientCredentialsSecurityTokenManager和ServiceCredentialsSecurityTokenManager,重载CreateSecurityTokenProvider/Authenticator和CreateSecurityTokenSerializer,产生上述的对象。
7. 继承ClientCredentials和ServiceCredentials,重载CloneCore,CreateSecurityTokenManager,产生上述Manager。
8. 集成到Binding中:例如用Service的Certificate公钥加密:
创建SymmetricSecurityBindingElement实例(最终加入Binding):
~.EndpointSupportingTokenParameters.SignedEncrypted.Add(步骤2创建的Parameters对象)
~.ProtectionTokenParameters = X509SecurityTokenParameters实例
~.InclusionMode = SecurityTokenInclusionMode.Never
