C# 用户名安全性不工作的WCF服务_C#_Web Services_Wcf_Soap_Ws Security

C# 用户名安全性不工作的WCF服务

c# web-services wcf soap

C# 用户名安全性不工作的WCF服务,c#,web-services,wcf,soap,ws-security,C#,Web Services,Wcf,Soap,Ws Security,我以前很少创建wcf服务，但从未实现过安全性。现在我正在尝试为我的wcf服务实现用户名安全性。经过研究，使用wsHttpBinding在服务上实现了安全性。但是，当我尝试使用SOAPUI工具测试服务时，我收到一些奇怪的消息，无法找到问题所在。请帮我找出这里出了什么问题这是我的验证课 namespace WDARProductsService { public class MyAuthentication : UserNamePasswordValidator {

我以前很少创建wcf服务，但从未实现过安全性。现在我正在尝试为我的wcf服务实现用户名安全性。经过研究，使用wsHttpBinding在服务上实现了安全性。但是，当我尝试使用SOAPUI工具测试服务时，我收到一些奇怪的消息，无法找到问题所在。请帮我找出这里出了什么问题

这是我的验证课

namespace WDARProductsService
{
    public class MyAuthentication : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrWhiteSpace(userName))
                throw new SecurityTokenException("userName required");

            if (string.IsNullOrWhiteSpace(password))
                throw new SecurityTokenException("password required");

            if (userName.ToLower() != "someusername" && password != "somepassword")
                throw new FaultException("userName and/or password is invalid.");
        }
    }
}

这是我的wcf配置

 <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="svcbhvr1">
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WDARProductsService.MyAuthentication, WDARProductsService"/>
            <serviceCertificate findValue="WDARProdService"
                          storeLocation="LocalMachine"
                          storeName="Root"
                          x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <bindings>
      <wsHttpBinding>
        <binding name="wshbinding">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <services>
      <service name="WDARProductsService.ProductService" behaviorConfiguration="svcbhvr1">
        <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wshbinding" contract="WDARProductsService.IProductService" ></endpoint>
      </service>
    </services>

    <serviceHostingEnvironment aspNetCompatibilityEnabled="false" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

这是我从SOAPUI发送的SOAP消息

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tem="http://tempuri.org/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="UsernameToken-38DE8B83BF5FAA37EE13984444482027">
        <wsse:Username>someusername</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">somepassword</wsse:Password>
        <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">vkis9SvbH3lnvdNWR/L5nA==</wsse:Nonce>
        <wsu:Created>2014-04-25T16:47:28.202Z</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <tem:GetProducts>
    </tem:GetProducts>
  </soap:Body>
</soap:Envelope>

这是来自服务器的响应

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
   </s:Header>
   <s:Body>
      <s:Fault>
         <s:Code>
            <s:Value>s:Sender</s:Value>
            <s:Subcode>
               <s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>
            </s:Subcode>
         </s:Code>
         <s:Reason>
            <s:Text xml:lang="en-US">The message could not be processed. This is most likely because the action 'http://tempuri.org/IProductService/GetProducts' is incorrect or because the message contains an invalid or expired security context token or because there is a mismatch between bindings. The security context token would be invalid if the service aborted the channel due to inactivity. To prevent the service from aborting idle sessions prematurely increase the Receive timeout on the service endpoint's binding.</s:Text>
         </s:Reason>
      </s:Fault>
   </s:Body>
</s:Envelope>

有人能帮我找出问题所在吗。感谢大家。

默认情况下，安全设置为Message的WsHttpBinding将启用安全上下文：见：

因此，在您发送包含用户名令牌的消息之前。你需要建立安全的对话。我不知道SoapUI是否支持它，但您可以在那里找到一些提示：

如果不想使用安全对话，请将establishSecurityContext设置为false。如果您打算在生产中使用它，请考虑使用StuttWoMeMeaGraceError使用SSL加密消息。