WCF BasicHttpBinding Security Analysis (2): BasicHttpBinding Security Settings
The best way to get a reasonably complete picture of BasicHttpBinding security is to start from its security properties. All source code shown below was obtained by decompiling the framework assemblies; only the parts needed for the analysis are reproduced. Start with Listing 11-73.
Listing 11-73 Definition of BasicHttpBinding
public class BasicHttpBinding : Binding, IBindingRuntimePreferences
{
    private HttpTransportBindingElement httpTransport;     // plain HTTP: None, TransportCredentialOnly, Message
    private HttpsTransportBindingElement httpsTransport;   // HTTPS: Transport, TransportWithMessageCredential
    private TextMessageEncodingBindingElement textEncoding;
    private MtomMessageEncodingBindingElement mtomEncoding;
    private BasicHttpSecurity security;                    // the object examined in this part

    public BasicHttpBinding(BasicHttpSecurityMode securityMode)
    {
        this.security = new BasicHttpSecurity();
        this.security.Mode = securityMode;   // goes through the validating Mode setter
    }

    private BasicHttpBinding(BasicHttpSecurity security)
    {
        this.security = new BasicHttpSecurity();   // decompiler output; immediately overwritten
        this.security = security;
    }
}

Listing 11-73 shows that the key object is BasicHttpSecurity: the BasicHttpBinding constructor creates it and sets its Mode to the securityMode passed in. Next, the definition of BasicHttpSecurity.
Listing 11-74 Definition of BasicHttpSecurity
public sealed class BasicHttpSecurity
{
    internal const BasicHttpSecurityMode DefaultMode = BasicHttpSecurityMode.None;

    private BasicHttpSecurityMode mode;
    private HttpTransportSecurity transportSecurity;
    private BasicHttpMessageSecurity messageSecurity;

    public BasicHttpSecurityMode Mode
    {
        get { return this.mode; }
        set
        {
            // Rejects values that are not members of the BasicHttpSecurityMode enum.
            if (!BasicHttpSecurityModeHelper.IsDefined(value))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
            }
            this.mode = value;
        }
    }

    public HttpTransportSecurity Transport
    {
        get { return this.transportSecurity; }
        // Assigning null does not clear the settings; a fresh default instance is substituted.
        set { this.transportSecurity = ((value == null) ? new HttpTransportSecurity() : value); }
    }

    public BasicHttpMessageSecurity Message
    {
        get { return this.messageSecurity; }
        set { this.messageSecurity = ((value == null) ? new BasicHttpMessageSecurity() : value); }
    }

    public BasicHttpSecurity()
        : this(BasicHttpSecurityMode.None, new HttpTransportSecurity(), new BasicHttpMessageSecurity())
    {
    }

    private BasicHttpSecurity(BasicHttpSecurityMode mode, HttpTransportSecurity transportSecurity, BasicHttpMessageSecurity messageSecurity)
    {
        this.Mode = mode;   // validated by the setter above
        this.transportSecurity = ((transportSecurity == null) ? new HttpTransportSecurity() : transportSecurity);
        this.messageSecurity = ((messageSecurity == null) ? new BasicHttpMessageSecurity() : messageSecurity);
    }
}

A brief walk through BasicHttpSecurity as shown in Listing 11-74. The first property is Mode, one of the BasicHttpSecurityMode enum values; it selects the security type and defaults to None. Two details of the class matter in practice: the Mode setter throws ArgumentOutOfRangeException for a value outside the enum, and the Transport and Message properties can never be null, because assigning null silently substitutes a default instance. A sub-setting cannot be "switched off" by nulling it; the only switch is Mode. The BasicHttpSecurityMode enum offers five choices:
1) None: SOAP messages are not protected in transit. This is the default.
2) Transport: security is provided by HTTPS. The service must be configured with an SSL certificate. The SOAP message is protected as a whole by HTTPS, and the client authenticates the service through the service's SSL certificate. Client authentication is controlled through ClientCredentialType.
3) Message: security is provided by SOAP message security. For BasicHttpBinding the server certificate must be supplied to the client separately (out of band). The documentation lists UserName and Certificate as the valid client credential types, but in pure Message mode BasicHttpBinding actually accepts only Certificate: building the channel stack with ClientCredentialType=UserName fails with an InvalidOperationException. UserName works with TransportWithMessageCredential instead.
4) TransportWithMessageCredential: integrity, confidentiality and server authentication are provided by HTTPS, so the service must be configured with a certificate. Client authentication is provided by SOAP message security. This mode fits when users must be authenticated with a user name or certificate credential and an HTTPS deployment already protects the transport.
5) TransportCredentialOnly: provides no message integrity or confidentiality, only HTTP-based client authentication. With the Basic credential type the user name and password travel base64-encoded in the Authorization header, readable by anyone on the path. Use this mode with great care, and only where transport security is provided by other means (IPsec, for example) and the infrastructure needs nothing more than client authentication.
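The list above describes each mode; to see what each one actually puts on the channel, the following added example (not code from the article or from WCF itself) builds a BasicHttpBinding in every mode and walks the binding-element stack that CreateBindingElements() returns. It assumes a .NET Framework project referencing System.ServiceModel.dll; the class and method names (BasicHttpModeInspector, Describe, InspectAllModes) are my own.

```csharp
// Added example: inspect the channel stack BasicHttpBinding builds per security mode.
// Not part of the original article. Requires System.ServiceModel.dll (.NET Framework).
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

public static class BasicHttpModeInspector
{
    // One line per binding: transport element (HTTP vs HTTPS), the HTTP authentication
    // scheme the transport will demand, and the SOAP security binding element, if any.
    public static string Describe(BasicHttpBinding binding)
    {
        BindingElementCollection elements;
        try
        {
            elements = binding.CreateBindingElements();
        }
        catch (InvalidOperationException ex)
        {
            // Pure Message mode with the default UserName credential is rejected here.
            return string.Format("mode={0} INVALID: {1}", binding.Security.Mode, ex.Message);
        }

        string transport = "none";
        AuthenticationSchemes scheme = AuthenticationSchemes.None;
        string soapSecurity = "none";
        foreach (BindingElement element in elements)
        {
            // HttpsTransportBindingElement derives from HttpTransportBindingElement,
            // so the HTTPS check must come first.
            if (element is HttpsTransportBindingElement)
            {
                transport = "HTTPS";
                scheme = ((HttpTransportBindingElement)element).AuthenticationScheme;
            }
            else if (element is HttpTransportBindingElement)
            {
                transport = "HTTP (cleartext)";
                scheme = ((HttpTransportBindingElement)element).AuthenticationScheme;
            }
            else if (element is SecurityBindingElement)
            {
                // TransportSecurityBindingElement or AsymmetricSecurityBindingElement
                soapSecurity = element.GetType().Name;
            }
        }
        return string.Format("mode={0} transport={1} httpAuth={2} soapSecurity={3}",
            binding.Security.Mode, transport, scheme, soapSecurity);
    }

    // Every mode with the defaults the decompiled classes give it, plus the one
    // Message-mode configuration that BasicHttpBinding actually accepts.
    public static List<string> InspectAllModes()
    {
        var results = new List<string>();
        foreach (BasicHttpSecurityMode mode in Enum.GetValues(typeof(BasicHttpSecurityMode)))
        {
            results.Add(Describe(new BasicHttpBinding(mode)));
        }

        var messageWithCert = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        messageWithCert.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        results.Add(Describe(messageWithCert));

        var credentialOnly = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        credentialOnly.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        results.Add(Describe(credentialOnly));   // Basic auth demanded on a cleartext transport
        return results;
    }

    public static void Main()
    {
        foreach (string line in InspectAllModes())
        {
            Console.WriteLine(line);
        }
    }
}
```

Reading the output side by side makes the mode semantics concrete: None and TransportCredentialOnly end up on HttpTransportBindingElement with no SOAP security element, Transport and TransportWithMessageCredential on HttpsTransportBindingElement, and only the Message and TransportWithMessageCredential modes add a SecurityBindingElement. The default Message-mode binding does not even build, which is the runtime form of the UserName caveat in item 3.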
The security mode can be configured as shown in Listing 11-75.
Listing 11-75 Configuring the security mode
<basicHttpBinding>
  <binding name="basicBidingConf">
    <security mode="None">
    </security>
  </binding>
</basicHttpBinding>
The second property of BasicHttpSecurity in Listing 11-74 is Transport, an instance of HttpTransportSecurity. That class is defined in Listing 11-76.
Listing 11-76 Definition of HttpTransportSecurity
public sealed class HttpTransportSecurity
{
    internal const HttpClientCredentialType DefaultClientCredentialType = HttpClientCredentialType.None;
    internal const HttpProxyCredentialType DefaultProxyCredentialType = HttpProxyCredentialType.None;
    internal const string DefaultRealm = "";

    private HttpClientCredentialType clientCredentialType;
    private HttpProxyCredentialType proxyCredentialType;
    private string realm;
    private ExtendedProtectionPolicy extendedProtectionPolicy;

    // These are properties over the private fields above, not public fields.
    // The setter bodies are abbreviated; the framework validates the values.
    public HttpClientCredentialType ClientCredentialType
    {
        get { return this.clientCredentialType; }
        set { this.clientCredentialType = value; }
    }

    public HttpProxyCredentialType ProxyCredentialType
    {
        get { return this.proxyCredentialType; }
        set { this.proxyCredentialType = value; }
    }

    public string Realm
    {
        get { return this.realm; }
        set { this.realm = value; }
    }

    public ExtendedProtectionPolicy ExtendedProtectionPolicy
    {
        get { return this.extendedProtectionPolicy; }
        set { this.extendedProtectionPolicy = value; }
    }

    public HttpTransportSecurity()
    {
        this.clientCredentialType = HttpClientCredentialType.None;    // anonymous clients by default
        this.proxyCredentialType = HttpProxyCredentialType.None;
        this.realm = "";
        this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy;   // PolicyEnforcement.Never
    }
}

Listing 11-76 shows that HttpTransportSecurity has four properties:
1) ClientCredentialType. Gets or sets the type of client credential used for authentication. The default is HttpClientCredentialType.None, so a binding authenticates nobody unless this is changed.
2) ExtendedProtectionPolicy. Gets or sets the extended protection (channel binding) policy. The default is ChannelBindingUtility.DefaultPolicy, which is PolicyEnforcement.Never: integrated Windows authentication over HTTPS is not tied to the TLS channel unless this is raised.
3) ProxyCredentialType. Gets or sets the type of client credential used to authenticate to a proxy. The default is HttpProxyCredentialType.None.
4) Realm. Gets or sets the authentication realm used for Digest or Basic authentication. The default is the empty string.
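As an added check over the four properties just listed (my own code, not the article's or WCF's), the following audits the HttpTransportSecurity settings of a BasicHttpBinding for the credential-exposure problems the text warns about and builds a hardened counterpart. It assumes System.ServiceModel.dll is referenced; ExtendedProtectionPolicy comes from System.dll. The class and method names (TransportCredentialAudit, Audit, Hardened) and the policy rules encoded in Audit are my own choices, not WCF rules.

```csharp
// Added example: audit transport credential settings on a BasicHttpBinding.
// Not part of the original article. Requires System.ServiceModel.dll.
using System;
using System.Collections.Generic;
using System.Security.Authentication.ExtendedProtection;
using System.ServiceModel;

public static class TransportCredentialAudit
{
    static bool UsesHttps(BasicHttpSecurityMode mode)
    {
        return mode == BasicHttpSecurityMode.Transport
            || mode == BasicHttpSecurityMode.TransportWithMessageCredential;
    }

    // Returns one line per problem found; an empty list means the settings passed.
    public static List<string> Audit(BasicHttpBinding binding)
    {
        var findings = new List<string>();
        BasicHttpSecurityMode mode = binding.Security.Mode;
        HttpTransportSecurity t = binding.Security.Transport;
        HttpClientCredentialType cred = t.ClientCredentialType;

        // Credentials on a cleartext transport (the TransportCredentialOnly warning).
        if (mode == BasicHttpSecurityMode.TransportCredentialOnly)
        {
            if (cred == HttpClientCredentialType.Basic)
                findings.Add("Basic credentials travel base64-encoded in cleartext over HTTP");
            else if (cred == HttpClientCredentialType.None)
                findings.Add("TransportCredentialOnly with ClientCredentialType=None authenticates nobody");
            else
                findings.Add("client authenticated with " + cred + " but messages have no integrity or confidentiality");
        }
        if (mode == BasicHttpSecurityMode.None && cred != HttpClientCredentialType.None)
            findings.Add("ClientCredentialType=" + cred + " has no effect in None mode");

        // Integrated Windows authentication over HTTPS should be bound to the TLS
        // channel; the default policy (Never) leaves the NTLM/Kerberos exchange relayable.
        bool windowsAuth = cred == HttpClientCredentialType.Windows || cred == HttpClientCredentialType.Ntlm;
        if (UsesHttps(mode) && windowsAuth
            && t.ExtendedProtectionPolicy.PolicyEnforcement != PolicyEnforcement.Always)
        {
            findings.Add("ExtendedProtectionPolicy is " + t.ExtendedProtectionPolicy.PolicyEnforcement
                + "; set PolicyEnforcement.Always to enable channel binding");
        }

        // Basic/Digest with the default empty realm: the challenge carries realm="".
        if ((cred == HttpClientCredentialType.Basic || cred == HttpClientCredentialType.Digest)
            && string.IsNullOrEmpty(t.Realm))
        {
            findings.Add("Realm is empty for " + cred + " authentication");
        }
        return findings;
    }

    // Hardened counterpart: HTTPS, Windows credentials, channel binding enforced.
    public static BasicHttpBinding Hardened()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        b.Security.Transport.ExtendedProtectionPolicy = new ExtendedProtectionPolicy(PolicyEnforcement.Always);
        return b;
    }

    public static void Main()
    {
        var weak = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        weak.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        foreach (string f in Audit(weak)) Console.WriteLine("weak: " + f);

        var relayable = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        relayable.Security.Transport.ClientCredentialType = HttpClientCredentialType.Ntlm;
        foreach (string f in Audit(relayable)) Console.WriteLine("relayable: " + f);

        Console.WriteLine("hardened findings: " + Audit(Hardened()).Count);
    }
}
```

The weak binding produces two findings (cleartext Basic credentials and an empty realm), the NTLM-over-HTTPS binding produces the channel-binding finding, and the hardened binding produces none. Setting PolicyEnforcement.Always can throw on an operating system without extended protection support; that exception is the correct outcome, since the binding would otherwise silently run without channel binding.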
The third property of BasicHttpSecurity is of type BasicHttpMessageSecurity and configures message security for BasicHttpBinding. The class is defined in Listing 11-77.
Listing 11-77 Definition of BasicHttpMessageSecurity
public sealed class BasicHttpMessageSecurity
{
    internal const BasicHttpMessageCredentialType DefaultClientCredentialType = BasicHttpMessageCredentialType.UserName;

    private BasicHttpMessageCredentialType clientCredentialType;
    private SecurityAlgorithmSuite algorithmSuite;

    public BasicHttpMessageCredentialType ClientCredentialType
    {
        get { return this.clientCredentialType; }
        set
        {
            // Only UserName and Certificate are members of the enum.
            if (!BasicHttpMessageCredentialTypeHelper.IsDefined(value))
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
            }
            this.clientCredentialType = value;
        }
    }

    public SecurityAlgorithmSuite AlgorithmSuite
    {
        get { return this.algorithmSuite; }
        set
        {
            // Unlike Transport/Message on BasicHttpSecurity, null is rejected rather than replaced.
            if (value == null)
            {
                throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
            }
            this.algorithmSuite = value;
        }
    }

    public BasicHttpMessageSecurity()
    {
        this.clientCredentialType = BasicHttpMessageCredentialType.UserName;
        this.algorithmSuite = SecurityAlgorithmSuite.Default;   // Basic256
    }
}

Listing 11-77 shows that BasicHttpMessageSecurity has two properties:
1) AlgorithmSuite. Specifies the algorithm suite (symmetric cipher, key length, digest and key-wrap algorithms) used for message security. The default is SecurityAlgorithmSuite.Default, which is Basic256; the setter throws on null.
2) ClientCredentialType. Specifies the type of credential the client uses to authenticate when sending secured messages: UserName or Certificate, with UserName as the default.
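The algorithm suite names in the configuration schema (Basic128, TripleDesRsa15 and so on) say little by themselves. The following added example (my own code, not the article's or WCF's) prints what each SecurityAlgorithmSuite actually selects, applies a local policy of my choosing to reject the weak ones, and configures a Message-mode binding with an approved suite. It assumes references to System.ServiceModel.dll and System.IdentityModel.dll; AlgorithmSuitePolicy, Describe, Violations and MessageBinding are my names.

```csharp
// Added example: report and vet SecurityAlgorithmSuite choices for message security.
// Not part of the original article. Requires System.ServiceModel.dll and System.IdentityModel.dll.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class AlgorithmSuitePolicy
{
    // Human-readable summary of the algorithms a suite selects.
    public static string Describe(string name, SecurityAlgorithmSuite suite)
    {
        return string.Format("{0}: encryption={1} keyBits={2} digest={3} keyWrap={4}",
            name,
            suite.DefaultEncryptionAlgorithm,
            suite.DefaultSymmetricKeyLength,
            suite.DefaultDigestAlgorithm,
            suite.DefaultAsymmetricKeyWrapAlgorithm);
    }

    // Local policy (my choice, not a WCF rule): no 3DES, 256-bit symmetric keys,
    // no SHA-1 digests, no RSA PKCS#1 v1.5 key wrap.
    public static List<string> Violations(SecurityAlgorithmSuite suite)
    {
        var problems = new List<string>();
        if (suite.DefaultEncryptionAlgorithm == SecurityAlgorithms.TripleDesEncryption)
            problems.Add("3DES encryption");
        if (suite.DefaultSymmetricKeyLength < 256)
            problems.Add("symmetric key shorter than 256 bits");
        if (suite.DefaultDigestAlgorithm == SecurityAlgorithms.Sha1Digest)
            problems.Add("SHA-1 digest");
        if (suite.DefaultAsymmetricKeyWrapAlgorithm == SecurityAlgorithms.RsaV15KeyWrap)
            problems.Add("RSA PKCS#1 v1.5 key wrap");
        return problems;
    }

    // Message-mode binding with a vetted suite. The AlgorithmSuite setter throws
    // ArgumentNullException on null, and BasicHttpBinding accepts only Certificate
    // credentials in pure Message mode, so that is set explicitly.
    public static BasicHttpBinding MessageBinding(SecurityAlgorithmSuite suite)
    {
        List<string> problems = Violations(suite);
        if (problems.Count > 0)
            throw new ArgumentException("suite fails local policy: " + string.Join(", ", problems.ToArray()));

        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        binding.Security.Message.AlgorithmSuite = suite;
        return binding;
    }

    public static void Main()
    {
        var suites = new Dictionary<string, SecurityAlgorithmSuite>
        {
            { "Default",        SecurityAlgorithmSuite.Default },        // Basic256
            { "Basic128",       SecurityAlgorithmSuite.Basic128 },
            { "TripleDesRsa15", SecurityAlgorithmSuite.TripleDesRsa15 },
            { "Basic256Sha256", SecurityAlgorithmSuite.Basic256Sha256 },
        };
        foreach (KeyValuePair<string, SecurityAlgorithmSuite> entry in suites)
        {
            Console.WriteLine(Describe(entry.Key, entry.Value));
            foreach (string p in Violations(entry.Value))
                Console.WriteLine("    weak: " + p);
        }

        BasicHttpBinding b = MessageBinding(SecurityAlgorithmSuite.Basic256Sha256);
        Console.WriteLine("configured: " + b.Security.Message.AlgorithmSuite.DefaultDigestAlgorithm);
    }
}
```

The point worth noticing in the output is that the Default suite (Basic256) passes on cipher and key length but still uses SHA-1 digests; only the Sha256 suites clear the digest rule, and the Rsa15 suites fail on key wrap regardless of cipher. A suite that fails policy never reaches the binding because MessageBinding throws first.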
How is BasicHttpSecurity configured in the configuration file? Listing 11-78 gives the general configuration options.
Listing 11-78 Configuring BasicHttpSecurity
<basicHttpBinding>
  <binding
      transferMode="Buffered/Streamed/StreamedRequest/StreamedResponse"
      useDefaultWebProxy="Boolean">
    <security mode="None/Transport/Message/TransportWithMessageCredential/TransportCredentialOnly">
      <transport clientCredentialType="None/Basic/Digest/Ntlm/Windows/Certificate"
                 proxyCredentialType="None/Basic/Digest/Ntlm/Windows"
                 realm="string" />
      <message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
               clientCredentialType="UserName/Certificate" />
    </security>
    <readerQuotas maxDepth="Integer"
                  maxStringContentLength="Integer"
                  maxByteArrayContentLength="Integer"
                  maxBytesPerRead="Integer"
                  maxNameTableCharCount="Integer" />
  </binding>
</basicHttpBinding>

Each item in the configuration section of Listing 11-78 maps directly onto a property of BasicHttpSecurity, HttpTransportSecurity or BasicHttpMessageSecurity described above, so they are not repeated here. The next part explores further security features of BasicHttpBinding through examples.
Author: 玄魂
Source: http://www.cnblogs.com/xuanhun/
Copyright of this article is shared by the author and 博客园 (cnblogs). Reposting is welcome, but this notice must be kept and a link to the original given prominently on the page; otherwise the author reserves the right to pursue legal action.