WCF 安全

服务器端与客户端都安装证书，双方通过证书加密通讯。

配置wsHttpBinding，使用基于消息的用户名验证。首先配置为Windows账户库验证。

服务器端配置：

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <services>
      <service name="Server.EchoClaims" behaviorConfiguration="echoClaimsBehavior">
        <endpoint address="EchoClaims"
                  binding="wsHttpBinding" bindingConfiguration="echoClaimsBinding"
                  contract="Server.IEchoClaims"></endpoint>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="echoClaimsBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="echoClaimsBehavior">
          <serviceCredentials>
            <serviceCertificate
              findValue="CN=WCFServer"
              storeLocation="LocalMachine"
              storeName="My"
              x509FindType="FindBySubjectDistinguishedName"/>

            <userNameAuthentication userNamePasswordValidationMode="Windows"/>

          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

</configuration>

客户端配置：

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <startup> 
        <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
    </startup>
    <system.serviceModel>
        <bindings>
            <wsHttpBinding>
                <binding name="WSHttpBinding_IEchoClaims">
                    <security mode="Message">
                        <message clientCredentialType="UserName" negotiateServiceCredential="true" />
                    </security>
                </binding>
            </wsHttpBinding>
        </bindings>
      <behaviors>
        <endpointBehaviors>
          <behavior name="echoClaimsBehavior">
            <clientCredentials>
              <serviceCertificate>
                <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
              </serviceCertificate>
            </clientCredentials>
          </behavior>
        </endpointBehaviors>
      </behaviors>
        <client>
            <endpoint address="http://localhost:8000/EchoClaims" binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_IEchoClaims" contract="EchoService.IEchoClaims"
                name="WSHttpBinding_IEchoClaims"
                      behaviorConfiguration="echoClaimsBehavior">
                <identity>
                    <certificate encodedValue="AwAAAAEAAAAUAAAAfrv857e8xZLzhuCQyO7qa/0wCkIgAAAAAQAAAPcCAAAwggLzMIIB36ADAgECAhAaodle1qkYlUXIdQ/PwC7IMAkGBSsOAwIdBQAwEjEQMA4GA1UEAxMHV0NGUm9vdDAeFw0xNDA0MDkwMjQ0MTlaFw0zOTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMTCVdDRlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyruHtFKP3kZCLphXZo3/an9RcWAZ/bDi0pNBL1wQOAXQqz+IWNYIAcL3Yu6+gTouOhEufhoeLSi6dqflxmGZ932hofR7riukGyJbOsHKCRcXuJTPXw0NvMTrJfCB6kD2nkOVgATrJfBazGQIb1OTj7kFYq2IJDIw5+M3toooaNWvF6z/ggL6DyxYuZ0rUf+bQpAhiKjBS49Ci7/LrVtnY9NxCoUTfgGbcg6A5PKf8eC0Cm2yLxnAt0yuCalWm2RlZQuMwfx1QIWV9IVla+aI5FiM2CoiVzumYp9nivZ2isy3Na2zqa0jp0Ik8Pg7c4kh1oSKLezbKYSo8ogvg2wzMCAwEAAaNLMEkwRwYDVR0BBEAwPoAQ7yxNpv71Jf0+UvKX5DgORaEYMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5ghA1FBocsiV2iUdFzYL/JyWnMAkGBSsOAwIdBQADggEBAIIXE9oU7K/6qPD1kKNXwruT5YYmHu/ogCpo5JD3keODMjakDBn7gr5wuqZsqoyvmKH8eNrTjP80crbUrdmh10Tr1V7JpbELTDFWLCyj4A/aS8a2DhpB0rksKd/sxtFu0nVJWKb/16+NZsBH6mjPYRui8id1QMDEPG29oPr0gJRuvPYtCJajgmMFGPlCanNN5diteiKf+OCWBu5D4y7Gypo2KgHXVgMz8+DkJU3e1AdGyeY3jrGzge42eM0xq2itbVL/t9FdnIeYDcUBIRiQlbDgWQIkpq6aH3G/WGFEVhbg6I0I9N4hANLTehsSe0YMfrN+8EB42BhwnYlMjFuh11k=" />
                  <dns value="WCFServer"/>
                </identity>
            </endpoint>
        </client>
    </system.serviceModel>
</configuration>

2， 自定义的成员提供程序最为身份库：
任何成员提供程序都必须派生自System.Web.MembershipProvider 基类，并且需要实现它的几个方法，以验证和管理应用程序中的用户。在WCF中只需要ValidateUser方法，用它来验证证书。

namespace Server
{
    public class MyMembershipProvider : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            //throw new NotImplementedException();
            if (userName != "joe" || password != "bar")
            {
                throw new SecurityTokenValidationException("The user could not be authenticated.");
            }
        }
    }
}

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
  </startup>
  <system.serviceModel>
    <services>
      <service name="Server.EchoClaims" behaviorConfiguration="echoClaimsBehavior">
        <endpoint address="EchoClaims" binding="wsHttpBinding" bindingConfiguration="echoClaimsBinding" contract="Server.IEchoClaims"></endpoint>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="echoClaimsBinding">
          <security mode="Message">
            <message clientCredentialType="UserName" negotiateServiceCredential="true"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="echoClaimsBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="CN=WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="Server.MyMembershipProvider, Server"/>

          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

</configuration>

8.3.2 建立在传输层安全至上的用户名验证