WCF BasicHttpBinding Security Analysis (2): BasicHttpBinding Security Settings

To get a reasonably complete picture of BasicHttpBinding's security, the best approach is to start from its security properties. All source code shown below was obtained by decompilation; we pick out the key pieces as needed for analysis. Start with Listing 11-73.

Listing 11-73 BasicHttpBinding definition

    // Decompiled excerpt; unrelated members omitted.
    public class BasicHttpBinding : Binding, IBindingRuntimePreferences
    {
        private HttpTransportBindingElement httpTransport;
        private HttpsTransportBindingElement httpsTransport;
        private TextMessageEncodingBindingElement textEncoding;
        private MtomMessageEncodingBindingElement mtomEncoding;
        private BasicHttpSecurity security;

        // Public constructor: creates a BasicHttpSecurity and applies the requested mode.
        public BasicHttpBinding(BasicHttpSecurityMode securityMode)
        {
            this.security = new BasicHttpSecurity();
            this.security.Mode = securityMode;
        }

        // Internal constructor: takes an already-configured BasicHttpSecurity.
        private BasicHttpBinding(BasicHttpSecurity security)
        {
            this.security = new BasicHttpSecurity();
            this.security = security;
        }
    }

From Listing 11-73 we can see that the key object is BasicHttpSecurity: in its constructor, the BasicHttpBinding class instantiates it and sets securityMode on it. Let us now look at the definition of BasicHttpSecurity.

Listing 11-74 BasicHttpSecurity definition

    public sealed class BasicHttpSecurity
    {
        internal const BasicHttpSecurityMode DefaultMode = BasicHttpSecurityMode.None;
        private BasicHttpSecurityMode mode;
        private HttpTransportSecurity transportSecurity;
        private BasicHttpMessageSecurity messageSecurity;

        // Security mode; the setter rejects values outside the enumeration.
        public BasicHttpSecurityMode Mode
        {
            [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]
            get
            {
                return this.mode;
            }
            set
            {
                if (!BasicHttpSecurityModeHelper.IsDefined(value))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
                }
                this.mode = value;
            }
        }

        // Transport-level settings; null is replaced by a default instance.
        public HttpTransportSecurity Transport
        {
            [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]
            get
            {
                return this.transportSecurity;
            }
            set
            {
                this.transportSecurity = ((value == null) ? new HttpTransportSecurity() : value);
            }
        }

        // Message-level settings; null is replaced by a default instance.
        public BasicHttpMessageSecurity Message
        {
            [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]
            get
            {
                return this.messageSecurity;
            }
            set
            {
                this.messageSecurity = ((value == null) ? new BasicHttpMessageSecurity() : value);
            }
        }

        public BasicHttpSecurity()
            : this(BasicHttpSecurityMode.None, new HttpTransportSecurity(), new BasicHttpMessageSecurity())
        {
        }

        private BasicHttpSecurity(BasicHttpSecurityMode mode, HttpTransportSecurity transportSecurity, BasicHttpMessageSecurity messageSecurity)
        {
            this.Mode = mode;
            this.transportSecurity = ((transportSecurity == null) ? new HttpTransportSecurity() : transportSecurity);
            this.messageSecurity = ((messageSecurity == null) ? new BasicHttpMessageSecurity() : messageSecurity);
        }
    }

Based on Listing 11-74, we give a brief analysis of BasicHttpSecurity. First, the Mode property. Mode is one of the BasicHttpSecurityMode enumeration values and indicates the security type; its default is None. The BasicHttpSecurityMode enumeration offers five options:

1) None: SOAP messages are not secured during transmission. This is the default behaviour.

2) Transport: security is provided by HTTPS. The service must be configured with an SSL certificate. The SOAP message is protected as a whole by HTTPS. The client authenticates the service using the service's SSL certificate. Client authentication is controlled through ClientCredentialType.

3) Message: security is provided by SOAP message security. For BasicHttpBinding, the system requires that the server certificate be supplied to the client separately. The valid client credential types for this binding are UserName and Certificate.

4) TransportWithMessageCredential: integrity, confidentiality and server authentication are all provided by HTTPS. The service must be configured with a certificate. Client authentication is provided by SOAP message security. This mode applies when users are to be authenticated with username or certificate credentials and an existing HTTPS deployment is available to protect the message transport.

5) TransportCredentialOnly: this mode provides no message integrity or confidentiality; it provides only HTTP-based client authentication. Use this mode with care. It should be used in environments where transport security is provided by other means (such as IPSec) and the infrastructure only needs to supply client authentication.

The security mode can be configured as shown in Listing 11-75.

Listing 11-75 Configuring the security mode

    <basicHttpBinding>
      <binding name="basicBidingConf">
        <security mode="None">
        </security>
      </binding>
    </basicHttpBinding>

Returning to Listing 11-74, the second property of BasicHttpSecurity is Transport, an instance of HttpTransportSecurity. The HttpTransportSecurity class is defined as in Listing 11-75.

Listing 11-75 HttpTransportSecurity class definition

    public sealed class HttpTransportSecurity
    {
        internal const HttpClientCredentialType DefaultClientCredentialType = HttpClientCredentialType.None;
        internal const HttpProxyCredentialType DefaultProxyCredentialType = HttpProxyCredentialType.None;
        internal const string DefaultRealm = "";

        private HttpClientCredentialType clientCredentialType;
        private HttpProxyCredentialType proxyCredentialType;
        private string realm;
        private ExtendedProtectionPolicy extendedProtectionPolicy;

        // The four public members are properties backed by the fields above.
        // Their bodies are abbreviated here, as in the author's excerpt; the
        // real setters also validate the assigned values.
        public HttpClientCredentialType ClientCredentialType
        {
            get { return this.clientCredentialType; }
            set { this.clientCredentialType = value; }
        }

        public HttpProxyCredentialType ProxyCredentialType
        {
            get { return this.proxyCredentialType; }
            set { this.proxyCredentialType = value; }
        }

        public string Realm
        {
            get { return this.realm; }
            set { this.realm = value; }
        }

        public ExtendedProtectionPolicy ExtendedProtectionPolicy
        {
            get { return this.extendedProtectionPolicy; }
            set { this.extendedProtectionPolicy = value; }
        }

        public HttpTransportSecurity()
        {
            this.clientCredentialType = HttpClientCredentialType.None;
            this.proxyCredentialType = HttpProxyCredentialType.None;
            this.realm = "";
            this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy;
        }
    }

From Listing 11-75 we see that the HttpTransportSecurity class has four properties:

1) ClientCredentialType. Gets or sets the type of client credential used for authentication. The default is HttpClientCredentialType.None.

2) ExtendedProtectionPolicy. Gets or sets the extended protection policy. The default is ChannelBindingUtility.DefaultPolicy.

3) ProxyCredentialType. Gets or sets the type of client credential used to authenticate against a proxy. The default is HttpProxyCredentialType.None.

4) Realm. Gets or sets the authentication realm for Digest or Basic authentication. The default is the empty string.

The third property of the BasicHttpSecurity class is of type BasicHttpMessageSecurity and is used to configure message security for BasicHttpBinding. The class is defined as in Listing 11-76.

Listing 11-76 BasicHttpMessageSecurity class definition

    public sealed class BasicHttpMessageSecurity
    {
        internal const BasicHttpMessageCredentialType DefaultClientCredentialType = BasicHttpMessageCredentialType.UserName;
        private BasicHttpMessageCredentialType clientCredentialType;
        private SecurityAlgorithmSuite algorithmSuite;

        // Credential type used in the SOAP message; the setter rejects undefined enum values.
        public BasicHttpMessageCredentialType ClientCredentialType
        {
            get { return this.clientCredentialType; }
            set
            {
                if (!BasicHttpMessageCredentialTypeHelper.IsDefined(value))
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));
                }
                this.clientCredentialType = value;
            }
        }

        // Algorithm suite for message security; null is rejected.
        public SecurityAlgorithmSuite AlgorithmSuite
        {
            get { return this.algorithmSuite; }
            set
            {
                if (value == null)
                {
                    throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");
                }
                this.algorithmSuite = value;
            }
        }

        public BasicHttpMessageSecurity()
        {
            this.clientCredentialType = BasicHttpMessageCredentialType.UserName;
            this.algorithmSuite = SecurityAlgorithmSuite.Default;
        }
    }

From Listing 11-76 we can see that the BasicHttpMessageSecurity class has two properties:

1) AlgorithmSuite. Specifies the algorithm suite to be used with BasicHttpMessageSecurity.

2) ClientCredentialType. Specifies the type of credential the client uses to authenticate when sending secured messages.

So how is BasicHttpSecurity configured in the configuration file? Listing 11-77 gives the general configuration options.

Listing 11-77 Configuring BasicHttpSecurity

    <basicHttpBinding>
      <binding
          transferMode="Buffered/Streamed/StreamedRequest/StreamedResponse"
          useDefaultWebProxy="Boolean">
        <security mode="None/Transport/Message/TransportWithMessageCredential/TransportCredentialOnly">
          <transport clientCredentialType="None/Basic/Digest/Ntlm/Windows/Certificate"
                     proxyCredentialType="None/Basic/Digest/Ntlm/Windows"
                     realm="string" />
          <message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
                   clientCredentialType="UserName/Certificate" />
        </security>
        <readerQuotas maxDepth="Integer"
                      maxStringContentLength="Integer"
                      maxByteArrayContentLength="Integer"
                      maxBytesPerRead="Integer"
                      maxNameTableCharCount="Integer" />
      </binding>
    </basicHttpBinding>

The meaning of each item in the configuration section of Listing 11-77 can be read off from the corresponding properties of the BasicHttpSecurity class, so we do not repeat them here. Next we will continue exploring more of BasicHttpBinding's security features through examples.
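As an added example (not code from the original post), the following C# builds two BasicHttpBinding instances programmatically and runs a hypothetical Audit helper that reads the Mode, Transport and Message properties discussed above and reports what each combination does and does not protect. The helper and its messages are this example's own, not part of WCF; it assumes a reference to System.ServiceModel.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical audit helper (not part of WCF) built on the properties from Listings 11-74 to 11-76.
static class BasicHttpSecurityAudit
{
    public static List<string> Audit(BasicHttpBinding binding)
    {
        var findings = new List<string>();
        BasicHttpSecurity s = binding.Security;
        switch (s.Mode)
        {
            case BasicHttpSecurityMode.None:
                findings.Add("None: SOAP messages travel over plain HTTP with no protection.");
                break;
            case BasicHttpSecurityMode.TransportCredentialOnly:
                findings.Add("TransportCredentialOnly: client authentication only, no integrity or confidentiality; "
                           + "acceptable only where the transport is protected by other means (e.g. IPSec).");
                if (s.Transport.ClientCredentialType == HttpClientCredentialType.Basic)
                    findings.Add("Basic credentials in this mode: the password is sent base64-encoded, not encrypted.");
                break;
            case BasicHttpSecurityMode.Message:
                findings.Add("Message: SOAP message security; the server certificate must be supplied to clients "
                           + "separately. Client credential: " + s.Message.ClientCredentialType);
                break;
            default: // Transport, TransportWithMessageCredential
                findings.Add(s.Mode + ": HTTPS supplies integrity, confidentiality and server authentication; "
                           + "the service needs an SSL certificate.");
                break;
        }
        // AlgorithmSuite only matters when message security is in use.
        if (s.Mode == BasicHttpSecurityMode.Message || s.Mode == BasicHttpSecurityMode.TransportWithMessageCredential)
            findings.Add("Message symmetric key length: " + s.Message.AlgorithmSuite.DefaultSymmetricKeyLength + " bits");
        return findings;
    }

    static void Main()
    {
        // Weak setting: HTTP Basic credentials with no transport protection.
        var weak = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        weak.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        // Corrected setting, equivalent to <security mode="TransportWithMessageCredential"> with
        // <message clientCredentialType="UserName" algorithmSuite="Basic256"/> in Listing 11-77.
        var hardened = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        hardened.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        hardened.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256;
        foreach (var b in new[] { weak, hardened })
            foreach (var f in Audit(b)) Console.WriteLine(b.Security.Mode + " -> " + f);
    }
}
```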


Author: 玄魂
Source: http://www.cnblogs.com/xuanhun/

Original article: https://www.cnblogs.com/xuanhun/p/2091302.html