WCF Active STS (WS-Trust):JAVA 客户端的 System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize 访问被拒绝
WCF Active STS (WS-Trust) : Access is denied at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize for JAVA clients
我正在创建一个活动 STS,它使用颁发的令牌(SAML1、SAML2)验证 RST 并颁发 BinarySecurityTokens。
这适用于 .net 客户端。但是,来自 Java 客户端的 RST(代码、SOAP UI 等),我们 得到以下异常 -
<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...
我怀疑问题出在绑定的 serviceAuthorization 上。但是,我找不到任何关于为基于声明的身份验证配置授权的文档。这是我的配置 -
行为-
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="WSTrustServiceBehaviour">
<serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
<issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
</issuedTokenAuthentication>
</serviceCredentials>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization principalPermissionMode="Always" />
</behavior>
</serviceBehaviors>
绑定
<ws2007FederationHttpBinding>
<clear/>
<binding name="WS2007FedttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey">
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
服务-
<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
<endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
请让我知道缺少什么
似乎 ws2007FederationHttpBinding 要求 RST 具有 WS-Addressing headers 并且由于 WS-Addressing headers 缺少来自 [= 的请求而发生访问被拒绝错误16=] 客户。
我没有找到为 ws2007FederationHttpBinding 禁用 WS-Addressing 的选项,所以现在我们要求客户添加 WS-Addressing headers.
我正在创建一个活动 STS,它使用颁发的令牌(SAML1、SAML2)验证 RST 并颁发 BinarySecurityTokens。 这适用于 .net 客户端。但是,来自 Java 客户端的 RST(代码、SOAP UI 等),我们 得到以下异常 -
<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc&amp; rpc)
at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...
我怀疑问题出在绑定的 serviceAuthorization 上。但是,我找不到任何关于为基于声明的身份验证配置授权的文档。这是我的配置 - 行为-
<serviceBehaviors>
<behavior name="">
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="WSTrustServiceBehaviour">
<serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
<issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
</issuedTokenAuthentication>
</serviceCredentials>
<serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceAuthorization principalPermissionMode="Always" />
</behavior>
</serviceBehaviors>
绑定
<ws2007FederationHttpBinding>
<clear/>
<binding name="WS2007FedttpBinding">
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false" issuedKeyType="BearerKey">
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
服务-
<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
<endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
请让我知道缺少什么
似乎 ws2007FederationHttpBinding 要求 RST 具有 WS-Addressing headers 并且由于 WS-Addressing headers 缺少来自 [= 的请求而发生访问被拒绝错误16=] 客户。 我没有找到为 ws2007FederationHttpBinding 禁用 WS-Addressing 的选项,所以现在我们要求客户添加 WS-Addressing headers.