Background: the era of site-wide HTTPS has arrived
For site-wide HTTPS, see: http://www.cnblogs.com/bugly/p/5075909.html
1. Setting the BasicHttpSecurity model of the BasicHttpBinding.
When creating the Binding, the URI scheme decides whether the endpoint is HTTPS or HTTP.
```csharp
using System.ServiceModel;
using System.Xml;

internal class AtomBinding
{
    private AtomBinding() { }

    internal static BasicHttpBinding Create(bool isHttps)
    {
        return new BasicHttpBinding
        {
            MaxReceivedMessageSize = 65536000,
            ReaderQuotas = new XmlDictionaryReaderQuotas { MaxStringContentLength = 65536000 },
            // Security settings of the BasicHttpBinding (type BasicHttpSecurity)
            Security =
            {
                // Security mode: Transport when the svc is reached over HTTPS, None (the default) over HTTP
                Mode = isHttps ? BasicHttpSecurityMode.Transport : BasicHttpSecurityMode.None,
                // Transport-level security: the client credential stays at the default, anonymous
                Transport = new HttpTransportSecurity { ClientCredentialType = HttpClientCredentialType.None }
            }
        };
    }
}
```
2. Introduction to the BasicHttpSecurity type
- 2.1. Message
Security is provided using SOAP message security. For the BasicHttpBinding, the system requires that the server certificate be provided to the client separately. The valid client credential types for this binding are UserName and Certificate. (The client must supply a username + password or a certificate; Basic Authentication == username + password.)
- 2.2. None
The SOAP message is not secured during transfer. This is the default behavior. (The default mode: no security at all, so neither the integrity nor the confidentiality of the message is guaranteed.)
- 2.3. Transport
Security is provided using HTTPS. The service must be configured with SSL certificates. The SOAP message is protected as a whole using HTTPS. The service is authenticated by the client using the service’s SSL certificate. The client authentication is controlled through the ClientCredentialType. (Message security comes from HTTPS; how the client is authenticated depends on the ClientCredentialType setting.)
- 2.4. TransportCredentialOnly
This mode does not provide message integrity and confidentiality (this mode guarantees neither integrity nor confidentiality of the message). It provides only HTTP-based client authentication. Use this mode with caution. It should be used in environments where the transfer security is being provided by other means (such as IPSec) and only client authentication is provided by the Windows Communication Foundation (WCF) infrastructure.
- 2.5. TransportWithMessageCredential
Integrity, confidentiality and server authentication are provided by HTTPS. The service must be configured with a certificate. Client authentication is provided by means of SOAP message security. This mode is applicable when the user is authenticating with a UserName or Certificate credential and there is an existing HTTPS deployment for securing message transfer. (This is the most secure option, but also the most cumbersome.)
3. Making the client skip validation of the server certificate
```csharp
public AtomResponse Execute(AtomRequest message)
{
    // Accept every server certificate regardless of chain or host-name errors.
    // This removes the server authentication that Transport mode otherwise provides,
    // and the handler is added again on every call; register it once if you keep this approach.
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, policyErrors) => true;
    return Channel.Execute(message);
}
```
If the client does not skip server-certificate validation, the root certificate that issued the server certificate must be installed on the client.
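The following is an added example (not code from the original post) that ties sections 1 and 3 together from the defender's side: the binding mode is derived from the endpoint URI rather than a bool, and the validation callback keeps the normal chain check and pins the expected service certificate instead of returning true. AtomClientSetup, CreateBinding, ValidateServerCertificate and the ExpectedThumbprint placeholder are assumed names.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.Xml;

internal static class AtomClientSetup
{
    // Placeholder (assumption): the SHA-1 thumbprint of the service certificate you expect.
    private const string ExpectedThumbprint = "<SERVER-CERT-THUMBPRINT-PLACEHOLDER>";

    // Derive the security mode from the scheme so an https:// endpoint is never paired with Mode = None.
    internal static BasicHttpBinding CreateBinding(Uri endpoint)
    {
        bool isHttps = string.Equals(endpoint.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
        return new BasicHttpBinding
        {
            MaxReceivedMessageSize = 65536000,
            ReaderQuotas = new XmlDictionaryReaderQuotas { MaxStringContentLength = 65536000 },
            Security =
            {
                Mode = isHttps ? BasicHttpSecurityMode.Transport : BasicHttpSecurityMode.None,
                Transport = new HttpTransportSecurity { ClientCredentialType = HttpClientCredentialType.None }
            }
        };
    }

    // Alternative to "return true": reject any chain/name error the framework found, then require
    // that the presented certificate is exactly the one we pinned (a private CA root no longer has
    // to be installed on the client, and a different certificate is still refused).
    internal static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors policyErrors)
    {
        if (certificate == null || policyErrors != SslPolicyErrors.None)
            return false;
        var cert2 = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        return string.Equals(cert2.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    // Assign the callback once at start-up rather than adding a handler on every Execute call.
    internal static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = ValidateServerCertificate;
    }
}
```

If the service certificate is issued by a public CA, the thumbprint comparison can be dropped and the `policyErrors == None` check alone restores the default behaviour.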