WCF client: making BasicHttpBinding work with both HTTPS and HTTP


Background: the era of site-wide HTTPS has arrived

For site-wide HTTPS, see: http://www.cnblogs.com/bugly/p/5075909.html

1. Set the BasicHttpSecurity mode of the BasicHttpBinding.

When creating the binding, use the scheme of the URI to decide whether the endpoint is HTTPS or HTTP.

using System.ServiceModel;
using System.Xml;

internal class AtomBinding
{
    private AtomBinding()
    {
    }

    internal static BasicHttpBinding Create(bool isHttps)
    {
        return new BasicHttpBinding
        {
            MaxReceivedMessageSize = 65536000,
            ReaderQuotas = new XmlDictionaryReaderQuotas {MaxStringContentLength = 65536000},

            // Security settings of the BasicHttpBinding (of type BasicHttpSecurity)
            Security =
            {
                // Security mode: Transport when calling an HTTPS svc, None (the default) for HTTP
                Mode = isHttps ? BasicHttpSecurityMode.Transport : BasicHttpSecurityMode.None,

                // Transport-level security settings: the client credential uses the default, anonymous authentication
                Transport = new HttpTransportSecurity {ClientCredentialType = HttpClientCredentialType.None}
            }
        };
    }
}

2. Overview of the BasicHttpSecurity modes

  • 2.1. Message 

Security is provided using SOAP message security. For the BasicHttpBinding, the system requires that the server certificate be provided to the client separately. The valid client credential types for this binding are UserName and Certificate. (The client must provide a username + password as well as a certificate; Basic Authentication == username + password.)

  • 2.2. None

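The SOAP message is not secured during transfer. This is the default behavior. (The default mode: there are no security measures at all, so the integrity and confidentiality of the message cannot be guaranteed.)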

  • 2.3. Transport

Security is provided using HTTPS. The service must be configured with SSL certificates. The SOAP message is protected as a whole using HTTPS. The service is authenticated by the client using the service’s SSL certificate. The client authentication is controlled through the ClientCredentialType. (Message security is provided by HTTPS; how the client is authenticated depends on the ClientCredentialType setting.)

  • 2.4. TransportCredentialOnly

This mode does not provide message integrity and confidentiality (this mode does not guarantee the integrity or confidentiality of the message). It provides only HTTP-based client authentication. Use this mode with caution. It should be used in environments where the transfer security is being provided by other means (such as IPSec) and only client authentication is provided by the Windows Communication Foundation (WCF) infrastructure.

  • 2.5. TransportWithMessageCredential

Integrity, confidentiality and server authentication are provided by HTTPS. The service must be configured with a certificate. Client authentication is provided by means of SOAP message security. This mode is applicable when the user is authenticating with a UserName or Certificate credential and there is an existing HTTPS deployment for securing message transfer. (This approach is the most secure, but also the most cumbersome.)

3. Making the client ignore validation of the server certificate

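public AtomResponse Execute(AtomRequest message)
{
    // ServerCertificateValidationCallback is process-wide: returning true accepts any
    // certificate for every HTTPS connection made by this process, not only this channel.
    // Using += here also attaches one more handler on every call to Execute.
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, policyErrors) => true;
    return Channel.Execute(message);
}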

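If the client does not ignore validation of the server certificate, the root certificate of the server's certificate must be installed on the client.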
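A narrower alternative to the accept-everything callback in section 3, given as an added example that is not code from the original post: the binding mode is chosen from the endpoint URI's scheme, as section 1 describes, and the callback only tolerates validation errors for one named host whose certificate hash matches a pinned value. It assumes .NET Framework, where WCF passes the HttpWebRequest as sender; the class name, the host name and the hash placeholder are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

internal static class PinnedAtomClient // hypothetical helper, not from the original post
{
    // Placeholders: the service host and the SHA-256 hash (hex) of its certificate.
    private const string PinnedHost = "atom.example.internal";
    private const string PinnedSha256 = "<SHA-256-OF-SERVER-CERTIFICATE-HEX>";

    // Choose Transport for https:// endpoints and None for http:// endpoints.
    internal static BasicHttpBinding CreateBinding(Uri endpoint)
    {
        bool isHttps = string.Equals(endpoint.Scheme, Uri.UriSchemeHttps,
                                     StringComparison.OrdinalIgnoreCase);
        return new BasicHttpBinding(isHttps ? BasicHttpSecurityMode.Transport
                                            : BasicHttpSecurityMode.None);
    }

    // Call once at startup, not per request. Assignment replaces any existing callback.
    internal static void Register()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    internal static bool Validate(object sender, X509Certificate certificate,
                                  X509Chain chain, SslPolicyErrors errors)
    {
        // Normal chain and host name validation succeeded: nothing to override.
        if (errors == SslPolicyErrors.None) return true;
        if (certificate == null) return false;

        // Only the pinned host may fail normal validation; everything else is rejected.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, PinnedHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // Compare the SHA-256 hash of the presented certificate with the pinned value.
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter.ToString(sha.ComputeHash(certificate.GetRawCertData()))
                                        .Replace("-", "");
            return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

A pinned certificate is accepted even when it is expired or untrusted, so the pinned hash has to be updated whenever the server certificate is replaced.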

