WCF;时钟偏移--忽略自定义绑定配置
本文关键字:自定义 绑定 配置 时钟 WCF | 更新日期: 2023-09-27 17:59:40
我们的客户也面临着同样困扰许多其他人的时钟偏移问题。
这些页面中的答案和进一步的网络搜索帮助很大,但我面临着另一个问题。
在本地计算机上调试时,我可以看到绑定的属性设置正确。但由于我不能在本地测试代码(我只有一个时钟),我必须将服务发布到测试服务器。然而,当我使用偏斜的时钟连接到服务时,我仍然会收到MessageSecurityException
s。
我的第一个想法是,绑定在创建后会被修改,但我和这个项目的一位同事都确认,绑定只创建了一次,之后就不会被修改了。
我显然做错了[TM]。如果有人能澄清此事,我将不胜感激。提前谢谢。
这是创建绑定的代码:
WSHttpBinding binding = new WSHttpBinding();
binding.Security.Mode = SecurityMode.TransportWithMessageCredential;
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
// ... blah blah ...
// fix ongoing security
sbe.LocalClientSettings.DetectReplays = false;
sbe.LocalClientSettings.MaxClockSkew = TimeSpan.MaxValue;
sbe.LocalClientSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
sbe.LocalServiceSettings.DetectReplays = false;
sbe.LocalServiceSettings.MaxClockSkew = TimeSpan.MaxValue;
sbe.LocalServiceSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
// fix bootstrap security
SecureConversationSecurityTokenParameters sct = null;
if (sbe is SymmetricSecurityBindingElement)
{
SecurityTokenParameters tokenParameters =
((SymmetricSecurityBindingElement)sbe).ProtectionTokenParameters;
if (tokenParameters is SecureConversationSecurityTokenParameters)
{
sct = tokenParameters as SecureConversationSecurityTokenParameters;
}
}
else if (sbe is TransportSecurityBindingElement)
{
sct = sbe.EndpointSupportingTokenParameters
.Endorsing
.OfType<SecureConversationSecurityTokenParameters>()
.FirstOrDefault();
}
else
{
throw new ArgumentException("Binding has neiter a " +
"SymmetricSecurityBindingElement nor " +
"TransportSecurityBindingElement");
}
SecurityBindingElement bootbe = sct.BootstrapSecurityBindingElement;
bootbe.LocalClientSettings.DetectReplays = false;
bootbe.LocalClientSettings.MaxClockSkew = TimeSpan.MaxValue;
bootbe.LocalClientSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
bootbe.LocalServiceSettings.DetectReplays = false;
bootbe.LocalServiceSettings.MaxClockSkew = TimeSpan.MaxValue;
bootbe.LocalServiceSettings.SessionKeyRenewalInterval = TimeSpan.MaxValue;
这是我在服务跟踪日志中收到的异常的调用堆栈:
System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext requestContext, TimeSpan timeout)
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
System.Runtime.InputQueue`1.Dispatch()
System.Runtime.ActionItem.DefaultActionItem.Invoke()
System.Runtime.ActionItem.CallbackHelper.InvokeWithoutContext(Object state)
System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
如果您的消息因服务器和客户端上的时间差异超过时钟偏移设置而被拒绝,则您应该收到一个MessageSecurityException
。根据你的描述,我认为你所看到的是人们所期望的。
根据微软的说法,返回MessageSecurityException
而不是更具体的原因是因为
安全异常可能会暴露一些非常敏感的信息对此,我们决定不公开来自安全层的任何细节。例如,您提到的时钟偏移问题,当在故障异常中暴露,将为攻击者提供时钟扭曲服务的设置,并提供信息来制作更多特定攻击。