<message> of <wsHttpBinding>

Defines settings for message-level security of the <wsHttpBinding>.

<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding>
          <security>
            <message>

Syntax

<message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"
         clientCredentialType="Certificate/IssuedToken/None/UserName/Windows"
         establishSecurityContext="Boolean"
         negotiateServiceCredential="Boolean" />

Type

NonDualMessageSecurityOverHttp

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute: algorithmSuite
    Sets the message encryption and key-wrap algorithms. The algorithms and the key sizes are determined by the SecurityAlgorithmSuite class. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification.

    The default value is Basic256.

Attribute: clientCredentialType
    Optional. Specifies the type of credential to be used when performing client authentication while the security mode is Message or TransportWithMessageCredential. See the enumeration values below. The default is Windows.

    This attribute is of type MessageCredentialType.

Attribute: establishSecurityContext
    A Boolean value that determines whether the security channel establishes a secure session. A secure session establishes a Security Context Token (SCT) before exchanging the application messages. When the SCT is established, the security channel offers an ISession interface to the upper channels. For more information about using secure sessions, see How to: Create a Secure Session.

    The default value is true.

Attribute: negotiateServiceCredential
    Optional. A Boolean value that specifies whether the service credential is provisioned at the client out of band, or is obtained by the client from the service through a process of negotiation. Such a negotiation is a precursor to the usual message exchange.

    If the clientCredentialType attribute is None, UserName, or Certificate, setting this attribute to false implies that the service certificate is available at the client out of band and that the client needs to specify the service certificate (using the <serviceCertificate> element) in the <serviceCredentials> service behavior. This mode is interoperable with SOAP stacks that implement WS-Trust and WS-SecureConversation.

    If the clientCredentialType attribute is set to Windows, setting this attribute to false specifies Kerberos-based authentication. This means that the client and service must be part of the same Kerberos domain. This mode is interoperable with SOAP stacks that implement the Kerberos token profile (as defined at OASIS WSS TC) as well as WS-Trust and WS-SecureConversation.

    When this attribute is true, it causes a .NET SOAP negotiation that tunnels the SPNego exchange over SOAP messages.

    The default is true.

algorithmSuite Attribute

Value: Description

Basic128: Use Basic128 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic192: Use Basic192 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic256: Use Basic256 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic256Rsa15: Use Basic256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
Basic192Rsa15: Use Basic192 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
TripleDes: Use TripleDes encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic128Rsa15: Use Basic128 for message encryption, Sha1 for message digest, and Rsa15 for key wrap.
TripleDesRsa15: Use TripleDes encryption, Sha1 for message digest, and Rsa15 for key wrap.
Basic128Sha256: Use Basic128 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic192Sha256: Use Basic192 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic256Sha256: Use Basic256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
TripleDesSha256: Use TripleDes for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap.
Basic128Sha256Rsa15: Use Basic128 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
Basic192Sha256Rsa15: Use Basic192 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
Basic256Sha256Rsa15: Use Basic256 for message encryption, Sha256 for message digest, and Rsa15 for key wrap.
TripleDesSha256Rsa15: Use TripleDes for message encryption, Sha256 for message digest, and Rsa15 for key wrap.

clientCredentialType Attribute

Value: Description

None: Allows the service to interact with anonymous clients. On the service side, this indicates that the service does not require any client credential. On the client, this indicates that the client does not provide any client credential.
Certificate: Allows the service to require that the client be authenticated using a certificate. If message security mode is used and the negotiateServiceCredential attribute is set to false, the client needs to be provisioned with the service certificate.
IssuedToken: Specifies a custom token, usually issued by a Security Token Service.
UserName: Allows the service to require that the client be authenticated using a UserName credential. WCF does not support sending a password digest or deriving keys from the password and using such keys for message security. As such, WCF enforces that the transport is secured when using UserName credentials. This credential mode results in either an interoperable exchange or a non-interoperable negotiation, depending on the negotiateServiceCredential attribute.
Windows: Allows the SOAP exchanges to be under the authenticated context of a Windows credential. If the negotiateServiceCredential attribute is set to true, this performs either an SSPI negotiation or Kerberos (an interoperable standard).
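The following configuration is an added example, not taken from the original page or from the WCF documentation set. It puts the attributes above together: a wsHttpBinding with message security, certificate client credentials, negotiateServiceCredential="false" (so the service certificate must be provisioned at the client out of band, as the negotiateServiceCredential attribute description requires) and an algorithmSuite that selects Sha256 digests and Rsa-oaep-mgf1p key wrap instead of the Basic256 default's Sha1. The service and client sections are shown in one file for brevity; in practice they live in the service's and the client's own app.config. Service name, contract name, addresses and certificate subject names are placeholders.

```xml
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <!-- Shared binding configuration: both sides must agree on these settings. -->
        <binding name="msgSecCertBinding">
          <security mode="Message">
            <!-- Certificate: the client proves its identity with an X.509 certificate.
                 negotiateServiceCredential="false": no WS-Trust negotiation to fetch the
                 service certificate; the client must already hold it (see clientCredentials below).
                 algorithmSuite="Basic256Sha256": AES-256, SHA-256 digest, RSA-OAEP key wrap. -->
            <message clientCredentialType="Certificate"
                     algorithmSuite="Basic256Sha256"
                     negotiateServiceCredential="false"
                     establishSecurityContext="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>

    <!-- Service side (placeholder names). -->
    <services>
      <service name="Example.OrderService" behaviorConfiguration="orderServiceBehavior">
        <endpoint address="http://localhost:8000/OrderService"
                  binding="wsHttpBinding"
                  bindingConfiguration="msgSecCertBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>

    <!-- Client side (placeholder names). The <identity> tells the client which service
         certificate subject to expect; the <serviceCertificate> under <clientCredentials>
         is the out-of-band provisioning that negotiateServiceCredential="false" relies on. -->
    <client>
      <endpoint address="http://localhost:8000/OrderService"
                binding="wsHttpBinding"
                bindingConfiguration="msgSecCertBinding"
                contract="Example.IOrderService"
                behaviorConfiguration="orderClientBehavior">
        <identity>
          <dns value="OrderServiceCert" />
        </identity>
      </endpoint>
    </client>

    <behaviors>
      <serviceBehaviors>
        <behavior name="orderServiceBehavior">
          <serviceCredentials>
            <!-- The service's own certificate, used to sign/encrypt at the message level. -->
            <serviceCertificate findValue="OrderServiceCert"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
            <!-- How the service validates the client certificates it receives:
                 require a trusted chain and check revocation online. -->
            <clientCertificate>
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="orderClientBehavior">
          <clientCredentials>
            <!-- The certificate the client presents (clientCredentialType="Certificate"). -->
            <clientCertificate findValue="OrderClientCert"
                               storeLocation="CurrentUser"
                               storeName="My"
                               x509FindType="FindBySubjectName" />
            <!-- The service certificate, provisioned out of band because
                 negotiateServiceCredential="false" disables fetching it by negotiation. -->
            <serviceCertificate>
              <defaultCertificate findValue="OrderServiceCert"
                                  storeLocation="CurrentUser"
                                  storeName="TrustedPeople"
                                  x509FindType="FindBySubjectName" />
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

Two points to check when reviewing a configuration like this: if negotiateServiceCredential is left at its default of true, the client-side <serviceCertificate> is no longer required and the service certificate is obtained through the SOAP negotiation described above, which is the setting to look for when a deployment unexpectedly "just works" without provisioning; and the binding configuration must be identical on both sides, since a mismatch in algorithmSuite or clientCredentialType fails at the message-security layer rather than at transport setup.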

Child Elements

None

Parent Elements

Element: Description

<security>: Defines the security settings for a <wsHttpBinding>.

See also