<security> of <customBinding>

Specifies the security options for a custom binding.

<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding>
          <security>

Syntax

<security allowSerializedSigningTokenOnReply="Boolean"
          authenticationMode="AuthenticationMode"
          defaultAlgorithmSuite="SecurityAlgorithmSuite"
          includeTimestamp="Boolean"
          keyEntropyMode="ClientEntropy/ServerEntropy/CombinedEntropy"
          messageProtectionOrder="SignBeforeEncrypt/SignBeforeEncryptAndEncryptSignature/EncryptBeforeSign"
          messageSecurityVersion="WSSecurityJan2004/WSSecurityXXX2005"
          requireDerivedKeys="Boolean"
          requireSecurityContextCancellation="Boolean"
          requireSignatureConfirmation="Boolean"
          securityHeaderLayout="Strict/Lax/LaxTimestampFirst/LaxTimestampLast">
  <issuedTokenParameters />
  <localClientSettings />
  <localServiceSettings />
  <secureConversationBootstrap />
</security>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

| Attribute | Description |
|---|---|
| allowSerializedSigningTokenOnReply | Optional. A Boolean value that specifies if a serialized token can be used on reply. The default value is false. When using a dual binding, the setting defaults to true and any setting made will be ignored. |
| authenticationMode | Optional. Specifies the authentication mode used between the initiator and the responder. See the authenticationMode Attribute table below for all values. The default is sspiNegotiated. |
| defaultAlgorithmSuite | Optional. Sets the message encryption and key-wrap algorithms. The algorithms and the key sizes are determined by the SecurityAlgorithmSuite class. These algorithms map to those specified in the Security Policy Language (WS-SecurityPolicy) specification. Possible values are listed in the defaultAlgorithmSuite Attribute table below; the default value is Basic256. This attribute is used when working with a different platform that opts for a set of algorithms different than the default. You should be aware of the strengths and weaknesses of the relevant algorithms when making modifications to this setting. This attribute is of type SecurityAlgorithmSuite. |
| includeTimestamp | A Boolean value that specifies whether time stamps are included in each message. The default is true. |
| keyEntropyMode | Specifies the way that keys for securing messages are computed. Keys can be based on the client key material only, on the service key material only, or on a combination of both. Valid values are: ClientEntropy (the session key is based on key data provided by the client); ServerEntropy (the session key is based on key data provided by the server); CombinedEntropy (the session key is based on key data provided by both the client and the service). The default is CombinedEntropy. This attribute is of type SecurityKeyEntropyMode. |
| messageProtectionOrder | Sets the order in which message-level security algorithms are applied to the message. Valid values are: SignBeforeEncrypt (sign first, then encrypt); SignBeforeEncryptAndEncryptSignature (sign first, encrypt, then encrypt the signature); EncryptBeforeSign (encrypt first, then sign). The default value depends on the version of WS-Security being used: SignBeforeEncryptAndEncryptSignature with WS-Security 1.1, SignBeforeEncrypt with WS-Security 1.0. This attribute is of type MessageProtectionOrder. |
| messageSecurityVersion | Optional. Sets the version of WS-Security that is used. Valid values are: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11; WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10; WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10. The default is WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11, which can be expressed in the XML simply as Default. This attribute is of type MessageSecurityVersion. |
| requireDerivedKeys | A Boolean value that specifies if keys can be derived from the original proof keys. The default is true. |
| requireSecurityContextCancellation | Optional. A Boolean value that specifies if the security context should be cancelled and terminated when it is no longer needed. The default is true. |
| requireSignatureConfirmation | Optional. A Boolean value that specifies whether WS-Security signature confirmation is enabled. When set to true, message signatures are confirmed by the responder. When the custom binding is configured for mutual certificates or to use issued tokens (WSS 1.1 bindings), this attribute defaults to true; otherwise, the default is false. Signature confirmation is used to confirm that the service is responding in full awareness of a request. |
| securityHeaderLayout | Optional. Specifies the ordering of the elements in the security header. Valid values are: Strict (items are added to the security header according to the general principle of "declare before use"); Lax (items are added to the security header in any order that conforms to WSS: SOAP Message Security); LaxTimestampFirst (as Lax, except that the first element in the security header must be a wsse:Timestamp element); LaxTimestampLast (as Lax, except that the last element in the security header must be a wsse:Timestamp element). The default is Strict. This attribute is of type SecurityHeaderLayout. |

authenticationMode Attribute

| Value | Description |
|---|---|
| String | One of: AnonymousForCertificate, AnonymousForSslNegotiated, CertificateOverTransport, IssuedToken, IssuedTokenForCertificate, IssuedTokenForSslNegotiated, IssuedTokenOverTransport, Kerberos, KerberosOverTransport, MutualCertificate, MutualCertificateDuplex, MutualSslNegotiated, SecureConversation, SspiNegotiated, UserNameForCertificate, UserNameForSslNegotiated, UserNameOverTransport, SspiNegotiatedOverTransport |

defaultAlgorithmSuite Attribute

| Value | Description |
|---|---|
| Basic128 | Use Aes128 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic192 | Use Aes192 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic256 | Use Aes256 encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic256Rsa15 | Use Aes256 for message encryption, Sha1 for message digest, and Rsa15 for key wrap. |
| Basic192Rsa15 | Use Aes192 for message encryption, Sha1 for message digest, and Rsa15 for key wrap. |
| TripleDes | Use TripleDes encryption, Sha1 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic128Rsa15 | Use Aes128 for message encryption, Sha1 for message digest, and Rsa15 for key wrap. |
| TripleDesRsa15 | Use TripleDes encryption, Sha1 for message digest, and Rsa15 for key wrap. |
| Basic128Sha256 | Use Aes128 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic192Sha256 | Use Aes192 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic256Sha256 | Use Aes256 for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| TripleDesSha256 | Use TripleDes for message encryption, Sha256 for message digest, and Rsa-oaep-mgf1p for key wrap. |
| Basic128Sha256Rsa15 | Use Aes128 for message encryption, Sha256 for message digest, and Rsa15 for key wrap. |
| Basic192Sha256Rsa15 | Use Aes192 for message encryption, Sha256 for message digest, and Rsa15 for key wrap. |
| Basic256Sha256Rsa15 | Use Aes256 for message encryption, Sha256 for message digest, and Rsa15 for key wrap. |
| TripleDesSha256Rsa15 | Use TripleDes for message encryption, Sha256 for message digest, and Rsa15 for key wrap. |

Child Elements

| Element | Description |
|---|---|
| <issuedTokenParameters> | Specifies a current issued token. This element is of type IssuedTokenParametersElement. |
| <localClientSettings> | Specifies the security settings of a local client for this binding. This element is of type LocalClientSecuritySettingsElement. |
| <localServiceSettings> | Specifies the security settings of a local service for this binding. This element is of type LocalServiceSecuritySettingsElement. |
| <secureConversationBootstrap> | Specifies the default values used for initiating a secure conversation service. |

Parent Elements

| Element | Description |
|---|---|
| <binding> | Defines all binding capabilities of the custom binding. |

Remarks

For more information about using this element, see SecurityBindingElement Authentication Modes and How to: Create a Custom Binding Using the SecurityBindingElement.

Example

The following example demonstrates how to configure security using a custom binding. It shows how to use a custom binding to enable message-level security together with a secure transport. This is useful when a secure transport is required to transmit the messages between client and service and, at the same time, the messages must be secured at the message level. This configuration is not supported by the system-provided bindings.

The service configuration defines a custom binding that supports TCP communication protected by the TLS/SSL protocol together with Windows message security. The custom binding uses a service certificate to authenticate the service at the transport level and to protect the messages during transmission between client and service. This is accomplished by the <sslStreamSecurity> binding element. The service's certificate is configured using a service behavior.

Additionally, the custom binding uses message security with the Windows credential type (the default credential type). This is accomplished by the security binding element. Both client and service are authenticated using message-level security if the Kerberos authentication mechanism is available. If the Kerberos authentication mechanism is not available, NTLM authentication is used. NTLM authenticates the client to the service but does not authenticate the service to the client. The security binding element is configured with the SecureConversation authentication mode, which results in the creation of a security session on both the client and the service. This is required for the service's duplex contract to work. For more information on running this example, see Custom Binding Security.

<configuration>
  <system.serviceModel>
    <services>
      <service name="Microsoft.ServiceModel.Samples.CalculatorService"
               behaviorConfiguration="CalculatorServiceBehavior">
        <host>
          <baseAddresses>
            <!-- use following base address -->
            <add baseAddress="net.tcp://localhost:8000/ServiceModelSamples/Service"/>
          </baseAddresses>
        </host>
        <endpoint address=""
                  binding="customBinding"
                  bindingConfiguration="Binding1"
                  contract="Microsoft.ServiceModel.Samples.ICalculatorDuplex" />
        <!-- the mex endpoint is exposed at net.tcp://localhost:8000/ServiceModelSamples/service/mex -->
        <endpoint address="mex"
                  binding="mexTcpBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <!-- configure a custom binding -->
      <customBinding>
        <binding name="Binding1">
          <security authenticationMode="SecureConversation"
                    requireSecurityContextCancellation="true">
          </security>
          <textMessageEncoding messageVersion="Soap12WSAddressing10"
                               writeEncoding="utf-8" />
          <sslStreamSecurity requireClientCertificate="false" />
          <tcpTransport />
        </binding>
      </customBinding>
    </bindings>
    <!--For debugging purposes set the includeExceptionDetailInFaults attribute to true-->
    <behaviors>
      <serviceBehaviors>
        <behavior name="CalculatorServiceBehavior">
          <serviceMetadata />
          <serviceDebug includeExceptionDetailInFaults="False" />
          <serviceCredentials>
            <serviceCertificate findValue="localhost"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindBySubjectName" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
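As an added example (not part of this page and not WCF code), the following Python script reads the `<customBinding>` sections of a configuration file, fills in the documented defaults from the attribute table above, including the two defaults that depend on other settings (messageProtectionOrder on the WS-Security version, requireSignatureConfirmation on the authentication mode), and lists the settings a reviewer would want to look at. The first binding in the embedded configuration is the one from the example above; the second (`LegacyBinding`) is constructed for this example to exercise the WS-Security 1.0 defaults. Reading "mutual certificates or issued tokens" as the `MutualCertificate*` and `IssuedToken*` authentication modes is an assumption made here.

```python
"""Audit the <security> element of each WCF customBinding in a config file.

Added example for this page (not WCF code): fills in the documented defaults,
then lists the settings a reviewer should look at.
"""
import xml.etree.ElementTree as ET

# Defaults documented in the attribute table for <security> of <customBinding>.
STATIC_DEFAULTS = {
    "allowSerializedSigningTokenOnReply": "false",
    "authenticationMode": "SspiNegotiated",
    "defaultAlgorithmSuite": "Basic256",
    "includeTimestamp": "true",
    "keyEntropyMode": "CombinedEntropy",
    "requireDerivedKeys": "true",
    "requireSecurityContextCancellation": "true",
    "securityHeaderLayout": "Strict",
}
# What "Default" expands to for messageSecurityVersion.
DEFAULT_VERSION = ("WSSecurity11WSTrustFebruary2005"
                   "WSSecureConversationFebruary2005WSSecurityPolicy11")


def resolve_security(attrs):
    """Return the effective settings: explicit attributes plus defaults,
    including the two defaults that depend on other settings."""
    eff = dict(STATIC_DEFAULTS)
    eff.update(attrs)
    version = eff.get("messageSecurityVersion", "Default")
    if version == "Default":
        version = DEFAULT_VERSION
    eff["messageSecurityVersion"] = version
    wss11 = version.startswith("WSSecurity11")
    # messageProtectionOrder defaults by WS-Security version.
    eff.setdefault("messageProtectionOrder",
                   "SignBeforeEncryptAndEncryptSignature" if wss11
                   else "SignBeforeEncrypt")
    # requireSignatureConfirmation defaults to true for mutual-certificate or
    # issued-token configurations under WSS 1.1. Assumption: those phrases map
    # to the MutualCertificate* and IssuedToken* authenticationMode values.
    if "requireSignatureConfirmation" not in eff:
        mode = eff["authenticationMode"]
        cert_or_issued = mode.startswith(("MutualCertificate", "IssuedToken"))
        eff["requireSignatureConfirmation"] = (
            "true" if wss11 and cert_or_issued else "false")
    return eff


def review(eff):
    """Findings a reviewer would raise on the effective settings."""
    findings = []
    suite = eff["defaultAlgorithmSuite"]
    if suite.startswith("TripleDes"):
        findings.append("defaultAlgorithmSuite uses TripleDes; prefer an AES (Basic*) suite")
    if suite.endswith("Rsa15"):
        findings.append("defaultAlgorithmSuite uses Rsa15 key wrap; prefer Rsa-oaep-mgf1p")
    if "Sha256" not in suite:
        findings.append("defaultAlgorithmSuite uses Sha1 digests; prefer a *Sha256 suite")
    if eff["includeTimestamp"].lower() != "true":
        findings.append("includeTimestamp is false; messages carry no timestamp")
    if eff["securityHeaderLayout"] != "Strict":
        findings.append("securityHeaderLayout is %s; Strict is the default"
                        % eff["securityHeaderLayout"])
    if eff["requireSecurityContextCancellation"].lower() != "true":
        findings.append("requireSecurityContextCancellation is false; "
                        "contexts are not terminated when no longer needed")
    return findings


def audit_config(xml_text):
    """Map each customBinding name to (effective settings, findings)."""
    root = ET.fromstring(xml_text)
    results = {}
    for custom in root.iter("customBinding"):
        for binding in custom.findall("binding"):
            sec = binding.find("security")
            attrs = dict(sec.attrib) if sec is not None else {}
            eff = resolve_security(attrs)
            results[binding.get("name", "")] = (eff, review(eff))
    return results


# Constructed sample: Binding1 is the binding from the page's example;
# LegacyBinding is made up here to exercise the WS-Security 1.0 defaults.
SAMPLE_CONFIG = """<configuration>
  <system.serviceModel>
    <bindings>
      <customBinding>
        <binding name="Binding1">
          <security authenticationMode="SecureConversation"
                    requireSecurityContextCancellation="true" />
          <textMessageEncoding messageVersion="Soap12WSAddressing10" />
          <sslStreamSecurity requireClientCertificate="false" />
          <tcpTransport />
        </binding>
        <binding name="LegacyBinding">
          <security authenticationMode="MutualCertificate"
                    messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
                    defaultAlgorithmSuite="TripleDesRsa15"
                    includeTimestamp="false" />
          <httpTransport />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""

if __name__ == "__main__":
    for name, (eff, findings) in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", eff["messageProtectionOrder"], eff["requireSignatureConfirmation"])
        for f in findings:
            print("   -", f)
```

Run against a real configuration by passing the file contents to `audit_config`; the resolved dictionary is also useful on its own, because most of what a binding actually does (protection order, signature confirmation, header layout) is never written in the XML and is only visible once the defaults are applied.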

See also