
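WCF (WS-Trust): System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize denies access to Java clients

Stack Overflow user
Asked on 2016-01-01 02:58:29
1 answer, 878 views, 0 followers, 0 votes

I am creating an active STS that authenticates RSTs using issued tokens (SAML1, SAML2) and issues BinarySecurityTokens. This works fine for .NET clients. However, requests from the client (code, SOAP, etc.) get the following exception -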

<ExceptionType>System.ServiceModel.FaultException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Access is denied.</Message>
       at System.ServiceModel.Dispatcher.AuthorizationBehavior.Authorize(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage11(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
       at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
       at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
       at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
       at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult result)
       at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
       at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
       at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)...

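I suspect the problem is with the serviceAuthorization of the binding. However, I could not find any documentation on configuring authorization for claims-based authentication. Here is my configuration. Behaviors -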

<serviceBehaviors>
  <behavior name="">
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    <serviceDebug includeExceptionDetailInFaults="true" />
  </behavior>
  <behavior name="WSTrustServiceBehaviour">
    <serviceCredentials useIdentityConfiguration="true" identityConfiguration="STSIDConfig">
      <issuedTokenAuthentication audienceUriMode="Never" certificateValidationMode="None">
      </issuedTokenAuthentication>
    </serviceCredentials>
    <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
    <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
    <serviceDebug includeExceptionDetailInFaults="true" />
    <serviceAuthorization principalPermissionMode="Always" />
  </behavior>
</serviceBehaviors>

Binding -

<ws2007FederationHttpBinding>
  <clear/>
  <binding name="WS2007FedttpBinding">
    <security mode="TransportWithMessageCredential">
      <message establishSecurityContext="false" issuedKeyType="BearerKey">
      </message>
    </security>
  </binding>
</ws2007FederationHttpBinding>

Service -

<service behaviorConfiguration="WSTrustServiceBehaviour" name="CustomSTS">
    <endpoint name="WSTrust13HttpEndpoint" address="" binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FedttpBinding" contract="System.ServiceModel.Security.IWSTrust13SyncContract" />
    <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>

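Please let me know what is missing.

1 Answer

Stack Overflow user

Accepted answer

Posted on 2016-01-04 16:14:38

ws2007FederationHttpBinding seems to require the RST to have WS-Addressing headers, and since the requests from the Java client were missing the WS-Addressing headers, the access denied error occurred. I did not find an option to disable WS-Addressing for ws2007FederationHttpBinding, so for now we have asked the clients to add the WS-Addressing headers.

Votes: 0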
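
The accepted answer attributes the fault to WS-Addressing headers missing from the RST. As an added example (not part of the original post or of WCF), this Python script checks a captured SOAP 1.2 request for those headers before it is sent to the STS. The choice of headers (Action and MessageID as required, To as recommended), the sample envelopes, and the endpoint URL are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSA10 = "http://www.w3.org/2005/08/addressing"
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"

# Assumption: WS-Addressing 1.0 makes Action mandatory and MessageID required
# when a reply is expected; To falls back to the anonymous URI when absent.
REQUIRED = ("Action", "MessageID")
RECOMMENDED = ("To",)


def missing_wsa_headers(envelope_xml):
    """Return (missing_required, missing_recommended) WS-Addressing header names."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12}}}Header")
    present = set()
    for child in (header if header is not None else []):
        ns, _, local = child.tag[1:].partition("}")
        # Count a header only if it is in the WS-Addressing 1.0 namespace
        # and carries a non-empty value.
        if ns == WSA10 and (child.text or "").strip():
            present.add(local)
    return ([h for h in REQUIRED if h not in present],
            [h for h in RECOMMENDED if h not in present])


def envelope(headers):
    """Build a constructed WS-Trust 1.3 Issue request with the given header XML."""
    return (f'<s:Envelope xmlns:s="{SOAP12}" xmlns:a="{WSA10}">'
            f"<s:Header>{headers}</s:Header>"
            f'<s:Body><t:RequestSecurityToken xmlns:t="{WST13}">'
            f"<t:RequestType>{WST13}/Issue</t:RequestType>"
            "</t:RequestSecurityToken></s:Body></s:Envelope>")


# Constructed samples: a request without addressing headers (the failing case
# described in the answer) and one that carries them.
WITHOUT_WSA = envelope("")
WITH_WSA = envelope(
    f"<a:Action>{WST13}/RST/Issue</a:Action>"
    "<a:MessageID>urn:uuid:00000000-0000-0000-0000-000000000001</a:MessageID>"
    "<a:To>https://sts.example.test/CustomSTS.svc</a:To>"  # placeholder endpoint
)

if __name__ == "__main__":
    for name, xml in (("without WS-Addressing", WITHOUT_WSA), ("with WS-Addressing", WITH_WSA)):
        required, recommended = missing_wsa_headers(xml)
        print(f"{name}: missing required={required} recommended={recommended}")
```
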
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/34553203
