The article "How to use SvcConfigEditor.exe to edit a WCF service configuration file (part 1)" showed how to use the tool to do the simple configuration needed to publish a WCF service.
This article continues from there and covers the more advanced configuration: certificates, binding behaviors, service behaviors and so on.
1. Configuring the base address
If the WCF service is published through a ServiceHost, a base address must be configured for it. Of course, if the service is hosted in IIS there is no base address to configure.
The steps are as follows:
Go to Services -> select the ServiceType you want to publish -> select Host, then click the New... button at the bottom right. The Base Address Editor dialog pops up; enter the base address there, as shown in the figure below.
As introduced earlier, there are many base address schemes, for example http, https, net.tcp, net.msmq and net.pipe, and the scheme must be chosen to match the endpoint's binding protocol. Take the net.tcp://... address written in the figure: only an endpoint that uses the netTcpBinding binding can match that base address.
2. Service behavior settings (including advanced settings such as authentication, authorization and metadata)
(For the configuration of serviceBehavior and the purpose of each element, please refer to the following MSDN article:
http://msdn.microsoft.com/en-us/library/ms788988.aspx )
Service behaviors are the most important and most difficult part of the configuration file; they cover many complex functions, which are explained one by one below.
Go to Advanced -> select Service Behaviors -> click New Service Behavior Configuration on the right. The behavior screen pops up; the default serviceBehavior name is NewBehavior, and we can rename it as we like, for example MyServiceBehavior, as shown in the figure below:
Then click Add to add elements to the ServiceBehavior. The elements inside the ServiceBehavior are what matters: the ServiceBehavior is just a container, and the elements inside it are the real treasure. The dialog that pops up is shown below:
The elements in the red box are the ones that commonly need to be configured.
2.1 Configuring serviceCredentials
After adding serviceCredentials, click into it and we see the set of elements shown in the figure below.
2.1.1 The serviceCertificate element
The purpose of the serviceCertificate element is described by Microsoft on MSDN as:
Specify an X.509 certificate that will be used to authenticate the service to clients using Message security mode. (For more details, please refer to: http://msdn.microsoft.com/en-us/library/ms731340.aspx)
The screenshot of editing this element in SvcConfigEditor is as follows:
All attributes of serviceCertificate:
Attribute | Description
---|---
findValue | A string that contains the value to search for in the X.509 certificate store. The type contained in the attribute must satisfy the requirements of the specified X509FindType. The default is an empty string.
storeLocation | Specifies the location of the X.509 certificate store that the client uses to validate the server's certificate against. Valid values include the following: The default is LocalMachine. In other words, this value specifies where on the server the X.509 certificate is kept when the client validates the server certificate; it has two values, LocalMachine and CurrentUser, and the default is LocalMachine.
storeName | Specifies the name of the X.509 certificate store to open. Valid values include the following: The default is My. This value is the name of the store the X.509 certificate is kept in; the default My is the Personal certificate store. The store name of a given certificate can be checked with the Certificates MMC snap-in, as shown in the figure:
X509FindType | Defines the type of X.509 search to be executed. Valid values include the following: The type contained in the findValue attribute must satisfy the requirements of the specified X509FindType. The default value is FindBySubjectDistinguishedName. That is, this value selects the search type used to find the X.509 certificate, and by default it is FindBySubjectDistinguishedName.
2.1.2 The clientCertificate element
Defines an X.509 certificate used to sign and encrypt messages to a client from a service in a duplex communication pattern. (For more information, please refer to http://msdn.microsoft.com/en-us/library/ms731367.aspx.) It contains two elements, authentication and certificate.
The clientCertificate configuration screenshot is shown below:
Top right is the clientCertificate -> Authentication configuration, bottom right is the clientCertificate -> Certificate configuration.
2.1.2.1 clientCertificate -> authentication
Specifies authentication behaviors for client certificates used by a service.
Attributes:
Attribute | Description
---|---
customCertificateValidatorType | Optional string. A type and assembly used to validate a custom type. This attribute must be set when certificateValidationMode is set to Custom.
certificateValidationMode | Optional enumeration. Specifies one of three modes used to validate credentials. If set to Custom, then a customCertificateValidator must also be supplied. The default is ChainTrust.
includeWindowsGroups | Optional Boolean. Specifies if Windows groups are included in the security context. Setting this attribute to true has a performance impact, as it results in a full group expansion. Set this attribute to false if you do not need to establish the list of groups a user belongs to.
mapClientCertificateToWindowsAccount | Boolean. Specifies whether the client can be mapped to a Windows identity using the certificate. Active Directory must be enabled to do this. For more information about using the Active Directory feature, see http://technet2.microsoft.com/WindowsServer/en/Library/0602148e-1a8f-4917-bb01-6fd342aba7161033.mspx.
revocationMode | Optional enumeration. One of the modes used to check for revoked certificates against a certificate revocation list (CRL). The default is Online.
trustedStoreLocation | Optional enumeration. One of the two system store locations: LocalMachine or CurrentUser. This value is used when a service certificate is negotiated to the client. Validation is performed against the Trusted People store in the specified store location. The default is CurrentUser.
2.1.2.2 clientCertificate -> certificate
Specifies an X.509 certificate used to sign and encrypt messages.
Attribute | Description
---|---
findValue | A string that contains the value to search for in the X.509 certificate store. The type contained in the attribute must satisfy the requirements of the specified X509FindType. The default is an empty string.
storeLocation | Specifies the location of the X.509 certificate store that the client uses to validate the server's certificate against. Valid values include the following: The default is LocalMachine.
storeName | Specifies the name of the X.509 certificate store to open. Valid values include the following: The default is My.
X509FindType | Defines the type of X.509 search to be executed. Valid values include the following: The type contained in the findValue attribute must satisfy the requirements of the specified X509FindType. The default value is FindBySubjectDistinguishedName.
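Putting section 1 (base address) and section 2 (MyServiceBehavior with serviceCertificate and clientCertificate -> authentication) together, this is the `<system.serviceModel>` fragment that SvcConfigEditor writes into the config file for those settings. It is a constructed example added here, not configuration from the original post; the service and contract names, the net.tcp address and the certificate subject are assumptions.

```xml
<!-- Constructed example (not from the original post). Service type, contract,
     host address and certificate subject are assumptions. -->
<system.serviceModel>
  <services>
    <service name="MyCompany.OrderService" behaviorConfiguration="MyServiceBehavior">
      <host>
        <baseAddresses>
          <!-- Section 1: net.tcp scheme, so only netTcpBinding endpoints can match it -->
          <add baseAddress="net.tcp://localhost:8080/OrderService" />
        </baseAddresses>
      </host>
      <!-- relative address, resolved against the net.tcp base address above -->
      <endpoint address="secure" binding="netTcpBinding"
                bindingConfiguration="CertMessageSecurity"
                contract="MyCompany.IOrderService" />
    </service>
  </services>
  <bindings>
    <netTcpBinding>
      <binding name="CertMessageSecurity">
        <!-- Message security mode: this is what makes serviceCertificate required -->
        <security mode="Message">
          <message clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehavior">
        <serviceMetadata />
        <serviceCredentials>
          <!-- 2.1.1: the service's own certificate, looked up in LocalMachine\My -->
          <serviceCertificate findValue="CN=orders.example.com"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- 2.1.2.1: how presented client certificates are validated. ChainTrust with
               Online revocation checking is the default; certificateValidationMode="None"
               would accept any certificate, so it does not belong on a real service. -->
          <clientCertificate>
            <authentication certificateValidationMode="ChainTrust"
                            revocationMode="Online"
                            includeWindowsGroups="false" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The attribute names are the camelCase names WCF expects in the config file (x509FindType), which is why they differ in case from the MSDN table headings above.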