Preface
====

In a recent project I needed to encrypt and digitally sign the content transferred by a Web Service. I used a SOAP extension to intercept the SOAP messages and encrypt or decrypt them, so the original program needs no code changes and the goal of secure transmission is still reached.
Idea
====

My design is as follows. The client program, through a class that inherits from SoapExtension, marks the messages that need to be encrypted and automatically adds an extended SOAP header to the SOAP message indicating whether the message is encrypted. When the server receives the SOAP message, it extracts this extended header and decides, according to the encryption status it indicates, whether to perform signature verification and decryption. When the server returns a message, it likewise decides whether the response must be encrypted and signed according to the encryption requirement obtained from the client. In this way each client decides for itself whether it needs encryption, the server automatically decrypts every message it accepts, and each client can independently choose its own security level without affecting other users.
Procedure
====

In a SoapExtension, the processing of each sent and received SOAP message is implemented by overriding its ProcessMessage method. The method's single parameter is of type SoapMessage, and it contains a Stream property that holds the SOAP message being transmitted.
Before the client sends a message (the BeforeSerialize stage), it decides according to the flag in its configuration file whether to encrypt, and adds an extended SoapHeader to the header list of the current SOAP message; this extended SoapHeader indicates whether the SOAP message to be received is encrypted and digitally signed. In the AfterSerialize stage the SOAP message is encrypted according to that indication. On the server side, in the BeforeDeserialize stage, it first obtains the extended SoapHeader object and decides based on its indication whether to decrypt the received SOAP message.
Solve
====

This scheme overlooks one thing: the SoapHeader is itself part of the SOAP message. If the entire SOAP message is encrypted, the SoapHeader cannot be read before the entire message has been decrypted, so the design cannot be implemented as described. There are two ways around this.
First, do not encrypt the entire SOAP message, but only its Body section. The drawback of this solution is that the SoapHeader is not kept confidential, so it is best not to store or transfer confidential data in the SoapHeader.
Second, encrypt the entire SOAP message and use a custom HTTP header to indicate the encryption status of the enclosed SOAP message. The drawback of this solution is that it depends on a particular transport-layer protocol. Of course, it is also possible to define a custom format in which the flag indicating the message's encryption state is placed in the message body; when the message is received, that flag is parsed first and the subsequent operations follow from it.
I adopted the second solution (using an HTTP header to identify the encryption state of the SOAP message). This ran into trouble in SoapExtension, because SoapExtension provides no opportunity or method for an extension to handle the HTTP headers of the session. SoapMessage has a ContentType (string) property that gets or sets the HTTP Content-Type of the SOAP request or response (default text/xml), and it could be used to represent the encryption state of the SOAP message, but MSDN does not recommend changing it. Using LoadRunner to inspect the SOAP messages, I found the value to be "text/xml charset=utf-8;"; after changing it to "text/xml charset=utf-8; iscryptograph=true", the character encoding of the whole SOAP message went wrong and the content received by the recipient was completely garbled. There is no such problem in .NET Framework 1.1; in .NET Framework 1.1 it is recommended to use the ContentEncoding property to carry your own identifier, but unfortunately .NET Framework 1.0 does not provide this property :-( In the end, on .NET Framework 1.0, I used configuration files on the client and the server to indicate whether the SOAP message is encrypted, but this requires keeping the flags in the client and server configurations consistent. Sigh ~
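As an added example (not code from the post), here is a C# SoapExtension that implements the final design: the encrypt/decrypt decision comes from a configuration flag that must match on client and server, the whole serialized message is protected, and the non-seekable server-side stream noted in the postscript is handled by reading it to the end instead of seeking. It uses AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC over a shared secret) in place of the post's digital signature; an RSA signature would slot in at the same point. The class name, the appSettings keys "SoapCryptoEnabled" and "SoapCryptoKey" and the key-derivation labels are assumptions, and the API names target .NET Framework 3.5 or later (Aes, HMACSHA256, ConfigurationManager); on 1.x one would substitute RijndaelManaged, HMACSHA1 and ConfigurationSettings.AppSettings.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.Cryptography;
using System.Web.Services.Protocols;

// Assumed names (not from the post): ProtectedSoapExtension and the appSettings
// keys "SoapCryptoEnabled" (true/false) and "SoapCryptoKey" (base64 shared secret).
public class ProtectedSoapExtension : SoapExtension
{
    // The flag that must be identical in client and server configuration.
    static readonly bool Enabled = string.Equals(
        ConfigurationManager.AppSettings["SoapCryptoEnabled"], "true",
        StringComparison.OrdinalIgnoreCase);
    static readonly byte[] EncKey = DeriveKey(1);  // AES-256 key
    static readonly byte[] MacKey = DeriveKey(2);  // HMAC-SHA256 key
    Stream oldStream;  // transport side, handed over by the framework
    Stream newStream;  // our buffer, which the framework (de)serializes against

    static byte[] DeriveKey(byte label)
    {
        byte[] secret = Convert.FromBase64String(
            ConfigurationManager.AppSettings["SoapCryptoKey"]);
        using (var h = new HMACSHA256(secret))      // one secret, two separate keys
            return h.ComputeHash(new[] { label });
    }

    public override object GetInitializer(Type serviceType) { return null; }
    public override object GetInitializer(LogicalMethodInfo m, SoapExtensionAttribute a) { return null; }
    public override void Initialize(object initializer) { }

    // Interpose a MemoryStream so the whole serialized message passes through us.
    public override Stream ChainStream(Stream stream)
    {
        oldStream = stream;
        newStream = new MemoryStream();
        return newStream;
    }

    public override void ProcessMessage(SoapMessage message)
    {
        if (message.Stage == SoapMessageStage.AfterSerialize)
        {
            // The framework has written the SOAP XML into newStream; protect it
            // (if configured) and push the result to the transport.
            byte[] plain = ((MemoryStream)newStream).ToArray();
            byte[] outgoing = Enabled ? Protect(plain) : plain;
            oldStream.Write(outgoing, 0, outgoing.Length);
        }
        else if (message.Stage == SoapMessageStage.BeforeDeserialize)
        {
            // The server-side oldStream reports CanSeek == false, so read it to
            // the end rather than seeking, then hand the XML back at position 0.
            byte[] incoming = ReadToEnd(oldStream);
            byte[] xml = Enabled ? Unprotect(incoming) : incoming;
            newStream.Write(xml, 0, xml.Length);
            newStream.Position = 0;
        }
    }

    static byte[] ReadToEnd(Stream s)
    {
        var ms = new MemoryStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = s.Read(buf, 0, buf.Length)) > 0) ms.Write(buf, 0, n);
        return ms.ToArray();
    }

    // Layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32) over IV || ciphertext.
    static byte[] Protect(byte[] plain)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = EncKey;
            aes.GenerateIV();                       // fresh random IV per message
            byte[] ct;
            using (var enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plain, 0, plain.Length);
            byte[] body = Concat(aes.IV, ct);
            using (var mac = new HMACSHA256(MacKey))
                return Concat(body, mac.ComputeHash(body));
        }
    }

    static byte[] Unprotect(byte[] blob)
    {
        const int IvLen = 16, TagLen = 32;
        if (blob.Length < IvLen + TagLen + 16)
            throw new CryptographicException("message too short");
        int bodyLen = blob.Length - TagLen;
        byte[] expected;
        using (var mac = new HMACSHA256(MacKey))
            expected = mac.ComputeHash(blob, 0, bodyLen);
        int diff = 0;                               // constant-time tag comparison
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[bodyLen + i];
        if (diff != 0) throw new CryptographicException("authentication failed");
        using (var aes = Aes.Create())              // verify first, decrypt second
        {
            aes.Key = EncKey;
            byte[] iv = new byte[IvLen];
            Array.Copy(blob, 0, iv, 0, IvLen);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen);
        }
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        byte[] r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }
}
```

The extension is registered on both sides in the configuration file under system.web/webServices/soapExtensionTypes with an add element naming the type and assembly; because the same class runs at the client (AfterSerialize on the request, BeforeDeserialize on the response) and at the server (the reverse), the single "SoapCryptoEnabled" flag is the consistency requirement the post ends with: if one side has it set and the other does not, the receiver either fails authentication or hands unparseable ciphertext to the deserializer.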
Postscript: The CanSeek property of the SoapMessage.Stream object differs between client and server (on the server CanSeek is false). Be careful about this; I don't understand why! Related Articles: "Safety Way: Encryption and Digital Signature"