ARC-310 Web Services Security Measures -- from WSE 3.0 to WCF

Source: download.microsoft.com/download/e/2/4/e2444062-2f23-477c-9e6d-60db... (44 pages)


Page 1: ARC-310 Web Services Security Measures -- from WSE 3.0 to WCF

Page 2: Course overview

• Understand message-level security.
• The scope of WSE 3.0, and the choice of security measures in different situations.
• Understand and use the "turnkey security scenarios"; demonstrations and programs for all turnkey security scenarios.
• Introduction to WCF.
• The transition from WSE 3.0 to WCF.

Page 3: WSE

Page 4: Trend: from object-oriented to service-oriented

Figure: three generations of distributed programming models
• Object-Oriented (1980s): Polymorphism, Encapsulation, Subclassing
• Component-Based (1990s): Interface-based, Dynamic Loading, Runtime Metadata
• Service-Oriented (2000s): Message-based, Schema+Contract, Binding via Policy

Page 5: WSE (Web Service Enhancements)

• WSE and the W3C standards: WSE 1.0, 2.0 and 3.0 are Microsoft's implementation; WSE is an add-on to the .NET Framework.
• Secure Web services across multiple intermediaries and trust domains.
• Helps developers build Service Oriented solutions today and provides a stepping stone to Indigo; already in use in enterprises.
• Features: turnkey and customizable Web services security; extends ASP.NET Web services (hosting outside of IIS, transport-independent).
• V3.0 enhancements: improved support for asynchronous messaging; SOAP v1.2 and 64-bit support; secure messaging of documents and binary data (MTOM).

Page 6: WS-* architecture

Figure: the WS-* protocol stack, bottom to top
• Transport: HTTP, TCP, SMTP, MQ
• Foundation: XML (XML, XSD, XPath); Messaging (SOAP, Addressing, MTOM, Eventing); Metadata (WSDL, Policy, Discovery, MEX)
• Applications and infrastructure: Security (Security, Trust, Secure Conversation); Reliability (Reliable Messaging); Transactions (Atomic Transaction, Coordination, Business Activity)
• Connected Applications: Management, Business Process, ...

Page 7: How WS-* standards are established

Figure: specification published → feedback → revision → standards organization (WS-I), with industry participation throughout.

Goals of coordinating the process:
• quality
• time to market
• broad industry support

Page 8: What does WSE do? The WSE layer

Figure: input SOAP message → WSE layer → application (client / service) → WSE layer → output SOAP message
• On the way in, WSE verifies the message and transforms it into the .NET object model.
• On the way out, WSE applies rules and transforms the message to meet the WS-* specifications.

Page 9: WS-Security

Page 10: Communication security: protocol-level security

Example: SSL
• The sender must trust the intermediaries (SOAP routers, dispatchers, etc.).
• The message is decrypted at each intermediary; the entire message is encrypted hop by hop.
• The usable protocols are limited.

Figure: encryption on each hop, plaintext at every intermediary.

Page 11: Communication security: message-level security

• Independent of the transport medium (HTTP, SMTP, MSMQ, WMQ, ...).
• Only parts of the message need be encrypted, for the intermediary and/or the ultimate receiver independently.
• The sender only needs to trust the ultimate receiver.
• The digital signature lives in the message header; the message content on the wire includes its own integrity protection.

Page 12: Web Services security provided by WSE 3.0

Policy: groups of rules applied to messages
• Define rules applied to outgoing messages.
• Define demands for incoming messages.
• Policy is defined in code and is also accessible declaratively.

Security turnkey scenarios
• 5 kinds of policy encapsulated into classes, covering the common situations in web services.
• Provide round-trip security.

Custom policies
• Inherit from the Policy class.

Page 13: Policy in WSE 3.0

• Policy assertions describe the requirements on messages (both incoming and outgoing).
• Security becomes a deployment-time decision.
• Simplifies security through the turnkey security assertions.
• Creates a clear division between roles.

Page 14: Policy pipeline architecture

Figure: input SOAP message → input pipeline policy (Security, Tracing, Custom, Custom) → application → output pipeline policy (Security, Tracing, Custom, Custom, ...) → output SOAP message

Policy assertions transform the message as it passes through each pipeline.

Page 15: Turnkey security scenarios

• Common security designs in the industry.
• Each scenario is represented by a policy assertion:
  UsernameOverCertificate
  AnonymousOverCertificate
  UsernameOverTransport
  Kerberos
  MutualX509

Page 16: Security turnkey scenarios

Scenario: message security / client authentication
• Kerberos (Windows): Windows domain / Windows login/password
• MutualCertificate: server's X509 certificate / client's X509 certificate
• AnonymousOverCertificate: server's X509 certificate / any user with the server's public key
• UsernameOverTransport: SSL / user login/password
• UsernameOverCertificate: server's X509 certificate / user login/password

Page 17: Several security situations

Common situations:
• Public Web service
• Intranet Web service
• Internet business-to-business
• Multiple Internet Web services

Page 18: Decision matrix

Security is not black and white. Decision matrices aligned with your requirements help support the selection of:
• Authentication model
• Client authentication type
• Message protection
• Message vs transport
• Resource access model

Page 19: Turnkey security scenario example: Username Credentials with Server Certificate for Protection

Figure: client (Internet) → server (Intranet)
• Username/password for authentication; the server verifies the username/password.
• Confidential, signed request using a client key protected with the server certificate.
• Confidential, signed response using the supplied client key.

Page 20: Direct Authentication

Context: A client needs to access a Web service. The Web service requires the client to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.

Problem: How does the Web service verify the credentials submitted by the client?

Forces:
• The credentials that the client presents to the Web service are based on shared secrets, such as passwords.
• The Web service can validate credentials from the client against an identity store.
• The Web service is relatively simple, and does not require support for capabilities such as single sign on (SSO) or support for non-repudiation.
• The client and the Web service trust one another to manage credentials securely.

Page 21: Brokered Authentication

Context: A client needs to access a Web service. The Web service requires the application to present credentials for authentication so that additional controls such as authorization and auditing can be implemented.

Problem: How does the Web service verify the credentials that are presented by the client?

Forces:
• The client accesses additional services, which results in the need for a single sign on (SSO) solution. Without a single sign on solution, the client may be forced to authenticate prior to every Web service call or cache the user's credentials within the application.
• The client and the Web service do not trust each other directly. The client and the Web service may not trust one another to manage or exchange shared secrets securely. Establishing trust directly between a client and Web service often requires out of band interactions that can hinder clients and services from interacting dynamically.
• The Web service and the identity store do not trust each other directly. The Web service may be unable to communicate with the identity store directly, because of access control restrictions, network restrictions, or organizational policy.

Page 22: Demo

Turnkey scenarios, policy cache config, client, service, strongly typed policy.

My prototype solution at the virtual server.

Page 23: Message protection: integrity and confidentiality

Threats
• Network eavesdropping leads to theft of confidential information.
• The message is altered in transit.

Weak points
• Lack of end-to-end encryption when sending SOAP messages.
• Lack of a digital signature to verify the authenticity of a SOAP message.

Measures
• Message protection patterns: Data Origin Authentication; Data Confidentiality.
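The following Python model of the message-level protection described on Page 11 and of the threats on Page 23 is an added example, not code from the presentation or from WSE 3.0. It assumes one secret shared by sender and ultimate receiver (standing in for the key material that the turnkey scenarios derive from the server certificate), uses HMAC-SHA256 in counter mode as a stand-in stream cipher, and works on a constructed request: the body is encrypted and the addressing headers, timestamp and ciphertext are signed, so a SOAP router can read the routing headers and add an unsigned Via hop while the receiver still detects tampering and replay.

```python
"""Message-level protection of a SOAP-style request (constructed example).

Assumption: sender and ultimate receiver share one secret `master`; in the
WSE 3.0 turnkey scenarios that key material comes from the server certificate
or a security token, which this toy model does not implement.
"""
import copy
import hashlib
import hmac
import json
import secrets

# Parts covered by the signature, comparable to the WSE options
# IncludeAddressing / IncludeTimestamp / IncludeSoapBody. "Via" is left
# unsigned on purpose so an intermediary may append routing hops.
SIGNED_PARTS = ("To", "Action", "Timestamp")
TIMESTAMP_TTL = 300  # seconds a Timestamp stays acceptable (replay window)

# Constructed sample request; the body is what must stay confidential.
REQUEST = {
    "header": {"To": "https://example.invalid/Orders", "Action": "SubmitOrder"},
    "body": "<SubmitOrder><Item>widget</Item><Qty>3</Qty></SubmitOrder>",
}


def derive_keys(master):
    """Split one shared secret into separate encryption and signing keys."""
    enc = hmac.new(master, b"encrypt", hashlib.sha256).digest()
    sig = hmac.new(master, b"sign", hashlib.sha256).digest()
    return enc, sig


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a stand-in stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def _signed_bytes(message):
    """Canonical bytes of the signed parts: selected headers plus the (encrypted) body."""
    parts = {k: message["header"].get(k) for k in SIGNED_PARTS}
    parts["Body"] = message["body"]
    return json.dumps(parts, sort_keys=True).encode()


def protect(message, master, now):
    """Sender: encrypt the body, then sign headers + ciphertext; the signature
    travels in the message header, as on the WS-Security slide."""
    enc_key, sig_key = derive_keys(master)
    msg = copy.deepcopy(message)
    nonce = secrets.token_bytes(16)
    plaintext = msg["body"].encode()
    msg["body"] = (nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))).hex()
    msg["header"]["Timestamp"] = now
    msg["header"]["Security"] = hmac.new(sig_key, _signed_bytes(msg), hashlib.sha256).hexdigest()
    return msg


def route(message, hop):
    """Intermediary (SOAP router): reads To/Action to forward the message and
    appends an unsigned Via hop, but holds no key and cannot read the body."""
    msg = copy.deepcopy(message)
    msg["header"].setdefault("Via", []).append(hop)
    return msg


def receive(message, master, now):
    """Ultimate receiver: verify signature and timestamp, then decrypt.
    Returns the body text, or None when the message must be rejected."""
    enc_key, sig_key = derive_keys(master)
    expected = hmac.new(sig_key, _signed_bytes(message), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["header"].get("Security", "")):
        return None  # signed part altered in transit, or signature missing
    if not 0 <= now - message["header"]["Timestamp"] <= TIMESTAMP_TTL:
        return None  # stale or replayed message
    raw = bytes.fromhex(message["body"])
    nonce, ciphertext = raw[:16], raw[16:]
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))).decode()


if __name__ == "__main__":
    master = b"constructed-shared-secret"
    sent = protect(REQUEST, master, now=1000)
    routed = route(sent, "soap-router-1")  # hop added, body still opaque
    print("router sees:", routed["header"]["Action"], routed["header"]["Via"])
    print("receiver decrypts:", receive(routed, master, now=1100))
```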

Page 24: Message integrity and encryption

C:\Workspace\CSharp\WSE\WSE3Test\WSE3Service\Trace\OutputTraceCert11.xml

Page 25: The value of WSE 3.0

Building web service security: VS2005 + WSE 3.0 = simplified WS development.
1. The concepts of message-based systems.
2. Wire-level compatibility with WCF.

WCF

Page 26: Required knowledge

X.509 certificates and Kerberos technology on Windows Server 2003.
• X.509 knowledge includes: obtaining X.509 certificates; certificate revocation; use of X.509 certificates (IPSec, SSL, WS-*).
• Kerberos knowledge includes: use of domain accounts and service principal names (SPN); troubleshooting guide.
• Introduction to Web service security interoperability: WSE 3.0 and WSE 2.0; WSE 3.0 and WCF; WSE 3.0 and other platforms.

Page 27: Unified programming model

WSE Messaging APIs remain: SoapClient, SoapService.
• They exist for compatibility.
• They offer a different programming model that is similar to what goes out on the wire (SoapEnvelope).

Page 28: Message Transmission Optimization Mechanism (MTOM)

MTOM replaces the DIME & WS-Attachments support of WSE 1.0 and 2.0.

Benefits
• Composes with WS-Security to protect the data as well as the SOAP message.
• Simplified programming model.
• Wire level: reduces message size.

Page 29: WSE 2.0, 3.0, WCF compatibility

WSE 2.0 can be used on .NET v2.0, but...
• Runtime only support, no design time support.
• 32 bit only.

Upgrading to WSE 3.0 involves breaking changes.
• Side by side compatibility for all major versions.
• Interoperability with WSE 2.0 to WSE 3.0 or Indigo is not supported.

Page 30: WCF (Indigo)

Page 31: Different technologies for different situations

Enterprises need to mix and match:
• Reliable services; reliable transport (HTTP, MSMQ, WMQ, SMTP, TCP).
• Distributed and interoperable transactions: which has DTC? Which supports DT?

Figure: distributed-systems technologies on today's Windows platform
• Services: interoperable (ASP.NET integration)
• Objects: extensible (CLR integration)
• Components: transactions (COM+ integration)
• Queuing: reliable messaging (MSMQ integration)

Page 32: WCF at a glance

Figure:
• WS-* Protocols; SOA Interop; Standardized Communication
• Attribute-Based Programming; Message-Oriented Programming; Simplified Programming Model
• Composability; Extensibility

Page 33: Windows Communication Foundation

• Microsoft's next-generation distributed-systems technology for building service-oriented applications.
• Extends the .NET Framework 2.0.
• Used with Visual Studio 2005.
• Runs on Windows XP, Windows Server 2003 and Windows Vista.

Page 34: From WSE 3.0 to WCF

• Wire-level interoperable with WCF Beta 1.
• WSE 3.0 investment is maintained: support for standard interoperable security scenarios.
• WSE turnkey security assertions == Indigo security binding elements.
• WSE 3.0 runs side-by-side with WCF; upgrade guidance will be provided from WSE 3.0 to Indigo.

Page 35: WCF architecture

Figure, top to bottom:
• Application
• Service Model: Instance Behavior, Throttling Behavior, Type Integ. Behavior, Transaction Behavior, Concurrency Behavior, Error Behavior, Metadata Behavior, ...
• Messaging: TCP Channel, HTTP Channel, Queue Channel, Secure Channel, Reliable Channel, ...; Binary Encoder, Text/XML Encoder, ...
• Hosting Environments: ASP.NET, Avalon, WinForm, NT Service, COM+, WAS

Page 36: Windows Activation Service (WAS)

Figure: HTTP.SYS, TCP Transport Listener and Named Pipes Transport Listener feed the HTTP Listener Adapter (IIS7), TCP Listener Adapter and NP Listener Adapter, which sit on top of the Windows Activation Service (WAS).

• Single activation model shared by ASP.NET, IIS7, and WCF.
• Supports multiple protocols.

Page 37: WAS/IIS7 architecture

Figure: W3SVC and the Windows Activation Service (Config Mgr, Process Mgr, HTTP Mgr) manage several application pools, each hosting several applications; listeners are HTTP.SYS, Indigo Net.TCPListener and Indigo Net.PipeListener; configuration lives in Applicationhost.config plus a Web.config per application.

IIS 7.0 architecture benefits
• Generalized process activation
• Extensible multi-protocol support
• Configurable health management
• Side by side deployment
• Unified management model
• Fully componentized

Page 38: WCF and the WS-* protocols

Figure, WCF stack:
• Activation and Hosting: WAS, Avalon, *.EXE, NT Service, COM+
• Messaging: HTTP Channel, TCP Channel, UDP Channel, X-Proc Channel, Queue Channel, SOAP Security Channel, SOAP Reliability Channel; Text/XML Encoder, Binary Encoder
• Service Runtime: Throttling Behavior, Transaction Behavior, Activation Behavior, Concurrency Behavior, Error Behavior, Metadata Behavior, Instance Behavior; Cmd/Control Facilities, Inspection Facilities
• Contracts: DataContract, MessageContract, ServiceContract, Policy and Binding
• Interoperability: Network, App, Other Stack, Application, BizTalk Adapter, WSE

Figure, WS-* Protocols:
• Assurances: WS-ReliableMessaging, WS-Coordination, WS-AtomicTransaction, WS-BusinessActivity, WS-Trust, WS-SecureConversation
• Messaging: SOAP, WS-Security, MTOM, WS-Addressing
• Metadata: WS-Policy, WSDL, UDDI, WS-MetadataExchange, XML Schema
• Infrastructure and Profiles: WS-Management, WS-Federation, Devices Profile
• Foundation: SOAP / HTTP, MIME, XML Infoset, XML 1.0, XML Namespaces

Page 39: Upgrading from WSE 3.0 to WCF

Page 40: WSE 3.0, Interop & WCF

Use WSE 3.0 for:
• ASMX & HTTP
• Turnkey security scenarios & policy
• MTOM for large file transfer (WSE 3.0)

Avoid:
• Custom transports (ESB): can be built, just not supported out of the box
• DIME for large file transfer (WSE 2.0)

Page 41: Maintain investment moving to WCF

• WCF is a new .NET API that adds transactions and reliability for services.
• Wire level compatible with WSE 3.0: WCF clients can talk to WSE 3.0 services; WSE 3.0 clients can talk to WCF services; only WSE 3.0, not WSE 1.0 and 2.0.
• API/code is not compatible: WSE 3.0 code will not compile in WCF.
• WSE 3.0 runs side by side with WCF; WSE 3.0 concepts will help you with WCF; Microsoft will provide an upgrade guide from WSE 3.0 to WCF.

Page 42: Resources

• Web Services & Other Distributed Technologies Developer Center (msdn.microsoft.com/webservices/building/wse): video presentations by the WSE team; hands on labs for messaging and security; articles on WSE 3.0.
• WSE 3.0 Security: Interoperability Considerations, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wss_appx_interopcons_wse30.asp
• Introduction to Building Windows Communication Foundation Services, Clemens Vasters, MSDN Online: http://msdn.microsoft.com/webservices/indigo/default.aspx?pull=/library/en-us/dnlong/html/introtowcf.asp

Page 43: Summary

• Message-level security.
• The scope of WSE 3.0, and the choice of security measures in different situations.
• Using the "turnkey security scenarios"; demonstrations of all turnkey security scenarios.
• Introduction to WCF.
• The transition from WSE 3.0 to WCF.

Page 44