允许的正确WCF安全实施/配置是什么:
答案 0 :(得分:2)
使用现有Windows帐户对服务进行身份验证
为此,您应将绑定配置的transport clientCredentialType
属性设置为Windows
。
<bindings>
<wsHttpBinding>
<binding>
<security mode="Message">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
允许在不提供凭据的情况下从其他项目添加服务参考
为此,请为服务端点创建mex
端点。
<services>
<service name="Services.SampleService" behaviorConfiguration="wsDefaultBehavior">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
限制可以调用服务的用户
这个更多涉及。我发现以每个用户为基础保护服务的方式需要自定义授权策略。执行授权的类必须实现IAuthorizationPolicy
接口。这是我的授权类的完整代码:
namespace Services.SampleService.Authorization
{
/// <summary>
/// Handles the default authorization for access to the service
/// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
/// </summary>
public class DefaultAuthorization: IAuthorizationPolicy
{
string _Id;
public DefaultAuthorization()
{
this._Id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
bool isAuthorized = false;
try
{
//get the identity of the authenticated user
IIdentity userIdentity = ((IIdentity)((System.Collections.Generic.List<System.Security.Principal.IIdentity>)evaluationContext.Properties["Identities"])[0]);
//verify that the user is authorized to access the service
isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault.Contains(userIdentity.Name, StringComparison.OrdinalIgnoreCase);
if (isAuthorized)
{
//add the authorized identity to the current context
GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
evaluationContext.Properties["Principal"] = principal;
}
}
catch (Exception e)
{
Logging.Log(Severity.Error, "There was an error authorizing a user", e);
isAuthorized = false;
}
return isAuthorized;
}
public ClaimSet Issuer
{
get { return ClaimSet.System; }
}
public string Id
{
get { return this._Id; }
}
}
}
“魔法”发生在Evaluate
方法中。在我的例子中,授权用户列表保存在名为ArrayOfString
的Properties.Settings变量(类型为AuthorizedUsersDefault
)中。这样,我可以维护用户列表而无需重新部署整个项目。
然后,要在每个服务的基础上使用此授权策略,请在ServiceBehaviors
节点中设置以下内容:
<behaviors>
<serviceBehaviors>
<behavior name="wsDefaultBehavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="Services.SampleService.Authorization.DefaultAuthorization, MyAssemblyName" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>
</behaviors>