使用Windows身份验证的WCF安全性

时间:2012-12-13 20:40:56

标签: wcf wcf-security

允许的正确WCF安全实施/配置是什么:

  • 使用现有Windows帐户对服务进行身份验证
  • 允许从其他项目添加服务引用而不提供 凭证
  • 限制可以调用服务的用户

1 个答案:

答案 0 :(得分:2)

使用现有Windows帐户对服务进行身份验证

为此,您应将绑定配置的transport clientCredentialType属性设置为Windows

<bindings>
   <wsHttpBinding>
      <binding>
         <security mode="Message">
            <transport clientCredentialType="Windows" />
         </security>
      </binding>
   </wsHttpBinding>
</bindings>

允许在不提供凭据的情况下从其他项目添加服务参考

为此,请为服务端点创建mex端点。

<services>
   <service name="Services.SampleService" behaviorConfiguration="wsDefaultBehavior">
      <endpoint address="mex"  binding="mexHttpBinding" contract="IMetadataExchange" />
   </service>
</services>

限制可以调用服务的用户

这个更多涉及。我发现以每个用户为基础保护服务的方式需要自定义授权策略。执行授权的类必须实现IAuthorizationPolicy接口。这是我的授权类的完整代码:

namespace Services.SampleService.Authorization
{
    /// <summary>
    /// Handles the default authorization for access to the service
    /// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
    /// </summary>
    public class DefaultAuthorization: IAuthorizationPolicy
    {

        string _Id;

        public DefaultAuthorization()
        {
            this._Id = Guid.NewGuid().ToString();
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            bool isAuthorized = false;
            try
            {
                //get the identity of the authenticated user
                IIdentity userIdentity = ((IIdentity)((System.Collections.Generic.List<System.Security.Principal.IIdentity>)evaluationContext.Properties["Identities"])[0]);
                //verify that the user is authorized to access the service
                isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault.Contains(userIdentity.Name, StringComparison.OrdinalIgnoreCase);
                if (isAuthorized)
                {
                    //add the authorized identity to the current context
                    GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
                    evaluationContext.Properties["Principal"] = principal;
                }
            }
            catch (Exception e)
            {
                Logging.Log(Severity.Error, "There was an error authorizing a user", e);
                isAuthorized = false;
            }
            return isAuthorized;
        }

        public ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return this._Id; }
        }
    }
}

“魔法”发生在Evaluate方法中。在我的例子中,授权用户列表保存在名为ArrayOfString的Properties.Settings变量(类型为AuthorizedUsersDefault)中。这样,我可以维护用户列表而无需重新部署整个项目。

然后,要在每个服务的基础上使用此授权策略,请在ServiceBehaviors节点中设置以下内容:

<behaviors>
   <serviceBehaviors>
      <behavior name="wsDefaultBehavior">
         <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
           <add policyType="Services.SampleService.Authorization.DefaultAuthorization, MyAssemblyName" />
        </authorizationPolicies>
     </serviceAuthorization>
      </behavior>
   </serviceBehaviors>
</behaviors>
相关问题
最新问题