我最近阅读了WCF安全指南,并使用它来创建一个应用程序,用户需要创建自己的帐户,然后使用邮件安全性访问应用程序。下面是我从本书到目前为止提出的web.config文件。我遇到的问题围绕用户注册。由于应用程序需要用户名/密码身份验证,因此注册新用户的方法始终失败。
我知道一种解决方法(切换到基于角色的身份验证并在具有注册权限的角色中创建单个用户,并且只是将该信息硬编码到注册方法中)但我正在寻找替代解决方案。有没有办法在操作级别声明特定方法不需要身份验证?如果没有,是否有办法公开具有不同服务合同的单独端点,并且该合同不需要身份验证?这么多的web.config文件与成员资格提供者和消息安全性有关,我有点担心,但是对于在数据库中正确注册新成员的方法,显然必须知道成员资格提供者...
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<connectionStrings>
<add name="MyLocalSQLServer"
connectionString="Initial Catalog=aspnetdb;data source=DESKTOP;Integrated Security=SSPI;"/>
</connectionStrings>
<system.web>
<authentication mode="Forms" />
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5"/>
<membership defaultProvider="MySqlMembershipProvider">
<providers>
<clear />
<add name="mySqlMembershipProvider"
connectionStringName="MyLocalSQLServer"
applicationName="Mech"
type="System.Web.Security.SqlMembershipProvider" />
</providers>
</membership>
</system.web>
<system.serviceModel>
<bindings>
<wsDualHttpBinding>
<binding name="wsDualHttpEndpointBinding">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsDualHttpBinding>
</bindings>
<services>
<service name="MechService.MechService">
<endpoint address="localhost/MechService" binding="wsDualHttpBinding" bindingConfiguration="wsDualHttpEndpointBinding"
name="wsDualHttpEndpoint" contract="MechService.IMechService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="CN=TempCert" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<add binding="basicHttpsBinding" scheme="https" />
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<!--
To browse web app root directory during debugging, set the value below to true.
Set to false before deployment to avoid disclosing web app folder information.
-->
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
这是注册新用户的功能。
public string CreateUser(String Name, String Password, String Email, String Question, String Answer)
{
MembershipCreateStatus status;
try
{
MembershipUser newUser = Membership.CreateUser(Name, Password, Email, Question, Answer, true, out status);
if (newUser == null)
{
return GetErrorMessage(status);
}
else
{
return "MECH_CODE_SUCCESS";
}
}
catch (Exception ex)
{
return ex.Message;
}
}
答案 0 :(得分:1)
您不能通过单一操作选择退出身份验证(尽管您可以选择退出授权,但这对您有帮助)。好消息是认证设置是每个端点,端点有一个合同。因此,将registerUser操作移动到新的ServiceContract,并为其创建单独的绑定,不进行身份验证。