添加[PrincipalPermission(SecurityAction.Demand,Role =“ADMIN”)]时,对象引用未设置为对象的实例

时间:2014-02-25 11:55:56

标签: c# wcf wcf-security

我有一个服务方法

  [PrincipalPermission(SecurityAction.Demand, Role = "ADMIN")]
  public UserInfo GetUserInfo(string login, string password)
  {
     logger.Debug("Getting User Info");
     return new UserInfo() {Balance = 100, UserName = "User1"};
  }

当我添加[PrincipalPermission(SecurityAction.Demand, Role = "ADMIN")]时,我开始获得Object reference not set to an instance of an object例外。

项目中使用的代码:

public class AuthorizationPolicy: IAuthorizationPolicy
{

  Guid _id = Guid.NewGuid();
  private static Logger logger = LogManager.GetCurrentClassLogger();
  // this method gets called after the authentication stage
  public bool Evaluate(EvaluationContext evaluationContext, ref object state)
  {
     logger.Debug("Evaluate");
     // get the authenticated client identity
     IIdentity client = GetClientIdentity(evaluationContext);
     // set the custom principal
     evaluationContext.Properties["Principal"] = new CustomPrincipal(client);
     logger.Debug("Evaluate end");
     return true;
  }

  public ClaimSet Issuer { get; private set; }

  private IIdentity GetClientIdentity(EvaluationContext evaluationContext)
  {
     logger.Debug("GetClientIdentity");
     object obj;
     if (!evaluationContext.Properties.TryGetValue("Identities", out obj))
        throw new Exception("No Identity found");
     IList<IIdentity> identities = obj as IList<IIdentity>;
     if (identities == null || identities.Count <= 0)
        throw new Exception("No Identity found");
     logger.Debug("GetClientIdentity end");
     return identities[0];
  }

  public string Id { get { return _id.ToString(); }
     private set { }
  }

}

和网络配置:

<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation targetFramework="4.0" debug="true"/>
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="customBehaviour">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>

          <serviceAuthorization principalPermissionMode="Custom">
            <authorizationPolicies>
              <add policyType="Beleke.Security.AuthorizationPolicy, App_Code/Security" />
            </authorizationPolicies>
          </serviceAuthorization>
          <!--Specify the Custom Authentication policy that will be used and add the policy location-->
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="Beleke.UserAuthentication,Beleke"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Beleke.BelekeService" behaviorConfiguration="customBehaviour">
        <endpoint address="http://userpc.ktcorp.local/WCFVW/BelekeService.svc"
          binding="wsHttpBinding"
          contract="Beleke.IBelekeService"/>
        <endpoint contract="IMetadataExchange"
          binding="mexHttpBinding"
          address="mex" />
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="ServiceBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <!--<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />-->
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <directoryBrowse enabled="true"/>
  </system.webServer>
  <system.web>
    <customErrors mode="Off"/>
  </system.web>
</configuration>

服务器堆栈跟踪:

   at System.ServiceModel.Channels.ServiceChannel.ThrowIfFaultUnderstood(Message reply, MessageFault fault, String action, MessageVersion version, FaultConverter faultConverter)
   at System.ServiceModel.Channels.ServiceChannel.HandleReply(ProxyOperationRuntime operation, ProxyRpc& rpc)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at TestMyService.ServiceReference1.IBelekeService.GetUserInfo(String login, String password)
   at TestMyService.ServiceReference1.BelekeServiceClient.GetUserInfo(String login, String password) in d:\beleke\branches\master\TestMyService\Service References\ServiceReference1\Reference.cs:line 213
   at TestMyService.Program.Main(String[] args) in d:\beleke\branches\master\TestMyService\Program.cs:line 39

更新

跟踪文件包含:

    2014-02-27 18:48:35.2164|DEBUG|Beleke.Security.AuthorizationPolicy|Evaluate
2014-02-27 18:48:35.2164|DEBUG|Beleke.Security.AuthorizationPolicy|GetClientIdentity
2014-02-27 18:48:35.2164|DEBUG|Beleke.Security.AuthorizationPolicy|GetClientIdentity end
2014-02-27 18:48:35.2164|DEBUG|Beleke.Security.AuthorizationPolicy|Evaluate end
2014-02-27 18:48:35.2164|DEBUG|Beleke.BelekeService|Changing balance
2014-02-27 18:48:35.2694|DEBUG|Beleke.Security.AuthorizationPolicy|Evaluate
2014-02-27 18:48:35.2694|DEBUG|Beleke.Security.AuthorizationPolicy|GetClientIdentity
2014-02-27 18:48:35.2694|DEBUG|Beleke.Security.AuthorizationPolicy|GetClientIdentity end
2014-02-27 18:48:35.2694|DEBUG|Beleke.Security.AuthorizationPolicy|Evaluate end

这是服务器端跟踪

at System.Security.Permissions.PrincipalPermission.Demand()
at System.Security.PermissionSet.DemandNonCAS()
at Beleke.BelekeService.GetUserInfo(String login, String password) in d:\beleke\branches\master\BelekeService\App_Code\BelekeService.cs:line 29
at SyncInvokeGetUserInfo(Object , Object[] , Object[] )
at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)

1 个答案:

答案 0 :(得分:1)

来自我的评论:

我在PrincipalPermission.Demand()

中查看了未编译的代码

唯一似乎可能为null的东西是你的IPrincipal.Identity。

您似乎正在使用“CustomPrincipal”...您确定其Identity属性未返回null吗?

<强>加成

未编译的代码:

public void Demand()
{
  new SecurityPermission(SecurityPermissionFlag.ControlPrincipal).Assert();
  IPrincipal currentPrincipal = Thread.CurrentPrincipal;
  if (currentPrincipal == null)
    this.ThrowSecurityException();
  if (this.m_array == null)
    return;
  int length = this.m_array.Length;
  bool flag = false;
  for (int index = 0; index < length; ++index)
  {
    if (this.m_array[index].m_authenticated)
    {
      IIdentity identity = currentPrincipal.Identity;
      if (identity.IsAuthenticated && (this.m_array[index].m_id == null || string.Compare(identity.Name, this.m_array[index].m_id, StringComparison.OrdinalIgnoreCase) == 0))
      {
        if (this.m_array[index].m_role == null)
        {
          flag = true;
        }
        else
        {
          WindowsPrincipal windowsPrincipal = currentPrincipal as WindowsPrincipal;
          flag = windowsPrincipal == null || !(this.m_array[index].Sid != (SecurityIdentifier) null) ? currentPrincipal.IsInRole(this.m_array[index].m_role) : windowsPrincipal.IsInRole(this.m_array[index].Sid);
        }
        if (flag)
          break;
      }
    }
    else
    {
      flag = true;
      break;
    }
  }
  if (flag)
    return;
  this.ThrowSecurityException();
}