我正在使用ASP.NET 4.5 Web应用程序,它使用ASP.NET身份模型进行身份验证和授权。
此Web应用程序还托管WCF服务,同时使用它。还有另一个基于WPF的应用程序将使用托管的托管WCF服务(以及作为客户端本身的Web应用程序)。
我想授权和验证每个WCF服务请求(来自Web应用程序客户端或WPF客户端)。
在理想情况下,我想使用相同的ASP.NET身份模型来验证/授权WCF操作合同。如何从Web应用程序以及WPF应用程序实现此目的?
答案 0 :(得分:5)
使用PrincipalPermissionAttribute来装饰操作实现以进行授权。
public class Service1 : IService1
{
public string GetData(int value)
{
System.Diagnostics.Debug.WriteLine("GetDataCalled");
if (value == 666)
throw new FaultException<Evil666Error>(new Evil666Error() { Message = "Hey, this is 666." });
return string.Format("You entered: {0}", value);
}
[PrincipalPermission(SecurityAction.Demand, Role="Admin")]
[PrincipalPermission(SecurityAction.Demand, Role="Customer")]
public CompositeType GetDataUsingDataContract(CompositeType composite)
{
var userName = ServiceSecurityContext.Current.PrimaryIdentity.Name;
if (composite == null)
{
throw new ArgumentNullException("composite");
}
if (composite.BoolValue)
{
composite.StringValue += "Suffix";
}
return composite;
}
}
因此第一个操作只需要身份验证,而第二个操作需要授权。
然后您需要编写自定义身份验证和授权码。
/// <summary>
/// Used in ServiceModel's ServiceBehavior for authentication of service operations.
/// </summary>
public class IdentityValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
using (var context = new WebPortalDbContext())
{
using (var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context)))
{
var user = userManager.Find(userName, password);
if (user == null)
{
var msg = String.Format("Unknown Username {0} or incorrect password {1}", userName, password);
Trace.TraceWarning(msg);
throw new FaultException(msg);//the client actually will receive MessageSecurityException. But if I throw MessageSecurityException, the runtime will give FaultException to client without clear message.
}
}
}
}
}
/// <summary>
/// Used in ServiceModel's ServiceBehavior for authorization of service operation, according to the role in PrincipalPermissionAttribute
/// </summary>
public class RoleAuthorizationManager : ServiceAuthorizationManager
{
protected override bool CheckAccessCore(OperationContext operationContext)
{
base.CheckAccessCore(operationContext);
using (var context = new WebPortalDbContext())
using (var userStore = new UserStore<ApplicationUser>(context))
{
using (var userManager = new UserManager<ApplicationUser>(userStore))
{
var identity =operationContext.ServiceSecurityContext.PrimaryIdentity;
var user = userManager.FindByName(identity.Name);
if (user == null)
{
var msg = String.Format("Unknown Username {0} .", user.UserName);
Trace.TraceWarning(msg);
throw new FaultException(msg);
}
//Assign roles to the Principal property for runtime to match with PrincipalPermissionAttributes decorated on the service operation.
var roleNames = userManager.GetRoles(user.Id).ToArray();//users without any role assigned should then call operations not decorated by PrincipalPermissionAttributes
operationContext.ServiceSecurityContext.AuthorizationContext.Properties["Principal"] = new GenericPrincipal(operationContext.ServiceSecurityContext.PrimaryIdentity, roleNames);
return true;
}
}
}
}
在配置中,您应该将它们连接在一起。
<serviceBehaviors>
<behavior name="authBehavior">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyNamespace.IdentityValidator,MyNamespace.Security" />
</serviceCredentials>
<serviceAuthorization principalPermissionMode="Custom" serviceAuthorizationManagerType="Mynamespace.Security.RoleAuthorizationManager,mynamespace.Security"></serviceAuthorization>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="True" />
</behavior>
</serviceBehaviors>
<service name="Fonlow.Demo.RealWorldService.Service1" behaviorConfiguration="authBehavior">
<!-- Service Endpoints. A Service may provide multiple endpoints -->
<!-- Not need to define host. Relative -->
<endpoint address="" binding="basicHttpsBinding" contract="Fonlow.Demo.RealWorldService.IService1" bindingConfiguration="httpsBindingConfig">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>