如何使用自托管WCF OData服务进行身份验证

时间:2015-02-05 08:03:52

标签: c# wcf authentication odata wcf-data-services

我有一个在DataServiceHost

的控制台应用程序中运行的WCF DataService

我可以成功启动主机并使用此代码查询我的WCF DataService

public void Start()
{
    var uri = new Uri("http://localhost:12345/Products");
    var host = new DataServideHost(typeof(ProductsDataService), uri);
    if (host.Description.Behaviors.Find<ServiceMetadataBehavior>() == null)
        host.Description.Behaviors.Add(new ServiceMetadataBehavior());
    if (host.Description.Behaviors.Find<ServiceDebugBehavior>() == null)
        host.Description.Behaviors.Add(new ServiceDebugBehavior());
    host.Description.Behaviors.Find<ServiceMetadataBehavior()
        .HttpGetEnabled = true;
    host.Description.Behaviors.Find<ServiceDebugBehavior>()
        .IncludeExceptionDetailInFaults = true;

    host.AddServiceEndpoint(
        new ServiceEndpoint(ContractDescription.GetContract(serviceType))
        {
            Name = "default",
            Address = new EndpointAddress(baseAddress),
            Contract = ContractDescription.GetContract(
                typeof(IRequestHandler)),
            Binding = new WebHttpBinding(),
        });

    host.Open();
}

我希望如何通过基本身份验证或其他方式保护此服务(请注意,我的服务将通过https保护)

我找到了很多关于如何使用IHttpModule使用IIS保护DataService的示例,但我也发现帖子说我不能将HttpModule与我的DataServiceHost一起使用。

有人可以给我一个如何实施身份验证的提示吗?

1 个答案:

答案 0 :(得分:1)

基于博文OData and Authentication – Part 4 – Server Side Hooks,我创建了一个与DataServices一起使用的扩展方法。请记住,您仅通过HTTPS使用基本身份验证或其他人可以看到您的密码,因为用户名/密码只是base64解码。出于测试目的,您可以删除此检查if (!context.Request.IsSecureConnection) return false;

用法:

public ProductsDataService : EntityFrameworkDataService<ProductsContext>
{
    private static validator = new UserValidator();
    public ProductsDataService()
    {
        this.UseBasicAuthentification("My Realm", validator);
    }

    private class UserValidator : IUserValidator
    {
        public IPrincipal Validate(string username, string password)
        {
            // just an example implementation
            if (!"1234".Equals(password)) retur null;
            return new GenericPrincipal(
                new GenericIdentity(username), "Admin", "User");
        }
    }
}

这是实施。您只需创建一个符合您需求的IUserValidator实现。

public static class DataServiceExtensions
{

    public static void UseBasicAuthentification<T>(
        this DataService<T> service, string realm, IUserValidator validator)
    {
        service.ProcessingPipeline.ProcessingRequest += (_sender, _e) =>
        {
            if (!Authenticate(_e.OperationContext, validator))
            {
                _e.OperationContext.ResponseHeaders.Add(
                     "WWW-Authenticate", "Basic realm=" + 
                        Convert.ToBase64String(
                        Encoding.UTF8.GetBytes(GlobalConfiguration.Realm)));
                throw new DataServiceException(401, "401 Unauthorized");
            }
        };
    }

    static bool Authenticate(DataServiceOperationContext context,
        IUserValidator validator)
    {
        if (!context.RequestHeaders.AllKeys.Contains("Authorization"))
            return false;

        // Remember claims based security should be only be 
        // used over HTTPS  
        if (!context.Request.IsSecureConnection)
            return false;

        string authHeader = context.RequestHeaders["Authorization"];

        IPrincipal principal = null;
        if (TryGetPrincipal(authHeader, validator, out principal))
        {
            //context.User = principal;
            return true;
        }
        return false;
    }

    private static bool TryGetPrincipal(string authHeader,
        IUserValidator validator, out IPrincipal principal)
    {
        var protocolParts = authHeader.Split(' ');
        if (protocolParts.Length != 2)
        {
            principal = null;
            return false;
        }
        else if (protocolParts[0] == "Basic")
        {

            var parameter = Encoding.UTF8.GetString(
                Convert.FromBase64String(protocolParts[1]));
            var parts = parameter.Split(':');

            if (parts.Length != 2)
            {
                principal = null;
                return false;
            }

            var username = parts[0];
            var password = parts[1];

            principal = validator.Validate(username, password);

            return principal != null;
        }
        else
        {
            principal = null;
            return false;
        }
    }

}

public interface IUserValidator
{
    IPrincipal Validate(string username, string password);
}