ASP.NET membership provider authentication is not validating the WCF service

Time: 2010-10-27 11:34:48

Tags: asp.net wcf asp.net-membership

I have a SqlMembershipProvider store with roles enabled. It is configured and has a user "devtest" in the roles "xxUser" and "xxAdmin".

I also have a WCF service that I want to authenticate and authorize against. My problems are:

  1. Authorization is not happening; the code just executes despite the policy attribute
  2. I don't have any identity or security context, so I can't tell who is calling the service
  3. I need:

    1. to know which user is calling the method
    2. some way of rejecting the user if the permissions don't match (ideally this should be done inside the RoleProvider/MembershipProvider/WCF, but I can do it myself if I have to)
    3. SSL in transit

I have set up the service contract:

    [ServiceContract]
    public interface ISupportService
    {
        [OperationContract]
        [PrincipalPermission(SecurityAction.Demand, Role = "ThisRoleDoesNotExist")]
        List<BaseInterestRate> GetAllBaseInterestRates();
    }


The code is simple:

    public class SupportService : ISupportService
    {
        public List<BaseInterestRate> GetAllBaseInterestRates()
        {
            OperationContext operationContext = OperationContext.Current;
            ServiceSecurityContext serviceSecurityContext = ServiceSecurityContext.Current; // is always null

            using (xxxEntities entities = new xxxEntities())
            {
                return new List<BaseInterestRate>(entities.BaseInterestRates);
            }
        }
    }


My service configuration is:


    <behaviors>
      <serviceBehaviors>
        <behavior name="SupportServiceBehavior">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="AspNetSqlRoleProvider" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
                                    membershipProviderName="SqlMembershipProvider" />
          </serviceCredentials>
        </behavior>
        <behavior>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />


The MembershipProvider is configured:

    <membership defaultProvider="SqlMembershipProvider" >
      <providers>
        <clear/>
        <add name="SqlMembershipProvider"
             connectionStringName="SqlMembershipProvider"
             applicationName="xxx"
             type="System.Web.Security.SqlMembershipProvider" />
      </providers>
    </membership>
    <roleManager enabled="true">
      <providers>
        <clear />
        <add connectionStringName="SqlMembershipProvider" applicationName="xxx"
             name="AspNetSqlRoleProvider" type="System.Web.Security.SqlRoleProvider" />
        <add applicationName="xxx" name="AspNetWindowsTokenRoleProvider"
             type="System.Web.Security.WindowsTokenRoleProvider" />
      </providers>
    </roleManager>


I have followed the instructions on these pages:

I am not getting any certificate/transport etc. problems failing with exceptions, and I can debug into the WCF call. I have no security context/user context available, and when I use a user that is not in the two roles above (which is what I do in the code sample above), I am not being "kicked out".

My client application is currently a web application, but eventually there will also be a Windows Forms application and a test suite. I am currently using the ASP.NET WebDev server and running .NET 4.0.

Am I missing something?

3 answers:

Answer 0 (score: 0)

I am fairly new to WCF REST services, but in my own testing I ran into a similar problem. I stumbled across this video, which helped a bit (even though it is not quite what I was trying to do):

http://channel9.msdn.com/blogs/rojacobs/endpointtv-securing-restful-services-with-aspnet-membership

Basically the problem was that under the asp.net configuration I had to disable anonymous access in order to use MembershipProvider authentication:

    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
      ...

Answer 1 (score: 0)

I don't think you can set the principal permission on the interface. I bet if you move it onto the service implementation method it will work,

or at least start breaking for a different reason (I am currently still stuck - I get access denied exceptions - hope you don't!)

(I tried putting them on the contract interface first)

Answer 2 (score: 0)

This is the correct configuration for a self-hosted WCF service using SSL:

<?xml version="1.0"?>
<configuration>
   <startup>
      <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.0"/>
   </startup>
   <connectionStrings>
      <add name="mySqlConnection" connectionString="Data Source=.\SQLEXPRESS2012;Integrated Security=SSPI;Initial Catalog=aspnetdb;"/>
   </connectionStrings>
   <system.web>
      <compilation debug="true"/>
      <!-- Configure the Sql Membership Provider -->
      <membership defaultProvider="MySqlMembershipProvider" userIsOnlineTimeWindow="15">
         <providers>
            <clear/>
            <add name="MySqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider" connectionStringName="mySqlConnection" applicationName="UsersManagementNavigationApplication" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Hashed"/>
         </providers>
      </membership>

      <!-- Configure the Sql Role Provider -->
      <roleManager enabled="true" defaultProvider="MySqlRoleProvider">
         <providers>
            <clear/>
            <add name="MySqlRoleProvider" type="System.Web.Security.SqlRoleProvider" connectionStringName="mySqlConnection" applicationName="UsersManagementNavigationApplication"/>
         </providers>
      </roleManager>
   </system.web>
   <system.serviceModel>
      <bindings>
         <webHttpBinding>
            <binding name="webBinding">
               <security mode="Transport">
                  <transport clientCredentialType="Basic"/>
               </security>
            </binding>
         </webHttpBinding>
         <basicHttpBinding>
            <binding name="basicBindingConfiguration">
               <security mode="Transport">
                  <transport clientCredentialType="Basic"/>
               </security>
            </binding>
         </basicHttpBinding>
      </bindings>
      <behaviors>
         <endpointBehaviors>
            <behavior name="webEndpointBehavior">
               <webHttp/>
            </behavior>
         </endpointBehaviors>
         <serviceBehaviors>
            <behavior name="webServiceBehavior">
               <serviceMetadata httpsGetEnabled="true"/>
               <serviceThrottling/>
               <serviceDebug/>
            </behavior>
            <behavior name="myServiceBehavior">
               <!-- Configure role based authorization to use the Role Provider -->
               <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="MySqlRoleProvider">
               </serviceAuthorization>
               <serviceCredentials>
                  <!-- Configure user name authentication to use the Membership Provider -->
                  <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfServiceHTTPSSelfHosted.MyCustomValidator, WcfServiceHTTPSSelfHosted"   />
               </serviceCredentials>
               <!-- To avoid disclosing metadata information, set the value below to false before deployment -->
               <serviceMetadata httpsGetEnabled="true"/>
               <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
               <serviceDebug includeExceptionDetailInFaults="false"/>
            </behavior>
         </serviceBehaviors>
      </behaviors>
      <services>
         <service behaviorConfiguration="myServiceBehavior" name="WcfServiceHTTPSSelfHosted.WcfServiceHTTPSSelfHosted">
            <endpoint address="" binding="basicHttpBinding" bindingConfiguration="basicBindingConfiguration" contract="WcfServiceHTTPSSelfHosted.IWcfServiceHTTPSSelfHosted"/>
            <endpoint address="web" behaviorConfiguration="webEndpointBehavior" binding="webHttpBinding" bindingConfiguration="webBinding" contract="WcfServiceHTTPSSelfHosted.IWcfServiceHTTPSSelfHosted"/>
            <endpoint address="mex" binding="mexHttpsBinding" bindingConfiguration="" contract="IMetadataExchange"/>
            <host>
               <baseAddresses>
                  <add baseAddress="https://localhost:50001/WcfServiceHTTPSSelfHosted/"/>
               </baseAddresses>
            </host>
         </service>
      </services>
   </system.serviceModel>
</configuration>

If you want to know more, have a look at:

http://www.albertoschiassi.it/Home/tabid/55/EntryId/94/Use-ASP-NET-SqlMemberShipProvider-in-WCF-self-hosted-service.aspx

http://www.albertoschiassi.it/Home/tabid/55/EntryId/95/Use-ASP-NET-SqlMemberShipProvider-in-WCF-self-hosted-service-with-SSL.aspx
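As an added example (not code from the question or from either answer), this is what answer 1 and answer 2 amount to in C#: a hypothetical body for the MyCustomValidator class that answer 2's config names, which delegates to the configured membership provider, and the service implementation with the PrincipalPermission demand placed on the implementing method rather than on the contract interface, reading the caller's identity from ServiceSecurityContext.Current. The ISupportService name and the xxUser/xxAdmin roles come from the question; the return type, the WhoAmI operation and the sample data are assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Selectors;   // UserNamePasswordValidator
using System.IdentityModel.Tokens;      // SecurityTokenException
using System.Security.Permissions;
using System.ServiceModel;
using System.Threading;
using System.Web.Security;              // Membership (reference System.Web)

namespace WcfServiceHTTPSSelfHosted
{
    // Hypothetical body for the MyCustomValidator class that answer 2's config names. WCF
    // invokes it for every call on the Basic-over-Transport endpoint; throwing here rejects
    // the credentials before any service method is reached.
    public class MyCustomValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
                throw new SecurityTokenException("User name and password are required.");
            // Delegates to the SqlMembershipProvider configured under <membership>.
            if (!Membership.ValidateUser(userName, password))
                throw new SecurityTokenException("Unknown user name or incorrect password.");
        }
    }
    [ServiceContract]
    public interface ISupportService
    {
        [OperationContract] List<string> GetAllBaseInterestRates(); // return type simplified
        [OperationContract] string WhoAmI();
    }

    public class SupportService : ISupportService
    {
        // The demand sits on the implementing method, not on the contract interface.
        // With principalPermissionMode="UseAspNetRoles" WCF checks the role against the
        // configured SqlRoleProvider; a caller outside "xxAdmin" gets a
        // SecurityAccessDeniedException fault and this body never executes.
        [PrincipalPermission(SecurityAction.Demand, Role = "xxAdmin")]
        public List<string> GetAllBaseInterestRates()
        {
            return new List<string> { "BaseRate-A", "BaseRate-B" }; // constructed sample data
        }
        // Any authenticated caller: the identity is the one MyCustomValidator accepted.
        [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
        public string WhoAmI()
        {
            string name = ServiceSecurityContext.Current.PrimaryIdentity.Name;
            return Thread.CurrentPrincipal.IsInRole("xxAdmin") ? name + " (xxAdmin)" : name;
        }
    }
}
```

With the demand on the implementation and the validator wired in through serviceCredentials, an unauthenticated or wrong-role call is turned into a fault before the entity query in the question would run.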