Authenticating WCF used for IPC and remote access

Time: 2010-11-25 13:42:45

Tags: c# wcf authentication windows-services ipc

My GUI application controls its sister Windows service over WCF using NetNamedPipeBinding. I want to prevent other applications from impersonating my GUI application and controlling my service.

Is it necessary to authenticate the GUI application to the Windows service to prevent impersonation? How should I do that?


EDIT: Remote computers should also be able to control the service, since they are authenticated (the service trusts them), so I will need to add a NetTcpBinding endpoint. Any answer that covers this would be helpful.

1 answer:

Answer 0: (score: 2)

Yes, it is necessary to secure the WCF channel to prevent impersonation. WCF can encrypt your communication automatically when you tell it to, but you need to handle the authentication part yourself.

There are two ways of securing messages in WCF (three, if you count that you can use both at once). There is a good high-level explanation here. Which of them you can use depends on the binding in question (different bindings give you different options).

Also, for each way of securing the service, you can choose between authentication credential types (the actual way each party proves its identity to the other endpoint). This depends on the binding as well as on the security method.

To see the options for each binding, you can inspect its Security property. The type of this property differs for each binding (e.g. NetTcpSecurity); you can look it up on MSDN or with IntelliSense.

From here on, I'll use NetTcpBinding with transport security as the example.

To set up security on both the server and the client side, you first have to configure the binding with the security mode and authentication type before creating and opening the channel, e.g.:

// Namespaces needed by the snippets below
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

var binding = new NetTcpBinding { /* set props here */ };
// TLS security with X.509 certificates
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;

Then, on the server side (this example is specific to the choices made above):

// Load and set the server certificate
var serverCertificate = new X509Certificate2(/* parameters here */);
host.Credentials.ServiceCertificate.Certificate = serverCertificate;

// You can leave it at that and let Windows validate the client's certificate using
// the default method (which means that you either need to have added the client's
// certificate to the server machine's certificate store as "trusted", or rely on chain
// trust and have the client's certificate signed by a trusted authority.

// Or, you can use custom validation rules. AcceptAnythingCertificateValidator stands for
// your own X509CertificateValidator subclass; whatever it accepts is what can control the service.
var authentication = host.Credentials.ClientCertificate.Authentication;
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();

On the client side (this example is also specific to those choices):

var clientCertificate = new X509Certificate2(/* parameters here */);
var factory = new ChannelFactory<IYourServiceInterface>(binding, endpoint);
factory.Credentials.ClientCertificate.Certificate = clientCertificate;

// You can leave it at that and let Windows validate the server's certificate using
// the default method (which means that you either need to have added the server's
// certificate to the client machine's certificate store as "trusted", or rely on chain
// trust and have the server's certificate signed by a trusted authority.

// Or, you can use custom validation rules:
var authentication = factory.Credentials.ServiceCertificate.Authentication;
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();

var channel = factory.CreateChannel();

// Your channel is now ready for use! You can also cast it to IClientChannel
// to expose some more properties.
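As an added example (editor's code, not part of the answer above), here is a validator that pins the client certificate to one known thumbprint, in place of the AcceptAnythingCertificateValidator placeholder, together with a host that exposes both the named-pipe endpoint for the local GUI and the NetTcpBinding endpoint for remote machines. IControlService, the endpoint addresses and the thumbprint parameter are placeholders.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: pin the client certificate to an expected thumbprint instead of accepting
// anything. IControlService, ControlService and the addresses below are placeholders.
[ServiceContract]
public interface IControlService { [OperationContract] void Stop(); }
public sealed class ControlService : IControlService
{
    public void Stop() { /* stop work here; the caller was already authenticated */ }
}
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string _expected;
    public PinnedThumbprintValidator(string expectedThumbprint)
    {
        _expected = expectedThumbprint.Replace(" ", "").ToUpperInvariant();
    }
    public override void Validate(X509Certificate2 certificate)
    {
        // Throwing rejects the connection; returning normally accepts it.
        if (certificate == null)
            throw new SecurityTokenValidationException("No client certificate presented.");
        if (!string.Equals(certificate.Thumbprint, _expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Unexpected client certificate: " + certificate.Thumbprint);
        if (DateTime.Now < certificate.NotBefore || DateTime.Now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Client certificate is outside its validity period.");
    }
}
public static class ControlServiceHost
{
    public static ServiceHost Create(X509Certificate2 serverCert, string expectedClientThumbprint)
    {
        var host = new ServiceHost(typeof(ControlService));
        // Local GUI: named pipe with transport security; authenticates the calling Windows user
        // (any process running as that user can connect, not just your GUI).
        host.AddServiceEndpoint(typeof(IControlService),
            new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport), "net.pipe://localhost/control");
        // Remote callers: TCP with transport security; the client must present the pinned certificate.
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IControlService), tcp, "net.tcp://localhost:8731/control");
        host.Credentials.ServiceCertificate.Certificate = serverCert;
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(expectedClientThumbprint);
        return host;
    }
}
```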