我搜索了这个错误,没有找到正确的答案.. 2个月前我在做MVC - > WCF通信。它工作,然后我注释掉PrincipalPermission属性,使其在localhost(VS IIS Express)上工作。
重新启用后,我收到错误"请求主要许可失败。"我想我的小组是错的。
WCF方面:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single, ConcurrencyMode = ConcurrencyMode.Multiple)]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
[PrincipalPermission(SecurityAction.Demand, Role = "Test_Group")]
public class TestService : ITestService
{
public int Test()
{
return 0;
}
}
客户方:
public async Task<ActionResult> Test()
{
Services.TestClientService testClient = new Services.TestClientService();
testClient.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
testClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
try
{
int response = await testClient.TestAsync();
}
catch(Exception ex)
{
System.Diagnostics.Debug.WriteLine(ex.Message);
}
return View();
}
WCF网络配置:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<!-- serviceAuthorizationManagerType="MyProject.Common.RoleAuthorizationManager, MyProject" -->
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="MyProject.Common.AuthorizationPolicy, MyProject" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyProject.Common.IdentityValidator, MyProject" />
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="MyProject.TestService" behaviorConfiguration="authBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="MyProject.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<!-- <protocolMapping>
<add binding="wsDualHttpBinding" scheme="https" />
</protocolMapping>-->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
客户端webconfig:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior>
<customInspector />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" />
</basicHttpBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<extensions>
<behaviorExtensions>
<add name="customInspector" type="MyMVC.Services.WCF.Behavior, MyMVC" />
</behaviorExtensions>
</extensions>
<client>
<endpoint address="http://localhost:9999/TestService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
contract="MyMVC.Services.ITestService" name="wsHttpEndpointBinding_ITestService" />
</client>
我无法访问WCF AuthorizationPolicy.cs以检查是否设置了Thread.CurrentPrincipal。
知道如何调试错误吗?我认为它是Windows中Test_Group的问题。 WCF和MVC在IIS中运行。 MVC在IIS APPPOOL \ MVC下运行,它是Test_Group的成员。
感谢您的帮助。
答案 0 :(得分:1)
将PrincipalPermission属性从类级别移动到方法级别。
文章:https://social.msdn.microsoft.com/Forums/vstudio/en-US/41c5a8c6-8d17-41c7-9714-4e47296ba75d/principalpermission-attribute-on-class-level-in-wcf-service?forum=wcf(上篇文章提到它不能在WCF的课堂级别上使用:/)
答案 1 :(得分:0)
Test_Group是Active Directory中的本地组还是一个?如果是后者,它应该以您的域名为前缀,后跟反斜杠。所以“Domain \ Test_Group”
如果没有尝试删除最后一个属性,请将以下内容放在函数的开头。
PrincipalPermission pp = new PrincipalPermission(null, @"Test_Group");
pp.Demand();