我有一个wcf服务,用户需要在进行服务调用之前进行身份验证。将不会有通过登录验证用户的网站或验证用户的Windows /控制台应用程序。我在考虑做这样的事情:
传递请求:
<GetCars>
<Credentials username="test" password="test" />
</GetCars>
如果用户名和密码成功,则返回GetCars的成功响应,否则失败。
问题是我不知道如何将请求传递给上面的wcf服务,然后读取用户名和密码属性来验证它。
答案 0 :(得分:6)
我将很快尝试描述我在自己的WCF服务中使用的方法进行身份验证。使用WS-Security规范(即wsHttpBinding,正如您所使用的),使用WCF SOAP端点进行内置身份验证处理。您可以使用web.config中的设置实现,如下所示:
<bindings>
<wsHttpBinding>
<binding name="myBindingName">
<security mode="Message">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
然后,您可以指定自定义类型来处理身份验证逻辑:
<behaviors>
<serviceBehaviors>
<behavior name="myBehaviorName">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="NameSpaceName.Class,AssemblyName" />
</serviceCredentials>
这个处理身份验证逻辑的类应该扩展UserNamePasswordValidator(需要引用System.IdentityModel.dll并为此导入System.IdentityModel.Selectors)并覆盖Validate:
public class MyValidator : UserNamePasswordValidator {
public override void Validate(string userName, string password) {
// check password. if success, do nothing
// if fail, throw a FaultException
}
}
使用ASP.Net WCF客户端调用此代码需要使用ClientCredential来传递用户名和密码,如下所示:
// This pattern needs to be repeated and username / password set with every creation
// of a client object. This can be refactored to a separate method to simplify.
MyAPIClient client = new MyAPIClient();
// yes UserName is there twice on purpose, that's the proper structure
client.ClientCredentials.UserName.UserName = theUsername;
client.ClientCredentials.UserName.Password = thePassword;
try {
client.Open();
client.DoSomething();
client.Close();
} catch (Exception ex) {
// handle exception, which should contain a FaultException;
// could be failed login, or problem in DoSomething
}
显然,必须使用behaviorConfiguration和bindingConfiguration属性将上面定义的绑定和行为分配给服务本身。