我这样称呼我的服务:
private void button1_Click(object sender, RoutedEventArgs e)
{
TestServiceClient client = new
TestServiceClient("WSHttpBinding_ITestService");
client.ClientCredentials.UserName.UserName = "wrong";
client.ClientCredentials.UserName.Password = "password";
try
{
client.Open();
client.GetColors(); //should not validate, but it is.
client.Close();
}
catch (Exception ex)
{
}
}
我重写这样的验证:
public class CustomUserNameValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if ((userName != "right") || (password != "password"))
{
throw new SecurityTokenException("Validation Failed!");
}
}
public CustomUserNameValidator()
{
}
}
CustomUserNameValidator在我的Test.dll中,所以在我的web.configs ServiceBehehaviors部分中,我定义了这个:
<behavior name="CustomValidator">
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom"
customUserNamePasswordValidatorType="Test.CustomUserNameValidator, Test"/>
<serviceCertificate findValue="Test" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName"/>
</serviceCredentials>
<serviceMetadata httpGetEnabled="True"/>
</behavior>
当我运行客户端时,即使我给了错误的凭据,它仍会执行服务。验证甚至没有被调用。我可以调用Validate的唯一方法是将它放在我的Operation GetColors中,但是我必须把它放在每个操作中。
我将我的用户存储在一个包含用户名和加密密码的表中,因此自定义用户名/密码验证器的使用方式还是应该以不同的方式处理。
如果自定义用户名验证不是自托管的,而是托管在IIS中,那么自定义用户名验证是否有效?