Using PrincipalPermissionAttribute with a custom role provider

Time: 2011-06-19 13:54:24

Tags: wcf-security roleprovider

I am working on a new security infrastructure for my organization. Since we develop systems for the internal organization, I want to use Windows authentication, but for authorization we manage a separate Oracle DB (for historical reasons). My idea is to use PrincipalPermissionAttribute, defining

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

in Global::Application_Start, and

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authorization>
      <deny users="?"/>
    </authorization>
    <roleManager defaultProvider="MyRoleProvider"
      enabled="true"
      cacheRolesInCookie="true"
      cookieName=".ASPROLES"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      cookieProtection="All" >
      <providers>
        <clear />
        <add
          name="MyRoleProvider"
          type="WcfServiceLibrary1.MyRoleProvider"
          connectionStringName="Service1"
          applicationName="InfraTest"
          writeExceptionsToEventLog="true" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfService1.Service1">
        <endpoint address="WcfAuthenticationTest" binding="basicHttpBinding"
          bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint"
          contract="WcfService1.IService1">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/WcfAuthentication"/>
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

in my Web.config, with a custom role provider that accesses the Oracle DB to check roles. But I can't get it to work. Is there a way to make PrincipalPermissionAttribute work this way, or is the whole concept possibly wrong? I thought about implementing my own custom CodeAccessSecurityAttribute, but it isn't that simple, so I'd rather not do that. Does anyone know about this problem? I'd be glad to get some answers.

2 answers:

Answer 0 (score: 1)

I recently learned two things. First, my concept was correct: I can use PrincipalPermissionAttribute with a custom role provider. Second, I was completely confused by the web.config tags. The tag is used for the ASP.NET settings, while the other is used for the WCF settings. So a little bit of configuration solved the whole problem. Here is the correct configuration:

<?xml version="1.0"?>
<configuration>

  <system.web>
    <compilation debug="true" defaultLanguage="c#" targetFramework="4.0" />

    <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES"
      defaultProvider="MyRoleProvider">
      <providers>
        <clear />
        <add connectionStringName="Service1" applicationName="InfraTest"
          writeExceptionsToEventLog="false" name="MyRoleProvider" type="SecLib.MyRoleProvider" />
      </providers>
    </roleManager>

  </system.web>
  <system.serviceModel>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBindingConfiguration" closeTimeout="00:01:00"
          sendTimeout="00:10:00" maxBufferSize="524288" maxReceivedMessageSize="524288">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfRoleProviderTestService.Service1"
               behaviorConfiguration="BasicHttpServiceBehavior" >
        <endpoint name="BasicHttpEndpoint"
                  contract="WcfRoleProviderTestService.IService1"
                  address="WcfAuthenticationTest"
                  binding="basicHttpBinding"
                  bindingConfiguration="BasicHttpBindingConfiguration" />
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/WcfRoleProviderTestService/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="BasicHttpServiceBehavior">
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"
            roleProviderName="MyRoleProvider" impersonateCallerForAllOperations="true" />
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>
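As an added example (not code from the question or either answer): a minimal custom RoleProvider and a service operation guarded by PrincipalPermissionAttribute, which the configuration above wires together through principalPermissionMode="UseAspNetRoles" and roleProviderName="MyRoleProvider". The type and class names follow the config; the in-memory role table, the user names and the GetAdminData operation are constructed assumptions standing in for the Oracle lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using System.ServiceModel;
using System.Web.Security;

namespace SecLib
{
    // Hypothetical provider matching type="SecLib.MyRoleProvider"; the table stands in for the Oracle query.
    public class MyRoleProvider : RoleProvider
    {
        private static readonly Dictionary<string, string[]> RoleTable =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
                { @"CORP\alice", new[] { "Admins", "Users" } }, { @"CORP\bob", new[] { "Users" } } };
        public override string ApplicationName { get; set; }
        // WCF's role-provider principal answers IsInRole through this method, passing the
        // DOMAIN\user name that Windows authentication established; unknown users get no roles.
        public override bool IsUserInRole(string username, string roleName)
        {
            return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }
        public override string[] GetRolesForUser(string username)
        {
            string[] roles;
            return RoleTable.TryGetValue(username, out roles) ? roles : new string[0];
        }
        public override bool RoleExists(string role) { return GetAllRoles().Contains(role); }
        public override string[] GetAllRoles() { return RoleTable.Values.SelectMany(r => r).Distinct().ToArray(); }
        public override string[] GetUsersInRole(string role) { return RoleTable.Where(e => e.Value.Contains(role)).Select(e => e.Key).ToArray(); }
        public override string[] FindUsersInRole(string role, string match) { return GetUsersInRole(role).Where(u => u.Contains(match)).ToArray(); }
        // Read-only provider: role membership is managed in the database, not through this API.
        public override void CreateRole(string role) { throw new NotSupportedException(); }
        public override bool DeleteRole(string role, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    }

    [ServiceContract]
    public class Service1
    {
        // Demanded by WCF before the body runs; a Windows caller whose name the provider does
        // not place in "Admins" receives an access-denied fault instead of the data.
        [OperationContract]
        [PrincipalPermission(SecurityAction.Demand, Role = "Admins")]
        public string GetAdminData() { return "admin-only data"; }
    }
}
```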

Answer 1 (score: 1)

You don't need to include impersonateCallerForAllOperations="true" unless you need impersonation.