13

如何在 WCF 服务中使用角色管理器?

[Authorize(Roles=)]在我的 .NET 应用程序中,我可以使用标记来限制类或方法。如何为我的 WCF 服务启用此功能?

我目前为每个端点设置了以下绑定:

  <webHttpBinding>
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </webHttpBinding>

由于我想让用户登录并接收主体的 cookie,我是否需要将其更改为另一种类型clientCredentialType

编辑1:

这是使用 REST,而不是 SOAP。还需要注意的是,它适用于移动设备(android、iPhone)并且可以使用 cookie 来维护会话,这一点很重要。到目前为止,我一直无法使用以下代码/配置来完成这项工作:

配置文件:

   <roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true" cookieName="RoleCookie" cookiePath="/" cookieTimeout="30" cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="false" cookieProtection="All">
      <providers>
        <clear />
        <add name="ActiveDirectoryRoleProvider" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" type="" />
      </providers>
    </roleManager>

    <membership defaultProvider="MembershipADProvider">
      <providers>
        <add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

<bindings>
  <webHttpBinding> <!-- webHttpBinding is for REST -->
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
      </security>
    </binding>
  </webHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="web">
      <webHttp />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehaviour">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="ActiveDirectoryRoleProvider" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MembershipADProvider" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

代码

    public void SignIn2(string userName, bool createPersistentCookie)
    {
        if (String.IsNullOrEmpty(userName)) throw new ArgumentException("Value cannot be null or empty.", "userName");

        // put the attributes in a string for userdata
        string userData = "";

        // create the ticket
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
                                                userName,
                                                DateTime.Now,
                                                DateTime.Now.AddMinutes(240),
                                                createPersistentCookie,
                                                userData);

        // Now encrypt the ticket.
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create a cookie and add the encrypted ticket to the cookie as data.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

        // add the cookie
        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

现在使用 Principal Permission,我得到一个SecurityException(我知道该角色在服务器上有效)

    [PrincipalPermission(SecurityAction.Demand, Role = Constants.RoleUser)]
    public Message TestRoles()
    {
        var context = NetworkHelper.GetWebOperationContext();

        return context.CreateTextResponse("You have successfully activated the endpoint.");
    }

我在这里错过了关键的一步吗?

4

5 回答 5

9

我写了一篇关于如何在 WCF 中使用 ASP.NET 身份验证的博客文章;它的要点是您要使用以下绑定:

  <basicHttpBinding>
    <binding>
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>

您还必须应用以下内容serviceBehavior

    <behavior>
      <!-- no need for http get;
          but https get exposes endpoint over SSL/TLS-->
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
      <!-- the authorization and credentials elements tie
        this behavior (defined as the default behavior) to
        the ASP.NET membership framework-->
      <serviceAuthorization
          principalPermissionMode="UseAspNetRoles"
          roleProviderName="AspNetRoleProvider" />
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetMembershipProvider" />
      </serviceCredentials>
    </behavior>

需要注意的重要一点是,如果要使用名称和密码保护 WCF,则必须使用 SSL,这就是指定传输安全性的原因。

完成此操作后,您应该能够使用该PrincipalPermission属性来保护您的服务方法。

于 2012-07-04T04:04:51.657 回答
3

很久以前,我和校长也有类似的问题。我不记得细节了,但试试这个,从我非常古老的项目中:

一世。您必须添加 2 个辅助类:

using System.Web;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;

namespace TicketingCore
{
    public class HttpContextPrincipalPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext context = HttpContext.Current;

            if (context != null)
            {
                evaluationContext.Properties["Principal"] = context.User;
            }

            return true;
        }

        public System.IdentityModel.Claims.ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return "TicketingCore HttpContextPrincipalPolicy"; }
        }
    }
} 


using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Text;
using System.Web;
using System.Security.Principal;

namespace TicketingCore
{
    // syncs ServiceSecurityContext.PrimaryIdentity in WCF with whatever is set 
    // by the HTTP pipeline on Context.User.Identity (optional)
    public class HttpContextIdentityPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            HttpContext context = HttpContext.Current;

            if (context != null)
            {
                // set the identity (for PrimaryIdentity)
                evaluationContext.Properties["Identities"] = 
                    new List<IIdentity>() { context.User.Identity };

                // add a claim set containing the client name
                Claim name = Claim.CreateNameClaim(context.User.Identity.Name);
                ClaimSet set = new DefaultClaimSet(name);
                evaluationContext.AddClaimSet(this, set);
            }

            return true;
        }

        public System.IdentityModel.Claims.ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return "TicketingCore HttpContextIdentityPolicy"; }
        }
    }
}

ii. 更改 webconfig 以添加这 2 个策略,这是我的配置(格式: add policyType="namespace.class, assembly" )

<serviceBehaviors>
    <behavior name="ServiceBehavior">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SQLMembershipProvider"/>
      </serviceCredentials>
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="TicketingCore.HttpContextIdentityPolicy, TicketingCore"/>
          <add policyType="TicketingCore.HttpContextPrincipalPolicy, TicketingCore"/>
        </authorizationPolicies>
      </serviceAuthorization>
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>

iii. 确保 cookie 和角色工作正常

注意:我也不记得解决方案的来源了,你可能需要谷歌类名才能找到,希望对你有帮助,祝你好运!

于 2012-07-10T15:59:49.677 回答
2

我认为这样的东西会提供你正在寻找的东西:

// Only members of the SpecialClients group can call this method.
[PrincipalPermission(SecurityAction.Demand, Role = "SpecialClients")]
public void DoSomething()
{ 
}

您可以在此处找到有关设置服务的不同选项的好文章:MSDN 文章。您可能希望使用以下内容更新配置:

<security mode="TransportWithMessageCredential" >
    <transport clientCredentialType="Windows" />
</security>
于 2012-07-03T20:53:06.467 回答
2

两年前,我写了一篇关于 wcf 与表单身份验证和主体权限属性集成的博客。我相信你会发现这很有用:

http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html

于 2012-07-05T21:19:05.277 回答
1

查看这个问题Passing FormsAuthentication cookie to a WCF service。要点是身份验证 cookie 无法发送或接收,因为 cookie 域/asp 设置/身份验证加密密钥。我建议您出于调试目的转储该 cookie 值 Request.Cookies[".ASPXAUTH"]。

于 2012-07-09T14:16:04.973 回答