2

What is the correct WCF security implementation/configuration that allows:

  • Using existing Windows accounts to authenticate with the service
  • Allow adding of a Service Reference from another project without providing credentials
  • Limiting the users that can call the service
4

1 回答 1

2

使用现有 Windows 帐户对服务进行身份验证

为此,您应该将transport clientCredentialType绑定配置的属性设置为Windows.

<bindings>
   <wsHttpBinding>
      <binding>
         <security mode="Message">
            <transport clientCredentialType="Windows" />
         </security>
      </binding>
   </wsHttpBinding>
</bindings>

允许在不提供凭据的情况下从另一个项目添加服务引用

为此,请mex为您的服务端点创建一个端点。

<services>
   <service name="Services.SampleService" behaviorConfiguration="wsDefaultBehavior">
      <endpoint address="mex"  binding="mexHttpBinding" contract="IMetadataExchange" />
   </service>
</services>

限制可以调用服务的用户

这个涉及更多一点。我发现基于每个用户保护服务的方式需要自定义授权策略。执行授权的类必须实现该IAuthorizationPolicy接口。这是我的授权类的完整代码:

namespace Services.SampleService.Authorization
{
    /// <summary>
    /// Handles the default authorization for access to the service
    /// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
    /// </summary>
    public class DefaultAuthorization: IAuthorizationPolicy
    {

        string _Id;

        public DefaultAuthorization()
        {
            this._Id = Guid.NewGuid().ToString();
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            bool isAuthorized = false;
            try
            {
                //get the identity of the authenticated user
                IIdentity userIdentity = ((IIdentity)((System.Collections.Generic.List<System.Security.Principal.IIdentity>)evaluationContext.Properties["Identities"])[0]);
                //verify that the user is authorized to access the service
                isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault.Contains(userIdentity.Name, StringComparison.OrdinalIgnoreCase);
                if (isAuthorized)
                {
                    //add the authorized identity to the current context
                    GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
                    evaluationContext.Properties["Principal"] = principal;
                }
            }
            catch (Exception e)
            {
                Logging.Log(Severity.Error, "There was an error authorizing a user", e);
                isAuthorized = false;
            }
            return isAuthorized;
        }

        public ClaimSet Issuer
        {
            get { return ClaimSet.System; }
        }

        public string Id
        {
            get { return this._Id; }
        }
    }
}

“魔法”发生在Evaluate方法中。在我的情况下,授权用户列表保存在名为 的 Properties.Settings 变量(类型ArrayOfString)中AuthorizedUsersDefault。这样,我可以维护用户列表,而无需重新部署整个项目。

然后,要在每个服务的基础上使用此授权策略,请在ServiceBehaviors节点中设置以下内容:

<behaviors>
   <serviceBehaviors>
      <behavior name="wsDefaultBehavior">
         <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
           <add policyType="Services.SampleService.Authorization.DefaultAuthorization, MyAssemblyName" />
        </authorizationPolicies>
     </serviceAuthorization>
      </behavior>
   </serviceBehaviors>
</behaviors>
于 2013-03-25T17:17:50.163 回答