1

我有一个 WCF 服务托管在单个端点上,带有<ws2007FederationHttpBinding>. 该服务使用 WIF 令牌进行保护。

服务有一种方法void IsOnline()来确定服务的可用性。此方法必须可以在没有令牌的情况下调用,并且我不能拆分接口,也不能添加另一个不安全的端点。(=配置服务限制)

那么,我可以修改我的绑定以基本上声明“使用 WIF 令牌是可选的”吗?或者换句话说:服务应该使用调用者的声明和身份,或者如果没有提供令牌,则使用某种匿名令牌。

我当前的绑定:

  <microsoft.identityModel>
    <service saveBootstrapTokens="true">
      <audienceUris>
        <add value="https://.../MyServiceCaller" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" issuer="https://.../MyFederationProviderHere" realm="https://.../MyServiceCaller" requireHttps="true" />
        <cookieHandler requireSsl="true" />
      </federatedAuthentication>
      <applicationService>
        <claimTypeRequired>
          <claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" />
          <claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" />
        </claimTypeRequired>
      </applicationService>
      <serviceCertificate>
        <certificateReference x509FindType="FindByThumbprint" findValue="123123" />
      </serviceCertificate>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="123123" name="My.Auth.FederationProvider" />
          <add thumbprint="456456" name="My.Auth.FederationProvider" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
    ...
  <ws2007FederationHttpBinding>
    <binding name="Host_Ws2007FederationHttp_WithToken">
      <security>
        <message establishSecurityContext="false" issuedKeyType="BearerKey"
            issuedTokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
            negotiateServiceCredential="false">
          <tokenRequestParameters>
            <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
              <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
              <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
            </trust:SecondaryParameters>
          </tokenRequestParameters>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
4

1 回答 1

1

No - In WCF authentication requirements are per endpoint. You need a separate endpoint for your IsOnline operation. You then use a binding on this endpoint that allows anonymous connections.

于 2012-12-20T06:21:16.670 回答