我们如何将 a 转换WindowsIdentity为 a NetworkCredential?我正在测试我的 WCF 服务以验证匿名呼叫者是否被阻止。为此,我想做类似的事情:
myProxy.ClientCredentials.Windows.ClientCredential = foo(WindowsIdentity.GetAnonymous());
将 a 转换为afoo的方法在哪里WindowsIdentityNetworkCredential
问问题
24604 次
3 回答
4
一般来说 foo 不存在。由于 NetworkCredential 是比 WindowsIdentity 更广泛的对象。也就是说,我可以在需要 WindowsIdentity 的地方使用 NetworkCredential,但反之则不行。
原因是出于安全考虑。
NetworkCredential 表示您可以获取此身份并在另一台机器上使用其关联的凭据。
这意味着
- 您拥有用户凭据,而不仅仅是其身份。
- 这组凭据非常适合模拟,而不仅仅是本地访问。
我将假设凭据来自另一台机器(由于 WCF)。再次出于安全原因,在进入这台机器时,该网络凭据已转换为 LocalCredential(除非我们谈论的是委派而不是模拟)。客户端计算机授予在服务器计算机上使用其凭据的权利,并且仅在服务器计算机上使用。
如果你想找回 NetworkCredential,你需要做一些叫做委托的事情,因为这就是所谓的多跳问题。这涉及到 Kerberos,一只黑社会的三头恶犬。您不想处理 Kerberos。
一般来说,默认情况下,WCF 代理不会在调用时发送凭据。您通常需要设置 ClientCredentials 或设置
proxy.UseDefaultCredentials = true
不提供任何一个通常意味着没有凭据,因此是匿名身份验证。
于 2013-03-08T06:29:27.130 回答
3
回答我自己的问题:
不可能将 a 转换WindowsIdentity为 a NetworkCredential。要测试匿名调用者是否被阻止,请使用空会话令牌模拟当前线程,然后调用 WCF 服务。注意:不要使用WindowsIdentity.GetAnonymous。这种方法是没用的(猜想它被错误地实现了,并且从未被纠正过)。使用空会话令牌模拟当前线程的代码(不进行错误处理):
public static class Helper
{
[DllImport("kernel32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
private static extern IntPtr GetCurrentThread();
[DllImport("advapi32.dll", CharSet = CharSet.Auto, ExactSpelling = true)]
private static extern bool ImpersonateAnonymousToken(IntPtr handle);
public static void ImpersonateAnonymousUser()
{
ImpersonateAnonymousToken(GetCurrentThread());
}
}
static string ToString(IIdentity identity)
{
return string.Format("{0} {1} {2}", identity.Name, identity.IsAuthenticated, identity.AuthenticationType);
}
static void Main(string[] args)
{
Console.WriteLine(ToString(WindowsIdentity.GetCurrent()));
Helper.ImpersonateAnonymousUser();
Console.WriteLine(ToString(WindowsIdentity.GetCurrent()));
}
输出:
my machine\me True NTLM
NT AUTHORITY\ANONYMOUS LOGON False
作为对 Edmund 评论的回应,设置proxy.ClientCredentials.Windows.ClientCredential为null不会做预期的事情 - 以匿名用户的身份提出请求。这是我的完整测试代码及其输出:
服务代码:
public class Service1 : IService1
{
// note that if client is not authenticated, this code will never get a chance to execute
// exception will happen before that
// therefore there is no need to decorate this method with a
// [PrincipalPermission(SecurityAction.Demand, Authenticated=true)] attribute
public string GetData()
{
try
{
var identity = Thread.CurrentPrincipal.Identity;
return string.Concat(identity.Name, ",", identity.IsAuthenticated, ",", identity.AuthenticationType);
}
catch (Exception e)
{
return string.Concat(e.Message, "\\r\\n", e.StackTrace);
}
}
}
服务配置:
<services>
<service name="WcfService1.Service1">
<host>
<baseAddresses>
<add baseAddress="http://mymachine/Service1/" />
</baseAddresses>
</host>
<endpoint address="Service1"
binding ="customBinding"
bindingConfiguration="myHttpBinding"
contract="WcfService1.IService1">
</endpoint>
</service>
</services>
<bindings>
<customBinding>
<binding name="myHttpBinding">
<reliableSession/>
<binaryMessageEncoding />
<httpTransport maxBufferSize="2147483647"
maxReceivedMessageSize="2147483647"
authenticationScheme="IntegratedWindowsAuthentication" />
</binding>
</customBinding>
</bindings>
客户端代码:
static void MakeRequest()
{
try
{
using (var svc = new Service1Client())
{
Console.WriteLine(svc.GetData());
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
Console.WriteLine(e.StackTrace);
}
}
static void Test3()
{
Console.WriteLine("using {0}", ToString(WindowsIdentity.GetCurrent()));
MakeRequest();
Console.WriteLine();
Console.WriteLine("setting svc.ClientCredentials.Windows.ClientCredential to null...");
try
{
using (var svc = new Service1Client())
{
svc.ClientCredentials.Windows.ClientCredential = null;
Console.WriteLine(svc.GetData());
}
}
catch (Exception e)
{
Console.WriteLine(e.Message);
Console.WriteLine(e.StackTrace);
}
Console.WriteLine();
ImpersonateAnonymousUser();
Console.WriteLine("using {0}", ToString(WindowsIdentity.GetCurrent()));
MakeRequest();
Console.WriteLine();
}
客户端配置:
<bindings>
<customBinding>
<binding name="CustomBinding_IService1">
<reliableSession />
<binaryMessageEncoding />
<httpTransport authenticationScheme="Negotiate" />
</binding>
</customBinding>
</bindings>
<client>
<endpoint address="mymachine/Service1/Service1.svc/Service1"
binding="customBinding" bindingConfiguration="CustomBinding_IService1"
contract="ServiceReference1.IService1" name="CustomBinding_IService1">
<identity>
<servicePrincipalName value="host/mymachine" />
</identity>
</endpoint>
</client>
<behaviors>
<endpointBehaviors>
<!-- this setting protects the client by prohibiting the service to assume identity of client
via imperonation and/or delegation and then doing bad things -->
<behavior name="ImpersonationBehavior">
<clientCredentials>
<windows allowedImpersonationLevel="Identification"/>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
输出:
using mymachine\me True Negotiate
mymachine\me,True,Negotiate
setting svc.ClientCredentials.Windows.ClientCredential to null...
mymachine\me,True,Negotiate
using NT AUTHORITY\ANONYMOUS LOGON False
The communication object, System.ServiceModel.Channels.ServiceChannel, cannot be
used for communication because it is in the Faulted state.
Server stack trace:
at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage req
Msg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgDa
ta, Int32 type)
at System.ServiceModel.ICommunicationObject.Close(TimeSpan timeout)
at System.ServiceModel.ClientBase`1.System.ServiceModel.ICommunicationObject.
Close(TimeSpan timeout)
at System.ServiceModel.ClientBase`1.Close()
at System.ServiceModel.ClientBase`1.System.IDisposable.Dispose()
at TestClient.Program.MakeRequest()
于 2013-03-10T20:59:49.493 回答
0
我们有一组测试,我们这样做,我们使用这个辅助方法:
public static ResponseType CallService(RequestType requestBody, NetworkCredential credential)
{
ResponseType response;
using (var channelFactory = new ChannelFactory<IMyService>("BasicHttpBinding_IMyService"))
{
channelFactory.Credentials.Windows.ClientCredential = credential;
var client = channelFactory.CreateChannel();
var request = new MyRequest()
{
MyService = requestBody
};
response = client.MyService(request).MyResponse1;
((IClientChannel)client).Close();
channelFactory.Close();
}
return response;
}
测试中的用法:
var requestBody = GetRequestBody();//another helper method
var credential = new NetworkCredential
{
Domain = "MyDomain",
UserName = "MyUsername",
Password = "MyPassword"
};
var response = CallService(requestBody, credential);
//Assert various user credentials
var response = CallService(requestBody, null);
//Assert anonymous
于 2013-03-10T20:08:11.570 回答