2

我正在尝试使用 HTTPS / SSL、基本客户端凭据和WebHttpBinding来保护新的 .Net 4.5 WCF 服务。通过在线阅读,我发现了 Allen Conway 的一系列很好的博客文章,我将其用作模板。

WCF 配置

 <system.serviceModel>
    <bindings>
      <webHttpBinding>
        <binding name="webInteropSecureBinding" allowCookies="false" maxBufferPoolSize="2097152" maxBufferSize="2097152" maxReceivedMessageSize="2097152">
          <security mode="Transport">
            <transport clientCredentialType="Basic"></transport>
          </security>
        </binding>
      </webHttpBinding>
    </bindings>
    <services>
      <service name="PsmDataProvider.PsmProvider" behaviorConfiguration="SecureRest">
        <clear />
        <endpoint address="" binding="webHttpBinding" bindingConfiguration="webInteropSecureBinding" name="PsmProvider" contract="PsmDataProvider.IPsmProvider" behaviorConfiguration="webHttpBehavior" />
        <endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" listenUriMode="Explicit" />
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost:44300/PsmProvider/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureRest">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="Custom" 
                                    customUserNamePasswordValidatorType="PsmDataProvider.Security.CustomerUserNamePasswordValidator, PsmDataProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="webHttpBehavior">
          <webHttp />
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

客户用户名密码验证器

我已经取消了 CustomerUserNamePasswordValidator 实现,并确认在引发异常之前调用了构造函数。

using System;
using System.IdentityModel.Selectors;

namespace PsmDataProvider.Security
{
    internal class CustomerUserNamePasswordValidator : UserNamePasswordValidator, ICustomerUserNamePasswordValidator 
    {

        public CustomerUserNamePasswordValidator()
        {
        }

        public override void Validate(string userName, string password)
        {          
            if (userName == null) throw new ArgumentNullException("userName","The username must be provided in the request to access this service");
            if (password == null) throw new ArgumentNullException("password", "The password must be provided in the request to access this service");

        }
    }
}

当我尝试通过 IIS Express 在 VS2012 中运行代码时,服务无法启动并出现以下错误。

在此处输入图像描述

如果我从配置中删除clientCredentialType则它可以工作,但我需要在服务上使用用户名/密码验证以及将来可能在方法级别使用的额外安全性。

这是我在 WCF 配置中的错误配置还是 IISExpress 中的配置问题?

请帮忙...

4

1 回答 1

3

问题似乎是在 IIS 中托管服务时使用基本身份验证时,因为 IIS 想要处理身份验证。

这在此 MSDN 博客文章中进行了讨论

在 .Net Framework 3.0 附带的 WCF 版本中,我们不支持具有传输级别 HTTP 安全性的自定义验证器。我们从社区收到了很多反馈,认为这是一个非常需要的功能,所以我很高兴地说,我们在 .Net Framework 的 3.5 版本中添加了对这个场景的支持。请注意,这仅在自托管服务下受支持。

Allen Conway 的博客文章中讨论了一个解决方案,方法是实现从ServiceAuthorizationManager派生的自定义授权管理器

自定义授权管理器 

public class CustomAuthorizationManager : ServiceAuthorizationManager 
{
    private const string UserName = "username";
    private const string Password = "password";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        string authHeader = WebOperationContext.Current.IncomingRequest.Headers["Authorization"];

        if ((authHeader != null) && (authHeader != string.Empty))
        {
            string[] svcCredentials = System.Text.ASCIIEncoding.ASCII
                                        .GetString(Convert.FromBase64String(authHeader.Substring(6)))
                                        .Split(':');

            var user = new { Name = svcCredentials[0], Password = svcCredentials[1] };

            if ((user.Name.Equals(UserName) && user.Password.Equals(Password)))
                return true;
            else
                return false;
        }
        else
        {
            WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"PsmProvider\"");
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        }
    }

}

配置

  <system.serviceModel>
    <bindings>
      <webHttpBinding>
        <binding name="webInteropSecureBinding" allowCookies="false" maxBufferPoolSize="51200" maxBufferSize="51200" maxReceivedMessageSize="51200">
          <security mode="Transport"/>
        </binding>
      </webHttpBinding>
    </bindings>
    <services>
      <service name="PsmDataProvider.PsmProvider" behaviorConfiguration="SecureRest">
        <clear />
        <endpoint binding="webHttpBinding" bindingConfiguration="webInteropSecureBinding" 
                    name="PsmProvider" contract="PsmDataProvider.IPsmProvider" behaviorConfiguration="webHttpBehavior" />
        <endpoint address="mex" binding="mexHttpsBinding" name="mex" contract="IMetadataExchange" />
        <host>
          <baseAddresses>
            <add baseAddress="https://localhost:44300/PsmProvider/" />
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecureRest">
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceAuthorization serviceAuthorizationManagerType="PsmDataProvider.Security.CustomAuthorizationManager, PsmDataProvider"/>
        </behavior>
      </serviceBehaviors>
      <endpointBehaviors>
        <behavior name="webHttpBehavior">
          <webHttp/>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>

笔记

另请注意 Travich 关于 IIS / IIS Express 配置的评论

Travich 说...帮助其他用户的一件事。简要说明,但我忽略了一些事情...关闭 IIS 中的基本身份验证并从您的 webHttpBinding 中删除标记!

为我工作。

于 2013-08-22T09:23:02.853 回答