2

我们正在使用自定义主体和身份类型(ProdigyPrincipal/ProdigyIdentity),因为我们需要在我们的程序和服务中提供额外的信息。在程序中我们设置了主体和身份。与 WCF 服务通信时,设置了主体和标识,但在转换为我们自己的类型后,主体和标识为空。

我注意到在调试模式和单元测试模式下运行是有区别的。在调试模式下,主体和身份的类型为WindowsPrincipalWindowsIdentity类型。在单元测试模式下,类型是 GenericPrincipal 和 GenericIdenity。在这两种情况下,当转换为自定义类型时,值都是空的。

主体/身份的设置和获取是通过Thread.CurrentPrincipal完成的。在绑定部分的 App.configs 中,安全模式设置为“传输”。

用于设置/获取主体和身份的功能:

  protected static bool SetProdigyPrincipal()
  {
     #region require Thread.CurrentPrincipal should not be null

     if (Thread.CurrentPrincipal == null) // OK
     {
        throw new InvalidOperationException("SetProdigyPrincipal(): Thread.CurrentPrincipal should not be null");
     }

     #endregion require Thread.CurrentPrincipal should not be null

     var prodigyPrincipal = Thread.CurrentPrincipal as ProdigyPrincipal;

     #region require prodigyPrincipal should not be null

     if (prodigyPrincipal == null) // NOT OK
     {
        throw new InvalidOperationException("SetProdigyPrincipal(): prodigyPrincipal should not be null");
     }

     #endregion require prodigyPrincipal should not be null

     // Get the Windows identity from the current principal
     var prodigyIdentity = Thread.CurrentPrincipal.Identity as ProdigyIdentity;

     #region require windowsIdentity should not be null

     if (prodigyIdentity == null) // NOT OK
     {
        throw new InvalidOperationException("SetProdigyPrincipal(): prodigyIdentity should not be null");
     }

     #endregion require windowsIdentity should not be null

     // Create new instance of Prodigy principal
     var newProdigyPrincipal = new ProdigyPrincipal(prodigyIdentity);

     #region require prodigyPrincipal should not be null

     if (prodigyPrincipal == null)
     {
        throw new InvalidOperationException("SetProdigyPrincipal(): prodigyPrincipal should not be null");
     }

     #endregion require prodigyPrincipal should not be null

     // Set the prodigy principal
     var principalIsSet = ProdigyPrincipal.SetCurrentPrincipal(newProdigyPrincipal, ProdigyService.EnterpriseServiceBus);

     // Return principal is set status
     return principalIsSet;
  }

有谁知道为什么无法从Thread检索自定义主体和身份类型?

亲切的问候,汉斯

4

1 回答 1

8

WCF 通过ServiceAuthorizationBehavior有一种更标准的方式来实现相同的目标。

如果您将其 PrincipalPermissionMode 属性设置为“自定义”,则它允许您提供一个自定义IAuthorizationPolicy项,您可以通过该自定义项使自定义IPrincipal项对 WCF ServiceSecurityContext 可用。DispatchRuntime 会将这个(您的自定义)IPrincipal 分配给 Thread.CurrentPrincipal - 这就是您所追求的,对吧?

这是一个示例 IAuthorizationPolicy 实现:

public class DemoAuthorizationPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();

    public string Id { get { return this.id; } }

    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        // Here, create your custom principal
        IIdentity customIdentity = new GenericIdentity("myUserName", "myCustomAuthenticationType");
        IPrincipal customPrincipal = new GenericPrincipal(customIdentity, new[] { "user", "powerUser" });

        // Set EvaluationContext properties
        context.Properties["Identities"] = new List<IIdentity> { customIdentity };
        context.Properties["Principal"] = customPrincipal;

        return true;
    }
}

这就是您在 Web.config 中声明 ServiceAuthorizationBehavior 的方式:

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization principalPermissionMode="Custom" >
            <authorizationPolicies>
              <add policyType="PrincipalPermissionModeDemo.DemoAuthorizationPolicy, YourAssemblyName"/>
            </authorizationPolicies>
          </serviceAuthorization>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

然后,在您的服务内部,您可以通过[PrincipalPermission]属性利用声明性安全性,您可以从 获取自定义IPrincipal Thread.CurrentPrincipal并且(或者)您还可以从 获取自定义IIdentityServiceSecurityContext.Current.PrimaryIdentity

希望能解决您的问题!

于 2011-05-07T12:51:19.383 回答