【问题标题】:WCF with custom MembershipProvider and no X.509 cert, possible?具有自定义 MembershipProvider 且没有 X.509 证书的 WCF,可能吗?
【发布时间】:2011-04-03 17:56:50
【问题描述】:

我想根据自定义成员资格和角色提供者对 WCF 服务的用户进行身份验证,但我不想使用证书来保护之间的流量。

是否可以使用 basicHttpBinding,在没有证书的情况下传递自定义凭据?

我问是因为我有一个 WCF 服务,其中所有成员资格提供程序管道等都通过配置连接并托管在 IIS 下,但用户详细信息没有传递到 IIS。

我有一个网络安全的 WAN,所以我不担心消息加密。

ASP.Net 兼容性已开启,配置如下。都是.Net 4.0;

<?xml version="1.0"?>
<configuration>
<system.web>
<compilation debug="true" targetFramework="4.0" />
<membership defaultProvider="DemoMembershipProvider" userIsOnlineTimeWindow="15">
  <providers>
    <clear />
    <add name="DemoMembershipProvider" type="DemoMembershipProvider" connectionStringName="SqlConn" applicationName="TestProvider" enablePasswordRetrieval="false" enablePasswordReset="false" requiresQuestionAndAnswer="false" requiresUniqueEmail="true" passwordFormat="Clear" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="DemoRoleProvider" >
  <providers>
    <clear/>
    <add name="DemoRoleProvider" connectionStringName="blah" applicationName="TestProvider" type="DemoRoleProvider" />
  </providers>
</roleManager>
<customErrors mode="Off" />
</system.web>
<system.serviceModel>
<services>
  <service name="DataService">
    <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BindingConfiguration" contract="IDataService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
  </service>
</services>
<bindings>
  <basicHttpBinding>
    <binding name="BindingConfiguration">
      <security mode="None">
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="DemoMembershipProvider" />
      </serviceCredentials>
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="DemoRoleProvider" />
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true" />
</system.serviceModel>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
</configuration>

客户端代码是;

            Console.WriteLine("Calling with valid credentials");
        using (var y = new DataServiceRef.DataServiceClient())
        {
            y.ClientCredentials.UserName.UserName = "ryan";
            y.ClientCredentials.UserName.Password = "password";
            Console.WriteLine("Result: {0}", y.GetData("blah"));
        }

【问题讨论】:

    标签: c# wcf wcf-security


    【解决方案1】:

    您必须使用自定义绑定,因为默认绑定不支持在没有安全通道的情况下发送用户名和密码(传输或消息安全都需要证书)。使用此自定义绑定:

    <customBinding>
      <binding name="UsernamePasswordOverHttp">
        <textMessageEncoding messageVersion="Soap11" />
        <security
          authenticationMode="UserNameOverTransport"
          messageSecurityVersion="WSSecurity10WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
          allowInsecureTransport="true" />
        <httpTransport />
      </binding>
    </customBinding>
    

    另一种解决方案是使用ClearUserNameBinding

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2012-07-14
      • 2015-07-26
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      • 2015-05-24
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多