【Question title】: WCF Security Using Windows Authentication
【Posted】: 2012-12-13 20:40:56
【Question】:

What is the correct WCF security implementation/configuration that allows:

  • authenticating to the service with existing Windows accounts
  • adding a service reference from another project without supplying credentials
  • restricting which users can call the service

【Question comments】:

    Tags: wcf wcf-security


    【Solution 1】:

    Authenticate to the service with existing Windows accounts

    To do this, set the transport clientCredentialType attribute of the binding configuration to Windows

    <bindings>
       <wsHttpBinding>
          <binding>
             <security mode="Message">
                <transport clientCredentialType="Windows" />
                <!-- With mode="Message" the caller's credential is selected by the <message>
                     element; the <transport> element is only consulted in Transport and
                     TransportWithMessageCredential mode, so this line is the one that takes effect. -->
                <message clientCredentialType="Windows" />
             </security>
          </binding>
       </wsHttpBinding>
    </bindings>
    

    Allow adding a service reference from another project without supplying credentials

    To do this, create a mex endpoint for your service endpoint.

    <services>
       <service name="Services.SampleService" behaviorConfiguration="wsDefaultBehavior">
          <!-- The application endpoint (contract name assumed here; it was not shown in the
               original). Without a binding configuration name it uses the unnamed wsHttpBinding above. -->
          <endpoint address="" binding="wsHttpBinding" contract="Services.ISampleService" />
          <!-- mexHttpBinding carries no security, so metadata can be fetched without credentials.
               The service behavior must contain <serviceMetadata /> for this endpoint to load. -->
          <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
       </service>
    </services>
    

    Restrict which users can call the service

    This one is a bit more complicated. The way I found to secure the service on a per-user basis requires a custom authorization policy. The class that performs the authorization must implement the IAuthorizationPolicy interface. Here is the complete code of my authorization class:

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    using System.Linq;
    using System.Security.Principal;

    namespace Services.SampleService.Authorization
    {
        /// <summary>
        /// Handles the default authorization for access to the service
        /// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
        /// </summary>
        public class DefaultAuthorization : IAuthorizationPolicy
        {
            string _Id;

            public DefaultAuthorization()
            {
                this._Id = Guid.NewGuid().ToString();
            }

            public bool Evaluate(EvaluationContext evaluationContext, ref object state)
            {
                bool isAuthorized = false;
                try
                {
                    // get the identity of the authenticated user; WCF stores the identities it
                    // authenticated for this message under the "Identities" key
                    object identities;
                    if (!evaluationContext.Properties.TryGetValue("Identities", out identities))
                        return false; // nobody was authenticated
                    IIdentity userIdentity = ((IList<IIdentity>)identities)[0];

                    // verify that the user is authorized to access the service.
                    // AuthorizedUsersDefault is a StringCollection (ArrayOfString), which has no
                    // comparison-aware Contains, so compare through LINQ with an ordinal,
                    // case-insensitive comparer (DOMAIN\user names are not case-sensitive)
                    isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault
                        .Cast<string>()
                        .Contains(userIdentity.Name, StringComparer.OrdinalIgnoreCase);
                    if (isAuthorized)
                    {
                        // add the authorized identity to the current context; with
                        // principalPermissionMode="Custom" this becomes Thread.CurrentPrincipal
                        GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
                        evaluationContext.Properties["Principal"] = principal;
                    }
                }
                catch (Exception e)
                {
                    // the project's own logging helper
                    Logging.Log(Severity.Error, "There was an error authorizing a user", e);
                    isAuthorized = false;
                }
                // note: WCF reads a false return as "not finished, re-evaluate if other policies
                // add claims" rather than as a denial in itself
                return isAuthorized;
            }

            public ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }

            public string Id
            {
                get { return this._Id; }
            }
        }
    }
    

    The "magic" happens in the Evaluate method. In my case the list of authorized users is kept in a Properties.Settings variable (of type ArrayOfString) named AuthorizedUsersDefault. That way I can maintain the list of users without redeploying the whole project.

    Then, to use this authorization policy on a per-service basis, set the following in the ServiceBehaviors node:

    <behaviors>
       <serviceBehaviors>
          <behavior name="wsDefaultBehavior">
             <!-- required for the IMetadataExchange (mex) endpoint -->
             <serviceMetadata />
             <serviceAuthorization principalPermissionMode="Custom">
                <authorizationPolicies>
                   <add policyType="Services.SampleService.Authorization.DefaultAuthorization, MyAssemblyName" />
                </authorizationPolicies>
             </serviceAuthorization>
          </behavior>
       </serviceBehaviors>
    </behaviors>
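
    The three pieces of the answer assembled into one runnable, self-hosted program, as an added example that is not code from the original answer. The contract and class names (ISampleService, SampleService, WindowsPrincipalPolicy, AllowListAuthorizationManager), the port and the allow-list entries are all assumed for this example. It departs from the answer in one place: IAuthorizationPolicy.Evaluate's return value tells WCF whether the policy has finished evaluating (false means "call me again if other policies add claims"), not whether the caller is allowed, so the example makes the allow/deny decision in a ServiceAuthorizationManager.CheckAccessCore override, where a false result produces the "Access is denied" fault, and uses the policy only to set the Principal that principalPermissionMode="Custom" requires.

```csharp
// Added example (not the original answer's code); names, port and allow-list entries are assumed.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface ISampleService { [OperationContract] string WhoAmI(); }

public class SampleService : ISampleService
{
    // The account WCF authenticated; under PrincipalPermissionMode.Custom this is also
    // what Thread.CurrentPrincipal and [PrincipalPermission] see.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}

// Sets the Principal that principalPermissionMode="Custom" requires. The return value only
// tells WCF whether the policy is finished evaluating; it is not an allow/deny decision.
public class WindowsPrincipalPolicy : IAuthorizationPolicy
{
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;
    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        object identities;
        if (evaluationContext.Properties.TryGetValue("Identities", out identities))
        {
            IIdentity caller = ((IList<IIdentity>)identities).FirstOrDefault();
            if (caller != null)
                evaluationContext.Properties["Principal"] = new GenericPrincipal(caller, null);
        }
        return true;
    }
}

// The allow/deny decision: a false result here makes WCF send the "Access is denied"
// fault, which the client sees as SecurityAccessDeniedException.
public class AllowListAuthorizationManager : ServiceAuthorizationManager
{
    private readonly HashSet<string> _allowed;
    public AllowListAuthorizationManager(IEnumerable<string> allowedAccounts)
    {   // DOMAIN\user names are not case-sensitive
        _allowed = new HashSet<string>(allowedAccounts, StringComparer.OrdinalIgnoreCase);
    }
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        IIdentity caller = operationContext.ServiceSecurityContext.PrimaryIdentity;
        return caller.IsAuthenticated && _allowed.Contains(caller.Name);
    }
}

public static class Program
{
    // Same as <security mode="Message"><message clientCredentialType="Windows"/></security>
    static WSHttpBinding WindowsMessageBinding() => new WSHttpBinding(SecurityMode.Message)
        { Security = { Message = { ClientCredentialType = MessageCredentialType.Windows } } };

    static ServiceHost StartHost(Uri baseAddress, IEnumerable<string> allowedAccounts)
    {
        var host = new ServiceHost(typeof(SampleService), baseAddress);
        host.AddServiceEndpoint(typeof(ISampleService), WindowsMessageBinding(), "");
        // unsecured mex endpoint, so another project can add a service reference
        host.Description.Behaviors.Add(new ServiceMetadataBehavior());
        host.AddServiceEndpoint(ServiceMetadataBehavior.MexContractName,
                                MetadataExchangeBindings.CreateMexHttpBinding(), "mex");
        // the <serviceAuthorization principalPermissionMode="Custom"> behavior, in code
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new WindowsPrincipalPolicy() });
        host.Authorization.ServiceAuthorizationManager = new AllowListAuthorizationManager(allowedAccounts);
        host.Open();
        return host;
    }

    static string Call(Uri address)
    {
        // UPN hint for SSPI negotiation against a self-host running as the current user
        var endpoint = new EndpointAddress(address, EndpointIdentity.CreateUpnIdentity(WindowsIdentity.GetCurrent().Name));
        var factory = new ChannelFactory<ISampleService>(WindowsMessageBinding(), endpoint);
        try { return factory.CreateChannel().WhoAmI(); }
        finally { factory.Abort(); }
    }

    public static void Main()
    {
        string me = WindowsIdentity.GetCurrent().Name;                // e.g. DOMAIN\alice
        var address = new Uri("http://localhost:8731/SampleService"); // assumed port
        using (StartHost(address, new[] { me }))
            Console.WriteLine("allowed: " + Call(address));          // our own account name
        using (StartHost(address, new[] { @"DOMAIN\somebody-else" })) // constructed: we are not listed
        {
            try { Call(address); }
            catch (SecurityAccessDeniedException e) { Console.WriteLine("denied: " + e.Message); }
        }
    }
}
```

    Run it from a console on Windows with a reference to System.ServiceModel and System.IdentityModel; http.sys needs a URL reservation for the port (netsh http add urlacl) or an elevated prompt. The first host lists the current account and the call returns it; the second host lists a different account and the same call is refused with "Access is denied". For anything beyond a handful of users, PrincipalPermissionMode.UseWindowsGroups with [PrincipalPermission(SecurityAction.Demand, Role = @"DOMAIN\Group")] lets AD group membership replace a hand-maintained name list.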
    

    【Discussion】:
