【问题标题】:How can I use the Role Manager in a WCF Service?如何在 WCF 服务中使用角色管理器?
【发布时间】:2012-07-03 20:37:23
【问题描述】:

如何在 WCF 服务中使用角色管理器?

在我的 .NET 应用程序中,我可以使用 [Authorize(Roles=)] 标记来限制类或方法。如何为我的 WCF 服务启用此功能?

我目前为每个端点设置了以下绑定:

  <webHttpBinding>
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
        <transport clientCredentialType="None"/>
      </security>
    </binding>
  </webHttpBinding>

由于我想让用户登录并接收与委托人有关的 cookie,我是否需要将其更改为另一种 clientCredentialType

编辑 1:

这是使用 REST,而不是 SOAP。还需要注意的是,它适用于移动设备(android、iPhone)并且可以使用 cookie 来维护会话,这一点很重要。到目前为止,我无法使用以下代码/配置来完成这项工作:

配置文件:

   <roleManager enabled="true" defaultProvider="ActiveDirectoryRoleProvider" cacheRolesInCookie="true" cookieName="RoleCookie" cookiePath="/" cookieTimeout="30" cookieRequireSSL="false" cookieSlidingExpiration="true" createPersistentCookie="false" cookieProtection="All">
      <providers>
        <clear />
        <add name="ActiveDirectoryRoleProvider" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" type="" />
      </providers>
    </roleManager>

    <membership defaultProvider="MembershipADProvider">
      <providers>
        <add name="MembershipADProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" applicationName="" connectionStringName="ADServices" connectionUsername="" connectionPassword="" attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

<bindings>
  <webHttpBinding> <!-- webHttpBinding is for REST -->
    <binding name="TransportSecurity" maxReceivedMessageSize="5242880">
      <security mode="Transport">
      </security>
    </binding>
  </webHttpBinding>
</bindings>

<behaviors>
  <endpointBehaviors>
    <behavior name="web">
      <webHttp />
    </behavior>
  </endpointBehaviors>
  <serviceBehaviors>
    <behavior name="ServiceBehaviour">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug httpHelpPageEnabled="true" includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="ActiveDirectoryRoleProvider" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="MembershipADProvider" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

代码

    public void SignIn2(string userName, bool createPersistentCookie)
    {
        if (String.IsNullOrEmpty(userName)) throw new ArgumentException("Value cannot be null or empty.", "userName");

        // put the attributes in a string for userdata
        string userData = "";

        // create the ticket
        FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(1,
                                                userName,
                                                DateTime.Now,
                                                DateTime.Now.AddMinutes(240),
                                                createPersistentCookie,
                                                userData);

        // Now encrypt the ticket.
        string encryptedTicket = FormsAuthentication.Encrypt(authTicket);

        // Create a cookie and add the encrypted ticket to the cookie as data.
        HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket);

        // add the cookie
        HttpContext.Current.Response.Cookies.Add(authCookie);
    }

现在使用主体权限,我得到一个SecurityException(我知道该角色在服务器上有效)

    [PrincipalPermission(SecurityAction.Demand, Role = Constants.RoleUser)]
    public Message TestRoles()
    {
        var context = NetworkHelper.GetWebOperationContext();

        return context.CreateTextResponse("You have successfully activated the endpoint.");
    }

我在这里错过了一个关键步骤吗?

【问题讨论】:

    标签: c# wcf


    【解决方案1】:

    我写了a blog post 关于如何在 WCF 中使用 ASP.NET 身份验证;它的要点是您要使用以下绑定:

      <basicHttpBinding>
        <binding>
          <security mode="TransportWithMessageCredential">
            <message clientCredentialType="UserName"/>
          </security>
        </binding>
      </basicHttpBinding>
    

    您还必须申请以下serviceBehavior

        <behavior>
          <!-- no need for http get;
              but https get exposes endpoint over SSL/TLS-->
          <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
          <!-- the authorization and credentials elements tie
            this behavior (defined as the default behavior) to
            the ASP.NET membership framework-->
          <serviceAuthorization
              principalPermissionMode="UseAspNetRoles"
              roleProviderName="AspNetRoleProvider" />
          <serviceCredentials>
            <userNameAuthentication
                userNamePasswordValidationMode="MembershipProvider"
                membershipProviderName="AspNetMembershipProvider" />
          </serviceCredentials>
        </behavior>
    

    需要注意的重要一点是,如果要使用名称和密码保护 WCF,则必须使用 SSL,这就是指定传输安全性的原因。

    完成此操作后,您应该能够使用PrincipalPermission 属性来保护您的服务方法。

    【讨论】:

    【解决方案2】:

    很久以前,我和校长也遇到过类似的问题。我不记得细节了,但试试这个,来自我非常古老的项目:

    我。您必须添加 2 个辅助类:


    using System.Web;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    
    namespace TicketingCore
    {
        public class HttpContextPrincipalPolicy : IAuthorizationPolicy
        {
            public bool Evaluate(EvaluationContext evaluationContext, ref object state)
            {
                HttpContext context = HttpContext.Current;
    
                if (context != null)
                {
                    evaluationContext.Properties["Principal"] = context.User;
                }
    
                return true;
            }
    
            public System.IdentityModel.Claims.ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }
    
            public string Id
            {
                get { return "TicketingCore HttpContextPrincipalPolicy"; }
            }
        }
    } 
    
    
    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    using System.Text;
    using System.Web;
    using System.Security.Principal;
    
    namespace TicketingCore
    {
        // syncs ServiceSecurityContext.PrimaryIdentity in WCF with whatever is set 
        // by the HTTP pipeline on Context.User.Identity (optional)
        public class HttpContextIdentityPolicy : IAuthorizationPolicy
        {
            public bool Evaluate(EvaluationContext evaluationContext, ref object state)
            {
                HttpContext context = HttpContext.Current;
    
                if (context != null)
                {
                    // set the identity (for PrimaryIdentity)
                    evaluationContext.Properties["Identities"] = 
                        new List<IIdentity>() { context.User.Identity };
    
                    // add a claim set containing the client name
                    Claim name = Claim.CreateNameClaim(context.User.Identity.Name);
                    ClaimSet set = new DefaultClaimSet(name);
                    evaluationContext.AddClaimSet(this, set);
                }
    
                return true;
            }
    
            public System.IdentityModel.Claims.ClaimSet Issuer
            {
                get { return ClaimSet.System; }
            }
    
            public string Id
            {
                get { return "TicketingCore HttpContextIdentityPolicy"; }
            }
        }
    }
    

    二。更改 webconfig 以添加这 2 个策略,这是我的配置(格式:add policyType="namespace.class, assembly")

    <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceCredentials>
            <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SQLMembershipProvider"/>
          </serviceCredentials>
          <serviceAuthorization principalPermissionMode="Custom">
            <authorizationPolicies>
              <add policyType="TicketingCore.HttpContextIdentityPolicy, TicketingCore"/>
              <add policyType="TicketingCore.HttpContextPrincipalPolicy, TicketingCore"/>
            </authorizationPolicies>
          </serviceAuthorization>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="false"/>
        </behavior>
      </serviceBehaviors>
    

    三。确保 cookie 和角色工作正常

    注意:我也不记得解决方案的来源了,你可能需要谷歌类名才能找到,希望对你有帮助,祝你好运!

    【讨论】:

    • 这是 Internet 上最完整的示例,并且似乎是在 WCF 服务中使用表单身份验证进行授权的最正确方法。一个相关的问题是如何在服务调用本身中执行身份验证并返回 401 错误,而不是依赖 IIS web.config 来拒绝匿名用户访问服务子目录。
    • 任何地方的示例项目?
    【解决方案3】:

    我认为这样的东西会提供你正在寻找的东西:

    // Only members of the SpecialClients group can call this method.
    [PrincipalPermission(SecurityAction.Demand, Role = "SpecialClients")]
    public void DoSomething()
    { 
    }
    

    您可以在此处找到有关设置服务的不同选项的好文章:MSDN Article。您可能希望使用以下内容更新您的配置:

    <security mode="TransportWithMessageCredential" >
        <transport clientCredentialType="Windows" />
    </security>
    

    【讨论】:

      【解决方案4】:

      两年前,我发表了一篇关于 wcf 与表单身份验证和主体权限属性集成的博客。我相信你会发现这很有用:

      http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html

      【讨论】:

      • 不确定这对我的情况有帮助。
      • 与我的方法相比,您错过了什么:1)您没有将 threadprincipal 设置为 context.user 2)您没有 asp.net 兼容性 3)您还应该重新申请 Authenticated=除了特定角色之外,在您的 PrincipalPermission 中为 true
      【解决方案5】:

      看看这个问题Passing FormsAuthentication cookie to a WCF service。要点是身份验证 cookie 无法发送或接收,因为 cookie 域/asp 设置/身份验证加密密钥。我建议您出于调试目的转储该 cookie 值 Request.Cookies[".ASPXAUTH"]。

      【讨论】:

        猜你喜欢
        • 1970-01-01
        • 2013-07-21
        • 1970-01-01
        • 1970-01-01
        • 2011-05-22
        • 2023-04-06
        • 1970-01-01
        • 2012-09-14
        • 2010-10-16
        相关资源
        最近更新 更多