【Question title】: Authenticate WCF for IPC and Remote Access
【Posted】: 2011-05-15 17:30:17
【Question】:

My GUI application controls its sister Windows service over WCF's NetNamedPipeBinding. I want to prevent other applications from impersonating my GUI application and controlling my service.

Is it necessary to authenticate the GUI application to the Windows service to prevent impersonation?
How should I do that?


Edit: Remote computers should also be able to control the service, as long as they are authenticated (trusted by the service), so I need to add a NetTcpBinding endpoint. Any answer that covers this would be helpful.

【Question comments】:

    Tags: c# wcf authentication windows-services ipc


    【Solution 1】:

    Yes, it is necessary to secure the WCF channel to prevent impersonation. WCF can encrypt your communication automatically when you tell it to, but you have to take care of the authentication part yourself.

    There are two ways to secure messages in WCF (three, if you count using both at the same time). There is a good high-level explanation here. Which ones you can use depends on the binding we are talking about (different bindings give you different options).

    In addition, for each way of securing the service you can choose the authentication credential type (the actual way each entity proves its identity to the other endpoint). This depends on the binding and on the security method.

    To see the options for each binding, look at its Security property. The type of this property differs per binding (e.g. NetTcpSecurity); MSDN or IntelliSense will show you what is available.

    From here on I will use NetTcpBinding with transport security as the example.

    To set up security on both the server and the client side, you first have to configure the binding with the security mode and the authentication type, before creating and opening the channel, e.g.:

    using System.ServiceModel;

    var binding = new NetTcpBinding { /* set props here */ };
    // TLS security with X.509 certificates: the transport (TLS over TCP) encrypts
    // and signs, and each side presents a certificate to authenticate itself.
    binding.Security.Mode = SecurityMode.Transport;
    binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
    

    Then, on the server side (this example is specific to the choices made above):

    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    // 'host' is the ServiceHost for your service, created with the binding above.
    // Load and set the server certificate
    var serverCertificate = new X509Certificate2(/* parameters here */);
    host.Credentials.ServiceCertificate.Certificate = serverCertificate;

    // You can leave it at that and let Windows validate the client's certificate using
    // the default method (which means that you either need to have added the client's
    // certificate to the server machine's certificate store as "trusted", or rely on chain
    // trust and have the client's certificate signed by a trusted authority).

    // Or, you can use custom validation rules:
    // AcceptAnythingCertificateValidator is not a framework type; it stands for your own
    // X509CertificateValidator subclass. As the name says, one whose Validate() never throws
    // disables client authentication entirely, so a real one must check the certificate.
    var authentication = host.Credentials.ClientCertificate.Authentication;
    authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
    authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();
    

    And on the client side (this example is specific as well):

    using System.Security.Cryptography.X509Certificates;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    // 'endpoint' is the EndpointAddress of the service's net.tcp endpoint.
    var clientCertificate = new X509Certificate2(/* parameters here */);
    var factory = new ChannelFactory<IYourServiceInterface>(binding, endpoint);
    factory.Credentials.ClientCertificate.Certificate = clientCertificate;

    // You can leave it at that and let Windows validate the server's certificate using
    // the default method (which means that you either need to have added the server's
    // certificate to the client machine's certificate store as "trusted", or rely on chain
    // trust and have the server's certificate signed by a trusted authority).

    // Or, you can use custom validation rules:
    // Same caveat as on the server: a validator that accepts anything lets any server
    // impersonate yours, so the client-side validator must check the certificate too.
    var authentication = factory.Credentials.ServiceCertificate.Authentication;
    authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
    authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();

    var channel = factory.CreateChannel();

    // Your channel is now ready for use! You can also cast it to IClientChannel
    // to expose some more properties.
    

    【Discussion】:
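The answer leaves the actual certificate check to a placeholder validator. The following is an added example, not code from the question or the answer, that fills that gap: a custom X509CertificateValidator that pins one peer certificate by thumbprint and rejects everything else, wired into both endpoints the question asks for, a NetNamedPipeBinding for the local GUI (where Windows authenticates the caller) and a NetTcpBinding for remote GUIs with mutual TLS. The contract name IControl, the service class, the URIs, port 8733, the store locations and the two thumbprint constants are assumptions for illustration; real thumbprints come from the certificates you install.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical control contract shared by the GUI and the Windows service.
[ServiceContract]
public interface IControl
{
    [OperationContract]
    string Stop();
}

// Accepts exactly one certificate, identified by its SHA-1 thumbprint.
// Anything else throws, so the handshake fails closed instead of open.
public sealed class PinnedThumbprintValidator : X509CertificateValidator
{
    private readonly string _expected;

    public PinnedThumbprintValidator(string thumbprint)
    {
        _expected = thumbprint.Replace(" ", "").ToUpperInvariant();
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No certificate presented.");
        if (!string.Equals(certificate.Thumbprint, _expected, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException(
                "Certificate " + certificate.Thumbprint + " is not the pinned peer.");
        // Pinning identifies the exact certificate; still refuse an expired one.
        if (DateTime.UtcNow > certificate.NotAfter.ToUniversalTime())
            throw new SecurityTokenValidationException("Pinned certificate has expired.");
    }
}

public class ControlService : IControl
{
    public string Stop()
    {
        // Authenticated caller: the certificate subject on net.tcp, the Windows
        // account on net.pipe. Use it for authorization and audit logging.
        var caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "stop requested by " + caller;
    }
}

public static class Program
{
    // Placeholder thumbprints (assumed); replace with those of your own certificates.
    private const string ServerThumb = "0000000000000000000000000000000000000001";
    private const string ClientThumb = "0000000000000000000000000000000000000002";

    public static ServiceHost StartHost()
    {
        var host = new ServiceHost(typeof(ControlService));

        // Local IPC: named pipes always authenticate the caller with Windows
        // credentials, and Transport mode signs and encrypts the pipe traffic.
        var pipe = new NetNamedPipeBinding(NetNamedPipeSecurityMode.Transport);
        host.AddServiceEndpoint(typeof(IControl), pipe, "net.pipe://localhost/ControlService");

        // Remote GUIs: TLS over TCP with mutual certificate authentication.
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IControl), tcp, "net.tcp://0.0.0.0:8733/ControlService");

        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServerThumb);
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(ClientThumb);
        // Do not map the client certificate to a Windows account; the pin is the identity.
        auth.MapClientCertificateToWindowsAccount = false;

        host.Open();
        return host;
    }

    public static IControl ConnectRemote(string serverHost)
    {
        var tcp = new NetTcpBinding(SecurityMode.Transport);
        tcp.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        // WCF also checks the endpoint identity against the server certificate's
        // subject CN, so it must match the DNS name used here.
        var address = new EndpointAddress(
            new Uri("net.tcp://" + serverHost + ":8733/ControlService"),
            EndpointIdentity.CreateDnsIdentity(serverHost));

        var factory = new ChannelFactory<IControl>(tcp, address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.CurrentUser, StoreName.My, X509FindType.FindByThumbprint, ClientThumb);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new PinnedThumbprintValidator(ServerThumb);
        return factory.CreateChannel();
    }
}
```

Pinning by thumbprint makes the service accept one specific GUI certificate and the GUI accept one specific service certificate, which is the impersonation protection the question asks for; the cost is that rotating a certificate means updating the pinned value on the other side. If several remote machines must be trusted, keep a set of thumbprints in the validator instead of one, or switch to chain trust under a private CA and check the issuer. On the named-pipe endpoint the caller is whichever Windows account opened the pipe, so checking PrimaryIdentity there only distinguishes accounts, not processes.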
