经过几天的测试,我发现创建具有身份验证的 WCF Web 服务的唯一方法是将证书放入 localmachine/trustedpeople 证书存储区。主人不会为我这样做。您是否知道无需在该商店中放置证书即可启用 WCF 身份验证的任何方法?有没有其他方法可以让 WCF 安全性在共享主机上发挥作用?
我在 codeproject 上使用了一个将证书放入 app_data 的示例,但我无法让它工作。
【问题讨论】:
标签: wcf wcf-security shared-hosting
我在本地 IIS 上做了一些非常简单的测试。我有非常简单的单一方法服务。为了公开服务,我使用了这个配置:
<configuration>
<appSettings>
<add key="CertificatePath" value="D:\Applications\CertificateFromFile\App_Data\ServerCert.pfx" />
<add key="CertificatePassword" value="password" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.0" />
</system.web>
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="CertificateFromFile.MyPasswordValidator, CertificateFromFile" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<protocolMapping>
<clear />
<add scheme="http" binding="wsHttpBinding" />
</protocolMapping>
<bindings>
<wsHttpBinding>
<binding>
<security mode="Message">
<message clientCredentialType="UserName" establishSecurityContext="false" negotiateServiceCredential="false" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true">
<serviceActivations>
<add service="CertificateFromFile.MyService" factory="CertificateFromFile.MyServiceHostFactory" relativeAddress="Service.svc" />
</serviceActivations>
</serviceHostingEnvironment>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
配置定义:
加载证书的整个过程是在自定义服务主机和服务主机工厂中完成的:
namespace CertificateFromFile
{
public class MyServiceHostFactory : ServiceHostFactory
{
protected override System.ServiceModel.ServiceHost CreateServiceHost(Type serviceType, Uri[] baseAddresses)
{
string path = ConfigurationManager.AppSettings["CertificatePath"];
string password = ConfigurationManager.AppSettings["CertificatePassword"];
return new MyServiceHost(serviceType, path, password, baseAddresses);
}
}
public class MyServiceHost : ServiceHost
{
private readonly string _certificatePath;
private readonly string _certificatePassword;
public MyServiceHost(Type serviceType, string certificatePath, string certificatePassword, params Uri[] baseAddresses)
: base(serviceType, baseAddresses)
{
_certificatePath = certificatePath;
_certificatePassword = certificatePassword;
}
protected override void OnOpening()
{
base.OnOpening();
var certificate = new X509Certificate2(_certificatePath, _certificatePassword);
var credentials = Description.Behaviors.Find<ServiceCredentials>();
credentials.ServiceCertificate.Certificate = certificate;
}
}
}
【讨论】: