使用Windows身份验证的WCF安全性
什么是正确的WCF安全实施/配置,允许:使用Windows身份验证的WCF安全性,wcf,wcf-security,Wcf,Wcf Security,什么是正确的WCF安全实施/配置,允许: 使用现有Windows帐户向服务进行身份验证 允许添加来自另一个项目的服务引用,而不提供 证书 限制可以调用该服务的用户 使用现有Windows帐户对服务进行身份验证 为此,应将绑定配置的transport-clientCredentialType属性设置为Windows <bindings> <wsHttpBinding> <binding> <security mode=
- 使用现有Windows帐户向服务进行身份验证
- 允许添加来自另一个项目的服务引用,而不提供 证书
- 限制可以调用该服务的用户
transport-clientCredentialType
属性设置为Windows
<bindings>
<wsHttpBinding>
<binding>
<security mode="Message">
<transport clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
限制可以调用该服务的用户
这一个有点复杂。我发现基于每个用户保护服务的方法需要自定义授权策略。执行授权的类必须实现IAuthorizationPolicy
接口。这是我的授权类的完整代码:
namespace Services.SampleService.Authorization
{
/// <summary>
/// Handles the default authorization for access to the service
/// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
/// </summary>
public class DefaultAuthorization: IAuthorizationPolicy
{
string _Id;
public DefaultAuthorization()
{
this._Id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
bool isAuthorized = false;
try
{
//get the identity of the authenticated user
IIdentity userIdentity = ((IIdentity)((System.Collections.Generic.List<System.Security.Principal.IIdentity>)evaluationContext.Properties["Identities"])[0]);
//verify that the user is authorized to access the service
isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault.Contains(userIdentity.Name, StringComparison.OrdinalIgnoreCase);
if (isAuthorized)
{
//add the authorized identity to the current context
GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
evaluationContext.Properties["Principal"] = principal;
}
}
catch (Exception e)
{
Logging.Log(Severity.Error, "There was an error authorizing a user", e);
isAuthorized = false;
}
return isAuthorized;
}
public ClaimSet Issuer
{
get { return ClaimSet.System; }
}
public string Id
{
get { return this._Id; }
}
}
}
namespace Services.SampleService.Authorization
{
/// <summary>
/// Handles the default authorization for access to the service
/// <para>Works in conjunction with the AuthorizedUsersDefault setting</para>
/// </summary>
public class DefaultAuthorization: IAuthorizationPolicy
{
string _Id;
public DefaultAuthorization()
{
this._Id = Guid.NewGuid().ToString();
}
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
bool isAuthorized = false;
try
{
//get the identity of the authenticated user
IIdentity userIdentity = ((IIdentity)((System.Collections.Generic.List<System.Security.Principal.IIdentity>)evaluationContext.Properties["Identities"])[0]);
//verify that the user is authorized to access the service
isAuthorized = Properties.Settings.Default.AuthorizedUsersDefault.Contains(userIdentity.Name, StringComparison.OrdinalIgnoreCase);
if (isAuthorized)
{
//add the authorized identity to the current context
GenericPrincipal principal = new GenericPrincipal(userIdentity, null);
evaluationContext.Properties["Principal"] = principal;
}
}
catch (Exception e)
{
Logging.Log(Severity.Error, "There was an error authorizing a user", e);
isAuthorized = false;
}
return isAuthorized;
}
public ClaimSet Issuer
{
get { return ClaimSet.System; }
}
public string Id
{
get { return this._Id; }
}
}
}
<behaviors>
<serviceBehaviors>
<behavior name="wsDefaultBehavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="Services.SampleService.Authorization.DefaultAuthorization, MyAssemblyName" />
</authorizationPolicies>
</serviceAuthorization>
</behavior>
</serviceBehaviors>
</behaviors>