基于用户组限制WCF Web服务功能
我有一个由C#客户端应用程序使用的WCF Web服务。我还有4个组存储在Active Directory中。客户端应用程序正在传递用户凭据以连接此web服务 Web服务公开客户端应用程序要访问的多个API或方法,如下所示:基于用户组限制WCF Web服务功能,wcf,service,Wcf,Service,我有一个由C#客户端应用程序使用的WCF Web服务。我还有4个组存储在Active Directory中。客户端应用程序正在传递用户凭据以连接此web服务 Web服务公开客户端应用程序要访问的多个API或方法,如下所示: [OperationContract] bool Read(); [OperationContract] bool Write(); [PrincipalPermission(SecurityAction.Demand, Role = "
[OperationContract]
bool Read();
[OperationContract]
bool Write();
[PrincipalPermission(SecurityAction.Demand, Role = "Readers")]
[OperationContract]
bool Read();
[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBind">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="DXDirectory.DXDirectoryService" behaviorConfiguration="DXDirectory.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBind"
name="BasicBinding" contract="DXDirectory.IDXDirectoryService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="DXDirectory.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
jrista, 谢谢你的回复。我尝试了与PrincipalPermission相同的指令,如下所示:
[OperationContract]
bool Read();
[OperationContract]
bool Write();
[PrincipalPermission(SecurityAction.Demand, Role = "Readers")]
[OperationContract]
bool Read();
[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBind">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="DXDirectory.DXDirectoryService" behaviorConfiguration="DXDirectory.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBind"
name="BasicBinding" contract="DXDirectory.IDXDirectoryService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="DXDirectory.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
[OperationContract]
bool Read();
[OperationContract]
bool Write();
[PrincipalPermission(SecurityAction.Demand, Role = "Readers")]
[OperationContract]
bool Read();
[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBind">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" proxyCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="DXDirectory.DXDirectoryService" behaviorConfiguration="DXDirectory.Service1Behavior">
<!-- Service Endpoints -->
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBind"
name="BasicBinding" contract="DXDirectory.IDXDirectoryService">
<!--
Upon deployment, the following identity element should be removed or replaced to reflect the
identity under which the deployed service runs. If removed, WCF will infer an appropriate identity
automatically.
-->
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="DXDirectory.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true" />
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
</behavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
是否需要为该功能实现wsHttpBinding?如果是,那么如何在我的Web服务中实现wsHttpBinding?我不知道如何将AD凭据集成到正常的.NET安全框架中。但是,这是可能的(我会看看是否可以找到一些链接),一旦找到,您应该能够使用标准安全属性来检查“角色”,该角色对应于您的广告组:
[OperationContract]
bool Read();
[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<adServiceBehavior>
<serviceAuthorization principalPermissionMode="UseWindowsGroups" />
</adServiceBehavior>
</serviceBehaviors>
</behaviors>
</system.serviceModel>
我有另一个想法。有时我们甚至不希望在接口上有Write()方法。使用WCF,您可以在单个服务类上实现多个服务契约接口。理想的解决方案可能是创建两个服务契约接口,一个是Read()和Write(),另一个是just Read()。根据登录到客户端的用户的不同,您可以使用Read()接口来访问那些只具有读取权限的用户,也可以使用Read()/Write()接口来访问这两者。这还允许您向不应具有写访问权限的客户端公开最安全的服务契约,同时在内部利用读/写契约进行管理。您永远不会公开可能被这种方式利用的代码。jrista是正确的-您可以使用内置的Windows授权服务,包括“PrincipalPermission”属性来限制访问 但是:在授权之前,您需要进行身份验证。首先,在决定是否让他(或她)进来之前,你需要知道谁在敲你服务的门 为了做到这一点,您需要确保在邮件交换上使用Windows凭据,并且客户端和服务器必须位于同一个域中(或者位于具有相互信任关系的域中)。此外,您还需要使用wsHttp或netTcp之类的绑定,默认情况下允许并支持Windows凭据,并且需要确保使用和配置绑定安全配置,将Windows凭据从客户端传输到服务器 您需要具备以下功能:
<system.serviceModel>
<bindings>
<netTcpBinding>
<binding name="Secured">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</netTcpBinding>
</bindings>
</system.serviceModel>
如果需要呼叫用户的名称,请使用
winCaller.namewinCaller.user