堆栈内存溢出
  简体   繁体   English

ASP.NET为下游WCF身份验证和授权形成身份验证

[英]ASP.NET Forms Auth For Downstream WCF Authentication and Authorization

 原文  2013-05-14 20:14:58       asp.net/ wcf/ forms-authentication/ wcf-security

问题描述

Development Environment: Windows 7 Enterprise with .NET 4.0 with Visual Studio 2010 开发环境:带有Visual Studio 2010的.NET 4.0的Windows 7企业版

Production Environment: Windows 2008 Server with IIS 7.0 生产环境:带有IIS 7.0的Windows 2008 Server

I'm trying to figure out the best way to authenticate and authorize against a WCF service running on a separate machine in a separate security zone from the ASP .NET web application. 我试图找出对WCF服务进行身份验证和授权的最佳方法,该服务运行在与ASP .NET Web应用程序不同的安全区域中的另一台计算机上。

Users log in with a username and password against credentials we have stored in a database. 用户使用我们存储在数据库中的凭据使用用户名和密码登录。 We did not implement Membership Provider, but when the user's credentials pass mustard, we manually create a Forms Auth ticket with the user id. 我们没有实现成员资格提供程序,但是当用户的凭据通过芥末时,我们将使用用户ID手动创建Forms Auth票证。

I did roll my own Role Provider that implements RoleProvider. 我确实推出了自己的实现RoleProvider的Role Provider。 As a result, we have "standard" ASP .NET roles along with a forms auth ticket working on our ASP .NET web application. 因此,我们具有“标准” ASP .NET角色以及在我们的ASP .NET Web应用程序上工作的表单身份验证票。

What I need to do is somehow pass these credentials along to the WCF service that's sitting on another machine. 我需要做的是以某种方式将这些凭据传递给位于另一台计算机上的WCF服务。 Originally, I thought I might use the Windows Identity Foundation and create a custom Security Token Service (STS). 最初,我以为我可能会使用Windows Identity Foundation并创建自定义安全令牌服务(STS)。 Basically, if the user authenticates, then create a token and add in the claims based authorization along with user identity into the token and pass that along to the WCF service. 基本上,如果用户进行身份验证,则创建一个令牌,并将基于声明的授权与用户身份一起添加到令牌中,然后将其传递给WCF服务。

We are currently using a .NET Remoting service (.NET 1.1 timeframe) that does not authenticate or authorize at all. 我们当前使用的是.NET Remoting服务(.NET 1.1时间范围),该服务根本不进行身份验证或授权。

That seems like it might be a bit of overkill as there might be a way to simply pass along the information I currently have with the user as when you create the Forms Auth ticket, I know the current IPrinciple is set with the IIdentity set with a "name" property set to the user id on the Thread.CurrentIdentity. 似乎有些矫kill过正,因为当您创建Forms Auth凭单时,可能有一种方法可以简单地传递我当前与用户之间的信息,我知道当前IPrinciple是通过IIdentity设置的, “名称”属性设置为Thread.CurrentIdentity上的用户ID。

I'm pretty sure IsInRole("WhateverRole") would work correctly at this point too, but all of this is on the Web application side. 我很确定IsInRole(“ WhateverRole”)在这一点上也可以正常工作,但是所有这些都在Web应用程序方面。 Nothing gets passed to the .NET Remoting service. 什么都不会传递给.NET Remoting服务。

Looking at these two classes: 看这两个类:
AuthenticationService Class AuthenticationService类别
ServiceAuthorization Class ServiceAuthorization类
I don't think they are what I want. 我认为他们不是我想要的。 Likewise, I've read through Michele Bustamante's Learning WCF , but I don't really see this particular scenario covered. 同样,我已经阅读了Michele Bustamante的Learning WCF ,但我并没有真正看到这种特殊情况。 When I read about Windows Authentication , I keep thinking that needs to be tied into some internal NTLM or Kerberos associated with the internal Windows security situation. 当我阅读有关Windows身份验证的信息时 ,我一直认为需要将其绑定到一些与内部Windows安全情况相关的内部NTLM或Kerberos。 None of our users are internal users. 我们的用户都不是内部用户。 They're strictly external. 他们严格是外部的。

Now, I know that if the user gets a Forms Auth ticket, they essentially get a valid IPrinciple and the roles should be set, right? 现在,我知道,如果用户获得了Forms Auth票证,那么他们实际上将获得有效的IPrinciple,并且应该设置角色,对吗?

If so, is there a way to pass this along to a WCF service setting on another machine? 如果是这样,是否有办法将其传递给另一台计算机上的WCF服务设置? If I set the WCF clientCredentialType to windows and set the serviceAuthorization principlePermissionMode to "UseAspNetRoles", will these be passed along in the security context from the web application to the WCF service when I make the service call? 如果我将WCF clientCredentialType设置为Windows,并且将serviceAuthorization PrinciplePermissionMode设置为“ UseAspNetRoles”,那么在进行服务调用时,这些安全性上下文将从Web应用程序传递到WCF服务中吗?

Nothing I can find is clear on how this might happen. 我找不到什么可能发生的事情。 Thanks. 谢谢。

1 个解决方案

解决方案1
 1 已采纳  2013-05-15 00:42:08

I think what you want is this: 我认为您想要的是:

http://thoughtorientedarchitecture.blogspot.com/2009/10/flowing-aspnet-forms-authentication.html http://thoughtenedarchitecture.blogspot.com/2009/10/flowing-aspnet-forms-authentication.html

This isn't super secure, since you're effectively creating your own man-in-the-middle attack, but it's probably secure enough for most needs. 这不是超级安全,因为您可以有效地创建自己的中间人攻击,但是对于大多数需求而言,它可能足够安全。

Essentially this boils down to this: 本质上可以归结为:

  1. Configure both servers with the same MachineKey 使用相同的MachineKey配置两个服务器
  2. Grab the FormsAuthentication cookie from the user request 从用户请求中获取FormsAuthentication cookie
  3. Attach the cookie to the outgoing WCF service call 将Cookie附加到传出的WCF服务调用
  4. ??? ???
  5. Profit 利润

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 ASP.NET Forms身份验证的授权安全性 - Authorization security of ASP.NET Forms authentication 来自asp.net表单auth客户端的wcf授权(请求过滤) - wcf authorization (request filtering) from asp.net forms auth client 使用ASP.NET角色的WCF表单身份验证授权=访问被拒绝? - WCF Forms Authentication authorization using ASP.NET roles = Access Denied? ASP.Net 4.5表单身份验证/授权不起作用 - ASP.Net 4.5 Forms Authentication / Authorization not working 在表单身份验证cookie中存储密码 - ASP.NET和WCF调用 - Storing password in forms authentication cookie - ASP.NET and WCF calls 使用ASP.NET窗体身份验证的WCF服务 - WCF Service using ASP.NET Forms Authentication 对WCF和ASP.NET MembershipProvider表单身份验证感到困惑 - Confused about WCF and ASP.NET MembershipProvider Forms Authentication ASP.NET表单授权 - ASP.NET Forms Authorization asp.net中的认证和授权 - Authentication and authorization in asp.net ASP.NET中的授权和身份验证 - Authorization and Authentication in asp.net
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM