简体繁体 English

使用WCF验证多个服务之间的呼叫者身份

[英]Validating the identity of the caller between multiple services with WCF

原文 2014-01-06 18:17:03 0 2 c#/ wcf/ security

I have a client, which calls a service (passing it a user id and password). 我有一个客户端，该客户端调用服务（向其传递用户ID和密码）。 The first service can validate these credentials against users in a database. 第一服务可以针对数据库中的用户验证这些凭据。 The first service then needs to call another service, but this second service cannot be passed the user id and password given to the first service (this is a requirement outside of my control). 然后，第一个服务需要调用另一个服务，但是第二个服务无法传递给第一个服务的用户ID和密码（这是我无法控制的要求）。

在此处输入图片说明

The services will most likely be on different domains and both exposed to the internet (so security is a big issue here). 这些服务很可能位于不同的域，并且都暴露于Internet（因此，安全性是一个大问题）。

I am therefore looking at options for how the second service should check/validate that it is being called by my first service (and not by someone else trying to impersonate it). 因此，我正在寻找第二种服务应如何检查/验证第二种服务是否被我的第一种服务（而不是试图模仿它的其他人）调用的选项。

One idea I've had is to add an additional service that acts as an authentication service, this could issue a token that is then passed to the second service which in turn calls the authentication service to check the token. 我曾经想过的一个想法是添加一个充当身份验证服务的附加服务，这可以发出一个令牌，然后将该令牌传递给第二个服务，后者又调用身份验证服务来检查令牌。 Another idea (from a colleague) has been to assign an SSL certificate to each service, and check the certificate when the call comes into Server B - I haven't seen certificates used in this way though so am not sure if it's viable. （来自同事的）另一个想法是为每个服务分配一个SSL证书，并在服务器B进行呼叫时检查该证书-我没有看到以这种方式使用的证书，尽管不确定它是否可行。

This is still at the design stage, so I am open to alternative ideas/approaches. 这仍处于设计阶段，因此我愿意接受其他想法/方法。

2 个解决方案

If you need an easy fix, then creating an extra set of credentials for service A so that service B can be sure it's called from an authorized party without knowing the clients credentials might be enough. 如果您需要简单的修补程序，则可以为服务A创建一组额外的凭据，以便可以确保从授权方调用了服务B，而无需知道客户凭据就足够了。

In the long run, something like Windows Identity Foundation sounds exactly like your plans with the authentication service. 从长远来看，类似Windows Identity Foundation的声音听起来与您使用身份验证服务的计划完全一样。

So, both A and B parties are exposed to the internet (distrusted environment). 因此，甲乙双方都暴露于互联网（不受信任的环境）中。 Taking into account security requirements what you need is mutual WCF authentication . 考虑到安全性要求，您需要的是相互WCF身份验证 。 Certificates are the easiest way to achieve the goal - your server has to ensure that proper client calls it and the client has to be sure it calls proper server (DNS attacks, etc.). 证书是实现目标的最简单方法-服务器必须确保正确的客户端调用它，而客户端必须确保其调用正确的服务器（DNS攻击等）。 That means each party must have public key of the other to authenticate. 这意味着每一方都必须具有另一方的公共密钥才能进行身份验证。 Check this article for the details on how to configure your server and client. 查看本文以获取有关如何配置服务器和客户端的详细信息。