
Invoke WCF secure request without specifying my credentials in my code

I have a REST WCF service with Windows authentication.

 <service name="MyService">
    <endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttp_Reliable" contract="ISomeService">
      <identity>
        <dns value="localhost" />
      </identity>
    </endpoint>
    <endpoint address="web" behaviorConfiguration="restBehavior" binding="webHttpBinding" bindingConfiguration="web_authenticate_binding" name="computersWebEndpoint" contract="ISomeService" />
    <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />

  </service>

and the web_authenticate_binding is:

 <binding name="web_authenticate_binding" maxReceivedMessageSize="2147483647">
      <security mode ="TransportCredentialOnly">
        <transport clientCredentialType ="Windows"/>
      </security>
      <readerQuotas maxDepth="128" maxStringContentLength="2147483647" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
      <!--<security mode="TransportCredentialOnly">
        <transport clientCredentialType="Windows"></transport>
      </security>-->
    </binding>

Now I want to invoke the service from JavaScript with the service URL without writing my credentials explicitly in code (if I need to fill them in a pop-up once, like when I type the URL in the browser, that is OK...).

Is there a way to do it?

When invoking the service the "SOAP" way by adding a service reference, it magically does not even ask for my credentials... I want the same "magic" to happen when I invoke the service from JavaScript in an AJAX call with the service URL... Does someone know how to do it?

If the service allows anonymous requests then you can request the data anonymously. Otherwise there is no other option than to provide your username/password in the code/config file.

Another option is that you'd implement a security token (using STS etc.). Or you could, of course, always omit uploading your config file/.cs file that contains your secure information to TFS.

You are using Windows authentication already. All you need is to allow impersonation in the WCF service to validate the identity of your user in the service.

WCF service code can make calls by using the security identity of the service (usually the host process identity or the identity of a service account), or by using the security identity of the original caller. The original caller may be an ASP.NET service account, or it may be the end user of the client application. You impersonate the original caller whenever downstream code needs to authorize based on the original caller's identity.

In your case it's a straightforward Active Directory/Windows user.

How to do it

  • Step 1: Create a Sample WCF Service
  • Step 2: Configure the WCF Service to Use Windows Authentication
  • Step 3: Configure the SPN Identity for the WCF Service Endpoint
  • Step 4: Implement Impersonation in the WCF Service
  • Step 5: Create a Web Application Test Client
  • Step 6: Add a WCF Service Reference to the Client
  • Step 7: Impersonate the Original Caller When Calling the WCF Service
  • Step 8: Configure the Web Application for Constrained Delegation
  • Step 9: Test the Client and WCF Service

I think you have already covered step 1 & step 2.

For step 3:

Modify the web config for the service as follows:

  • set binding="wsHttpBinding"
  • in the identity section, set servicePrincipalName value="HOST/<YourMachineName>" & dns value="" instead of localhost. For example:

    ...

Step 4: Implement Impersonation in the WCF Service

  • Add a using statement for the System.Security.Principal namespace.

  • Set the impersonation required on the operation implementation of the specific operation as follows:

    // The service runs this operation under the caller's Windows identity,
    // so downstream authorization sees the original user, not the host account.
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public string OperationFunction(int value)
    {
        ...
    }

Step 5 is for testing, so I am skipping that.

Step 6: Add a WCF Service Reference to the Client

  • Right-click your client project and then click Add Service Reference.

Step 7: Impersonate the Original Caller When Calling the WCF Service

  • Add a using statement for the System.Security.Principal namespace.

  • Use the Impersonate() method to impersonate the original caller. Like:

    using System.Security.Principal;
    using System.Web;   // HttpContext, HttpUtility (ASP.NET page code-behind)

    protected void YourOperation()
    {
        // Obtain the authenticated user's identity and impersonate the original caller
        // for the duration of the WCF call; the impersonation ends when the using block exits.
        using (((WindowsIdentity)HttpContext.Current.User.Identity).Impersonate())
        {
            WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
            // HTML-encode the service result before writing it into the page.
            Response.Write(HttpUtility.HtmlEncode(myService.GetData(123)) + "<br/>");
            myService.Close();
        }
    }

Step 8: Configure the Web Application for Constrained Delegation

  • Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.

  • In the left pane of the MMC snap-in, click the Computers node.

  • In the right pane, double-click your Web server computer to display the Properties dialog box.

  • On the Delegation tab of the Properties window for the Web server computer, "Do not trust the computer for delegation" is selected by default. To use constrained delegation, select "Trust this computer for delegation to specified services only".

  • You specify precisely which service or services can be accessed in the bottom pane. Beneath "Trust this computer for delegation to specified services only", select "Use Kerberos only".

  • Click Add.

  • The Add Services dialog box appears. Click Users or computers.

  • In the Select Users or Computers dialog box, type the name of your WCF service computer if you are running using Network Service. Alternatively, if you are running WCF by using a custom domain account, enter that account name instead. Click OK.

  • You will see all the SPNs configured for the selected user or computer account. To restrict access to the WCF service, select the HOST service, and then click OK.

Refer to "How to: Impersonate the Original Caller in WCF Calling from a Web Application" for more details.

Update for comment:

You can call your WCF service from JavaScript (jQuery) using an AJAX call like:

    $.ajax({
        type: "POST", // default is GET; you can also use GET if you wish
        url: "http://localhost/Service.svc/ServiceMethod",
        data: JSON.stringify(AnyJsonInput),
        contentType: "application/json; charset=utf-8",
        dataType: "json",
        success: function (result) { /* on success */ },
        error: function () { console.log("error in service"); }
    });

NOTE: Once impersonation in the above steps is done, in IE it will automatically take the Windows credentials of the logged-on user. For other browsers also, you need not do anything; it will automatically ask for username & password.

Just to summarize, what we have done is to automatically pass Windows credentials to the service for authorization. One important thing is that your website also must be using impersonation.
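As an added example (not code from the answer above or from any project), the same call written with plain fetch instead of jQuery, relying on the browser's integrated Windows authentication so that no username or password ever appears in script; it also separates the same-origin case, where the browser attaches credentials on its own, from the cross-origin case, which needs an explicit opt-in and matching CORS headers on the service. The names buildWindowsAuthRequest, checkServiceResponse and callService are assumed.

```javascript
// Added example, not from the original answer. Builds a fetch request for a
// Windows-authenticated WCF REST endpoint without any credential in script:
// the browser attaches the logged-on user's Kerberos/NTLM credentials itself.
// Function names (buildWindowsAuthRequest, checkServiceResponse, callService) are assumed.

function buildWindowsAuthRequest(pageOrigin, serviceUrl, payload) {
  const page = new URL(pageOrigin);
  const target = new URL(serviceUrl, page); // relative service paths resolve against the page
  const sameOrigin = target.origin === page.origin;
  const init = {
    method: "POST",
    headers: { "Content-Type": "application/json; charset=utf-8" },
    body: JSON.stringify(payload),
    // Same origin: the browser sends integrated-auth credentials on its own.
    // Cross origin: "include" is required, and the service must answer CORS
    // with Access-Control-Allow-Credentials: true and an explicit
    // Access-Control-Allow-Origin (browsers reject a wildcard "*" with credentials).
    credentials: sameOrigin ? "same-origin" : "include",
  };
  return { url: target.href, init, sameOrigin };
}

// Classify the HTTP status so a 401 (the Windows auth challenge was not
// satisfied: user not logged on to the domain, or the browser did not
// negotiate) is reported separately from an authorization failure (403).
function checkServiceResponse(status) {
  if (status === 401) return "auth-challenge-unsatisfied";
  if (status === 403) return "authenticated-but-forbidden";
  if (status >= 200 && status < 300) return "ok";
  return "error";
}

// Browser usage (fetch is assumed to be available in page script).
async function callService(pageOrigin, serviceUrl, payload) {
  const { url, init } = buildWindowsAuthRequest(pageOrigin, serviceUrl, payload);
  const res = await fetch(url, init);
  const outcome = checkServiceResponse(res.status);
  if (outcome !== "ok") {
    throw new Error(`WCF call failed: ${outcome} (HTTP ${res.status})`);
  }
  return res.json();
}
```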
