WCF REST服务的基于角色的身份验证
[英]Role-based authentification for the WCF REST service
问题描述
I am trying to implement role-based authentification to the REST WCF service . 
我正在尝试对REST WCF服务实现基于角色的身份验证。 I read a lot of information on this theme but didn't got a clear understanding of what I have to do. 我阅读了许多有关此主题的信息,但对我必须做的事情并没有清楚的了解。 I understand how to restrict an access to the service using the [PrincipalPermission] attribute but don't know how to check whether the user belong to the certain role or not. 我了解如何使用[PrincipalPermission]属性限制对服务的访问,但不知道如何检查用户是否属于特定角色。 Therefore I will be very grateful if somebody can direct me to the right way (eg make a roadmap what should I do to achive this goal). 因此,如果有人能以正确的方式指导我(例如制定路线图,为实现该目标我应该怎么做),我将不胜感激。
Let me describe this situation. 让我描述一下这种情况。 I have a remote services which hosted on the server A and ASP.Net MVC client hosted on the server B. All of these rest services has an access to the database where I can read an information whether the user has access to the service or not. 我有一个托管在服务器A上的远程服务,而托管在服务器B上的ASP.Net MVC客户端。所有这些其余服务都可以访问数据库,在该数据库中我可以读取用户是否可以访问该服务的信息。 。
1 个解决方案
解决方案1
0 2014-05-19 08:05:14
OK, Tequila, IMO what you really want, based on your description, is a normal, REST WCF service with a Login(ID as string, PWD as string) method that (perhaps) returns a SessionID. 好的,龙舌兰酒,IMO根据您的描述,您真正想要的是一种普通的REST WCF服务,它具有Login(ID作为字符串,PWD作为字符串)方法(可能)返回SessionID。 This Login() or SessionID() check method would then preceed access to all of your other methods. 然后,此Login()或SessionID()检查方法将允许您访问所有其他方法。 And since it's a webHTTPBinding -- effectively a stateless web service -- you'll need to check the SessionID or ID/Password before each request is processed. 而且由于它是一个webHTTPBinding(实际上是一种无状态的Web服务),因此您需要在处理每个请求之前检查SessionID或ID /密码。
So the workflow would be something like this: 因此,工作流程将如下所示:
1) client sends Login() request to host
2) host checks ID/Password against DB, creates SessionID in DB that times out after x hours, forcing new Login(). SessionID is returned in response to client,.
3) In all subsequent requests, client must provide that SessionID. That SessionID would be checked on the DB, returning stored information about the client (Role, name, ID, address ... whatever is useful) before the remainder of the request is processed.
There are methods for authenticating users BEFORE the request gets to your working code (like client authentication using Forms or client certificates (see http://msdn.microsoft.com/en-us/library/ff405740.aspx )). 在请求到达您的工作代码之前,有一些方法可以对用户进行身份验证(例如使用Forms或客户端证书进行客户端身份验证(请参见http://msdn.microsoft.com/zh-cn/library/ff405740.aspx ))。 This shifts the Login() / SessionID check to a method executed BEFORE the request hits your main program, but the steps are basically the same. 这会将Login()/ SessionID检查转移到在请求到达您的主程序之前执行的方法,但是步骤基本相同。
And since passing ID/Pwd in clear text over the web is a no-no, you'd want to implement SSL on your web service (see http://msdn.microsoft.com/en-us/library/ff650785.aspx ) 而且由于在Web上以明文形式传递ID / Pwd是不行的,所以您希望在Web服务上实现SSL(请参阅http://msdn.microsoft.com/zh-cn/library/ff650785.aspx )
Everything I've describe is basically platform independent, so if you'll have iOS or Android clients, there's nothing in what I've described that would prohibit those OSs from successfully interacting with your web service. 我所描述的一切基本上都是与平台无关的,因此,如果您拥有iOS或Android客户端,那么我所描述的内容将不会阻止这些OS与您的Web服务成功交互。
Good luck. 祝好运。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.