
WCF Single Authentication Multiple Endpoints

When creating a WCF service application I've implemented UserNamePassValidator for custom authentication, and this works as expected.

But due to the large amount of functionality on the service, I've decoupled this into different service contracts such as a stock management service, location management service, task management service etc., and I've then exposed these on different endpoints within the same service.

This seems to work fine; however, what I would prefer is to authenticate with one endpoint and have this session state maintained across all of the endpoints. At present what happens is I authenticate to one, I can then access the functionality of that service contract, but if I were to connect to another endpoint it requires me to authenticate again.

My current crutch solution is to pass the ClientCredentials between forms on the client side for authenticating, and although it's using Message security so they're encrypted over the wire, this is obviously not an ideal solution.

Is there a solution to the first part? And if not, what's the best practice for storing user-entered credentials in memory (during runtime) on the client side?

You can implement a scheme similar to WS-Federation. It is a kind of federated security at the service level.

  • Firstly, your authentication endpoint should be called an STS (Security Token Service). What it does is authenticate and return a security token to the client.

  • Secondly, the STS should be trusted by all the service endpoints. When invoking the endpoints you should pass in the security token that the STS provided, so that the endpoints will be able to read that token and recognize that it was issued by a trusted STS.

I have implemented one with Thinktecture at https://github.com/khoanguyen/Test-WS-Federation, but sorry that I didn't give an explanation; you will need to research a little bit about WS-Federation, Thinktecture and WIF. But you should know that it is possible to do.


A lightweight solution that I am using for REST services for a mobile project is below:

  • I set up an Authentication endpoint. That endpoint holds a DSA private/public key pair. When a client is authenticated, this endpoint generates a token and signs it with the DSA private key. Then I combine the signature and token together and return it as a security token to the client.

  • At the service endpoints, I gave them the DSA public key (from the key pair of the Authentication endpoint). The DSA public key is for verifying the security tokens.

  • When the client calls the service endpoints, it attaches the security token as a header of the HTTP message. Then the service endpoints read the header to retrieve the security token -> extract the token and the signature from the security token -> use the DSA public key to verify it.

The strategy for generating the token depends on your need. In my case, my token contains the client's username and an expiration timestamp. By using DSA, a hacker can extract all the token's data, but they cannot alter it because they would need the DSA private key to sign the altered token. Our job is just keeping the private key secret and not leaving any sensitive info (e.g. password) in the token.

This is a very cheap way. I don't need to access the DB to verify the user, just ensure I got a valid security token; the token's data is just for extra needs, you can even generate a random token and sign it. No session state needed.
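The signed-token scheme described in this answer, written out as an added C# example (not code from the original post or from the answerer's project). The payload format "username|expiryUtcTicks", the dotted Base64 token layout, the header name and the 30-minute lifetime are choices made here; the page only says the token carries a username and an expiry.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SecurityTokens
{
    // Authentication endpoint: holds the private key. Payload format chosen here is
    // "username|expiryUtcTicks"; the client receives Base64(payload) + "." + Base64(signature).
    public static string Issue(DSA issuerPrivateKey, string username, TimeSpan lifetime)
    {
        byte[] payload = Encoding.UTF8.GetBytes(username + "|" + DateTime.UtcNow.Add(lifetime).Ticks);
        // SHA-1 is what the legacy DSACryptoServiceProvider supports; new designs should prefer ECDSA.
        byte[] signature = issuerPrivateKey.SignData(payload, HashAlgorithmName.SHA1);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(signature);
    }

    // Service endpoint: configured with the public key only. In a WCF REST service the token comes
    // from WebOperationContext.Current.IncomingRequest.Headers["X-Security-Token"] (name chosen here).
    // Returns the username, or null if the token is malformed, not signed by the issuer, or expired.
    public static string Verify(DSA issuerPublicKey, string securityToken)
    {
        if (string.IsNullOrEmpty(securityToken)) return null;
        string[] parts = securityToken.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, signature;
        try { payload = Convert.FromBase64String(parts[0]); signature = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        // Verify the signature before trusting any field in the payload.
        if (!issuerPublicKey.VerifyData(payload, signature, HashAlgorithmName.SHA1)) return null;
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long expiryTicks;
        if (fields.Length != 2 || !long.TryParse(fields[1], out expiryTicks)) return null;
        if (new DateTime(expiryTicks, DateTimeKind.Utc) <= DateTime.UtcNow) return null;
        return fields[0];
    }

    public static void Main()
    {
        using (DSA issuer = DSA.Create())
        using (DSA verifier = DSA.Create())
        {
            verifier.ImportParameters(issuer.ExportParameters(false)); // public parameters only
            string token = Issue(issuer, "alice", TimeSpan.FromMinutes(30));
            Console.WriteLine(Verify(verifier, token) ?? "rejected"); // alice
            // A forged payload reusing the genuine signature is rejected: only the private key can re-sign.
            string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("admin|" + DateTime.MaxValue.Ticks));
            Console.WriteLine(Verify(verifier, forged + "." + token.Split('.')[1]) ?? "rejected"); // rejected
        }
    }
}
```

The service side never touches the private key or a database: a token is accepted purely because its signature verifies under the issuer's public key and its expiry has not passed, which is what lets the session-less design above work.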
