WCF自定义身份验证问题

Question

I have implemented Custom Authentication with UserNamePasswordValidator.

According to project requirement, I require four input parameters for authentication(Username, Password, SiteID, BrandID).

But Validate Method accept only two parameters: Validate(string userName, string password)

Question:

1) How can I send more than two parameters to Validate Method?

2) Is there any other approach to define WCF Authentication with own validate methods?

Thank You,

Ram

Answer 1

1. Basic solution with concatenation

May be the fastest way and easiest is to concatenate Username, SiteID, and BrandID (separated with / or - and making some kind of escapes to prevent use of separation characters) in the Username header and create a CustomValidator.

--------------------------- Edit ---------------------------

2. There are some ways to pass some **extra headers , and use OperationContext .**

I'll also show how to put declarative permissions

In order to do that, you can use classes of Juval Löwy. He implements a GenericContext<T> you can use.

GenericContext<T> encapsulates the mechanics of accessing headers.

2.1 Create a shared Library

To share some data from client and server, passed as soap headers

[DataContract]
public class ExtraHeaders
{
    [DataMember]
    public String Username { get; set; }
    [DataMember]
    public String Password { get; set; }
    [DataMember]
    public String BranchId { get; set; }
    [DataMember]
    public String SiteId { get; set; }
}

2.2 On the client side

Pass the extra headers:

static void Main(string[] args)
{
 // provide identity as headers
  var extraHeaders = new ExtraHeaders
  { 
        Username="manager",
        Password= "password",
        BranchId = "Branch2", 
        SiteId = "Site2" 
  };
  MyContractClient proxy = new MyContractClient(extraHeaders);

  proxy.MyMethod();

  proxy.Close();
} 

The proxy has to be changed a bit (not Visual Studio or svcutil.exe generation):

class MyContractClient : HeaderClientBase<IMyContract, ExtraHeaders>, IMyContract
{
   public MyContractClient(string key,string value) : base(key,value)
   {}
   public void MyMethod()
   {
      Channel.MyMethod();
   }
}

2.3 - Add declarative permission on the server side

Declarative permission with the
[PrincipalPermission(SecurityAction.Demand, Role = "Manager")]

class MyService : IMyContract
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Manager")]
    public void MyMethod()
    {
        var extraHeaders = ExtraHeadersContext.Current;
        if (extraHeaders != null)
        {
            //Console.WriteLine("Extra headers: (BranchId:{0}, SiteId:{1}) ", extraHeaders.BranchId, extraHeaders.SiteId);
            Console.WriteLine("Service call from : {{{0}}}", extraHeaders.Username);
        }
    }
}

2.4 Add a serviceAuthorizationBehavior to stick an identity to the use

<behaviors>
  <serviceBehaviors>
    <behavior name="customIdentificationBehavior">
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="Security.HttpContextPrincipalPolicy,Host" />
        </authorizationPolicies>
      </serviceAuthorization>
    </behavior>

2.5 Implement the serviceAuthorizationBehvior

The goal of that behavior is to assign a Principal and an identity to the caller.

namespace Security
{
    public class HttpContextPrincipalPolicy : IAuthorizationPolicy
    {
        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            try
            {
                var extraHeaders = ExtraHeadersContext.Current;
                if (extraHeaders != null)
                {
                    IPrincipal principal = new CustomPrincipal(
                        new GenericIdentity(extraHeaders.Username, "Custom Provider"),extraHeaders);

                    evaluationContext.Properties["Principal"] = principal;
                    // Put user here so it can be used for declarative access on methods
                    evaluationContext.Properties["Identities"] = new List<IIdentity>() { principal.Identity };
                }
                else
                {
                    SetAnonymousPrincipal(evaluationContext);
                }
            }
            catch (Exception)
            {
                SetAnonymousPrincipal(evaluationContext);
            }
            return true;
        }
    }
}

2.6 The CustomPrincipal class takes care of putting the user in a role

public class CustomPrincipal : IPrincipal
{
    private ExtraHeaders headers;
    private IIdentity identity;

    public CustomPrincipal(IIdentity identity, ExtraHeaders headers = null)
    {
        this.identity = identity;
        this.headers = headers;
    }
    public IIdentity Identity
    {
        get { return identity; }
    }
    public bool IsInRole(string role)
    {
        String[] roles;
        if (identity.Name == "manager")
            roles = new string[1] { "Manager" };
        else
            roles = new string[1] { "User" };
        return roles.Contains(role);
    }
}

Conclusion

Behind the scenes, Juval's classes read(server side) and write(client side) header.

Excerpt, for instance :

     if(OperationContext.Current.IncomingMessageProperties.ContainsKey(ContextMessageProperty.Name))
     {
        ContextMessageProperty contextProperty = OperationContext.Current.IncomingMessageProperties[ContextMessageProperty.Name] as ContextMessageProperty;
        if(contextProperty.Context.ContainsKey(key) == false)
        {
           return null;
        }
        return contextProperty.Context[key]; 
     }

Link to full working source code : http://1drv.ms/1OqPMUM

Link to excellent Juval Lowy's code : Look for "Context bindings as custom context" in the page http://www.idesign.net/Downloads to have the GenericContext class His book is great if you spend time on WCF

Regards