堆栈内存溢出
  简体   繁体   English

通过WCF服务的多跳传递SecurityException

[英]Pass SecurityException through multiple hops of WCF services

 原文  2015-12-18 16:11:35       c#/ wcf/ exception/ authorization

问题描述

I've got an ASP.NET MVC/WebApi application that acts as a WCF client. 我有一个充当WCF客户端的ASP.NET MVC / WebApi应用程序。 My WCF services are authorizing via ClaimsPrincipalPermission and additionally throw a SecurityException if the combination of the current user and the data does not match (eg user is trying to access data from other user). 我的WCF服务正在通过ClaimsPrincipalPermission进行授权,并且如果当前用户和数据的组合不匹配(例如,用户正在尝试从其他用户访问数据),则还会抛出SecurityException

I catch this as a SecurityAccessDeniedException in my filters and return status code 403. 我在过滤器中将其作为SecurityAccessDeniedException捕获,并返回状态代码403。

This however only works for communication that involves a single hop. 但是,这仅适用于涉及单跳的通信。 If the service itself communicates with yet another service, then the SecurityAccessDeniedException gets turned into a FaultException before it reaches the web application. 如果服务本身与另一个服务进行通信,则SecurityAccessDeniedException在到达Web应用程序之前将转换为FaultException

Example flow: 流程示例: 

Web client --> Service A [SecurityException] --> [SecurityAccessDeniedException] Web

Web client --> Service A --> Service B [SecurityException] 
  --> [SecurityAccessDeniedException] Service A [FaultException] --> [FaultException] Web

I tried implementing an IErrorHandler that handles the SecurityAccessDeniedException but I cannot just throw a SecurityException there. 我尝试实现一个处理SecurityAccessDeniedExceptionIErrorHandler ,但是我不能仅仅在此处抛出SecurityException

What are my options to propagate the SecurityException up to the Web client? 我有什么选择可以将SecurityException传播到Web客户端?

Alternatively: how can I construct a message in my error handler, which the client then correctly interprets as a SecurityAccessDeniedException ? 或者:如何在错误处理程序中构造一条消息,然后客户端将其正确解释为SecurityAccessDeniedException

1 个解决方案

解决方案1
 0 已采纳  2015-12-22 07:52:02

I'm now using an IErrorHandler which generates a corresponding FaultException . 我现在正在使用IErrorHandler ,它生成相应的FaultException On the caller, this generates yet another SecurityAccessDeniedException , which I could then handle with the same IErrorHandler etc. 在调用方上,这将生成另一个SecurityAccessDeniedException ,然后可以使用相同的IErrorHandler等进行处理。 

public void ProvideFault(Exception error, MessageVersion version, ref Message message)
{
    if (error is SecurityAccessDeniedException)
    {
        var code = FaultCode.CreateSenderFaultCode(
            "FailedAuthentication",
            "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");

        var faultText = new FaultReasonText(error.Message, CultureInfo.CurrentCulture);

        var faultException = new FaultException(new FaultReason(faultText), code);
        MessageFault messageFault = faultException.CreateMessageFault();
        message = Message.CreateMessage(version, messageFault, "FailedAuthentication"); // the last parameter might not be semantically correct...
    }
}

I got this idea by looking at http://leastprivilege.com/2007/11/01/wcf-and-securityaccessdeniedexception/ 我通过查看http://leastprivilege.com/2007/11/01/wcf-and-securityaccessdeniedexception/获得了这个想法

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 .NET和Web服务中的多跳模拟 - Multiple hops impersonation in .NET and web services 通过单个WCF端点访问多种服务/方法 - Accessing Multiple Services/Methods through a Single WCF End Point 实例化多个WCF服务 - instantiating multiple WCF services 多个服务的 WCF 服务架构 - WCF Service architecture for multiple services 管理多个OData / WCF服务 - Managing multiple OData / WCF services Silverlight Web服务的SecurityException - SecurityException with Silverlight Web Services 具有多个服务和合同的WCF网站 - WCF Site with multiple services and contracts WCF具有多个服务和命名空间问题 - WCF with multiple services and namespace issues WCF通过多种服务进行交易 - WCF transaction over multiple services WCF 4.5-多个Web服务 - WCF 4.5 - multiple web services
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM