[英]Pass SecurityException through multiple hops of WCF services
I've got an ASP.NET MVC/WebApi application that acts as a WCF client. 我有一个充当WCF客户端的ASP.NET MVC / WebApi应用程序。 My WCF services are authorizing via
ClaimsPrincipalPermission
and additionally throw a SecurityException
if the combination of the current user and the data does not match (eg user is trying to access data from other user). 我的WCF服务正在通过
ClaimsPrincipalPermission
进行授权,并且如果当前用户和数据的组合不匹配(例如,用户正在尝试从其他用户访问数据),则还会抛出SecurityException
。
I catch this as a SecurityAccessDeniedException
in my filters and return status code 403. 我在过滤器中将其作为
SecurityAccessDeniedException
捕获,并返回状态代码403。
This however only works for communication that involves a single hop. 但是,这仅适用于涉及单跳的通信。 If the service itself communicates with yet another service, then the
SecurityAccessDeniedException
gets turned into a FaultException
before it reaches the web application. 如果服务本身与另一个服务进行通信,则
SecurityAccessDeniedException
在到达Web应用程序之前将转换为FaultException
。
Example flow: 流程示例:
Web client --> Service A [SecurityException] --> [SecurityAccessDeniedException] Web
Web client --> Service A --> Service B [SecurityException]
--> [SecurityAccessDeniedException] Service A [FaultException] --> [FaultException] Web
I tried implementing an IErrorHandler
that handles the SecurityAccessDeniedException
but I cannot just throw a SecurityException
there. 我尝试实现一个处理
SecurityAccessDeniedException
的IErrorHandler
,但是我不能仅仅在此处抛出SecurityException
。
What are my options to propagate the SecurityException
up to the Web client? 我有什么选择可以将
SecurityException
传播到Web客户端?
Alternatively: how can I construct a message in my error handler, which the client then correctly interprets as a SecurityAccessDeniedException
? 或者:如何在错误处理程序中构造一条消息,然后客户端将其正确解释为
SecurityAccessDeniedException
?
I'm now using an IErrorHandler
which generates a corresponding FaultException
. 我现在正在使用
IErrorHandler
,它生成相应的FaultException
。 On the caller, this generates yet another SecurityAccessDeniedException
, which I could then handle with the same IErrorHandler
etc. 在调用方上,这将生成另一个
SecurityAccessDeniedException
,然后可以使用相同的IErrorHandler
等进行处理。
public void ProvideFault(Exception error, MessageVersion version, ref Message message)
{
if (error is SecurityAccessDeniedException)
{
var code = FaultCode.CreateSenderFaultCode(
"FailedAuthentication",
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
var faultText = new FaultReasonText(error.Message, CultureInfo.CurrentCulture);
var faultException = new FaultException(new FaultReason(faultText), code);
MessageFault messageFault = faultException.CreateMessageFault();
message = Message.CreateMessage(version, messageFault, "FailedAuthentication"); // the last parameter might not be semantically correct...
}
}
I got this idea by looking at http://leastprivilege.com/2007/11/01/wcf-and-securityaccessdeniedexception/ 我通过查看http://leastprivilege.com/2007/11/01/wcf-and-securityaccessdeniedexception/获得了这个想法
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.