在WCF中通过HTTP进行表单身份验证-我如何知道哪个用户在打电话给我
[英]Forms authentication over http in WCF - how do I know which user is calling me
问题描述
I'm working on a client-server application using WCF. 
我正在使用WCF开发客户端服务器应用程序。 The first client will be a desktop app (WPF) but I plan to add Xamarin (Android and iOS) and web client. 第一个客户端将是桌面应用程序(WPF),但我计划添加Xamarin(Android和iOS)和Web客户端。 I want this to be an internet service, and to potentially support a large number of clients, so I'm using http, a stateless service to conserve server resources. 我希望这是一项Internet服务,并可能支持大量客户端,因此我正在使用http(一种无状态服务)来节省服务器资源。
I am having difficulties implementing authentication logic. 我在实施身份验证逻辑时遇到困难。 I found this great example that implements forms authentication: 我发现了一个实现表单身份验证的出色示例:
http://www.dotnetspeak.com/wcf/securing-wcf-with-forms-authentication/ http://www.dotnetspeak.com/wcf/securing-wcf-with-forms-authentication/
It allows me to handle authentication how I want - compare username and password against the database, create an authentication cookie and return it. 它允许我根据需要处理身份验证-将用户名和密码与数据库进行比较,创建身份验证cookie并将其返回。 Subsequent calls using this cookie will be authenticated automatically. 使用此cookie的后续调用将自动进行身份验证。
But the problem is, I don't know which user called the service. 但是问题是,我不知道哪个用户调用了该服务。 If GetMyData() is called by user1, I want to make sure he only gets his own data. 如果user1调用GetMyData(),我想确保他仅得到自己的数据。 I obviously don't want to have the client send their ID separately with each request, because that can be easily tampered with - just switch "user1" for "user2" and hey presto, you're getting someone else's data. 我显然不希望客户端随每个请求分别发送其ID,因为这很容易被篡改-只需将“ user1”切换为“ user2”,嘿,presto,您正在获取其他人的数据。 I can get to the authentication cookie inside the service method by calling 我可以通过调用以下方法进入服务方法中的身份验证cookie
WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie]
(I can also see there's one other header called "Host") (我还可以看到还有一个名为“ Host”的标头)
The cookie is generated from a FormsAuthenticationTicket, which contains the username and password, but it's encrypted. Cookie是从FormsAuthenticationTicket生成的,该表单包含用户名和密码,但是已加密。 I'm not sure whether it's possible for me to decrypt the cookie in my code, but I'm pretty sure it wouldn't be the correct approach. 我不确定我是否可以解密代码中的cookie,但是我很确定这不是正确的方法。 My method was called AFTER the underlying system authenticated the caller, so presumably the cookie was decrypted and the ticket was found to be valid. 我的方法在基础系统对调用方进行身份验证之后被称为,因此大概是cookie被解密了,并且票证被发现是有效的。 So why can't I get to the data? 那么为什么我不能获得数据呢?
Sadly, every article I've found only deals with authenticating the user, but nobody seems to care about which user is using the service afterwards, as long as he's authorized. 不幸的是,我发现的每篇文章都只涉及对用户进行身份验证,但是似乎没有人关心之后哪个用户使用该服务,只要他被授权即可。
I suppose I could store the cookies server-side, along with mapping to the specific user, and find the user that way. 我想我可以在服务器端存储cookie,并映射到特定用户,然后以这种方式找到用户。 But I want the service to be as stateless as possible for performance reasons. 但是出于性能原因,我希望服务尽可能无状态。 Also, this would involve doing fulltext matching on a 300 character long string - for every single request! 此外,这将涉及对300个字符长的字符串进行全文匹配-对于每个单个请求! Yikes! 哎呀!
It seems to me that what I need is a very common use case, so there must be a proper way to do it. 在我看来,我需要的是一个非常普通的用例,因此必须有一种正确的方法来使用它。 I just can't seem to find it. 我似乎找不到。 Can anyone help me out? 谁能帮我吗?
1 个解决方案
解决方案1
0 已采纳 2017-05-07 14:59:26
If you have Forms authentication setup correctly then you can get the logged-in username via Thread.CurrentPrincipal.Identity.Name and send it to your service method for data access validation. 如果正确设置了表单身份验证,则可以通过Thread.CurrentPrincipal.Identity.Name获取登录的用户名,并将其发送到服务方法以进行数据访问验证。 Get the user id from username and validate ownership. 从用户名获取用户ID并验证所有权。
Thread.CurrentPrincipal.Identity.Name decrypts the cookie ticket and returns the logged-in username. Thread.CurrentPrincipal.Identity.Name解密cookie票证并返回登录的用户名。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.