How can I get the WindowsIdentity or WindowsPrincipal of a WCF Claim / SecurityIdentifier (SID)?
I'm trying to allow all users in the Administrators group access through WCF.
    using System.Collections.ObjectModel;
    using System.IdentityModel.Claims;
    using System.Security.Principal;
    using System.ServiceModel;

    internal sealed class AuthorizationManager : ServiceAuthorizationManager
    {
        public override bool CheckAccess(OperationContext operationContext)
        {
            // Respect the base class decision instead of discarding it.
            if (!base.CheckAccess(operationContext))
            {
                return false;
            }
            ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
            ClaimSet claimSet = claimSets[0];
            foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.Identity))
            {
                SecurityIdentifier sid = (SecurityIdentifier)claim.Resource;
                NTAccount ntAccount = (NTAccount)sid.Translate(typeof(NTAccount));
                // This line throws an error. How can I convert a SecurityIdentifier to a WindowsIdentity?
                WindowsIdentity user = new WindowsIdentity(ntAccount.Value);
                WindowsPrincipal principal = new WindowsPrincipal(user);
                return principal.IsInRole(WindowsBuiltInRole.Administrator);
            }
            // No identity SID claim found: deny.
            return false;
        }
    }
You have to authenticate. You have an identifier that identifies an account; it's isomorphic with an account name, i.e. SID: S-1-5-domain-500 <=> DOMAIN\Administrator. A WindowsIdentity is a user that has been authenticated.
That said, I think the user you're trying to get has already been authenticated and is providing a claim of his/her account identity (SID).

JP is correct. The claims provided include the SID of all user groups the user is a member of. Here is our solution.
    using System.Collections.ObjectModel;
    using System.IdentityModel.Claims;
    using System.Security.Principal;
    using System.ServiceModel;

    internal sealed class AuthorizationManager : ServiceAuthorizationManager
    {
        public override bool CheckAccess(OperationContext operationContext)
        {
            // Respect the base class decision instead of discarding it.
            if (!base.CheckAccess(operationContext))
            {
                return false;
            }
            ReadOnlyCollection<ClaimSet> claimSets = operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets;
            ClaimSet claimSet = claimSets[0];
            // Is this a member of the local admins group?
            SecurityIdentifier adminsSid = new SecurityIdentifier("S-1-5-32-544");
            foreach (var claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                if (adminsSid.Equals(claim.Resource))
                {
                    return true;
                }
            }
            // No matching group SID claim: deny.
            return false;
        }
    }
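
The group-SID check from the answer above, as an added example that is not part of the original answers: it walks every claim set instead of only `claimSets[0]`, builds the Administrators SID from `WellKnownSidType` rather than a string, and denies by default. The names `GroupSidAuthorizationManager` and `HasGroupSid` are hypothetical, and skipping non-Windows claim sets is an assumption about which issuers should be trusted for SID claims.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Principal;
using System.ServiceModel;

// Added example; GroupSidAuthorizationManager and HasGroupSid are hypothetical names.
internal sealed class GroupSidAuthorizationManager : ServiceAuthorizationManager
{
    // BUILTIN\Administrators (S-1-5-32-544), built from the well-known enum
    // value rather than a string literal.
    private static readonly SecurityIdentifier AdminsSid =
        new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Fail closed when there is no authenticated caller.
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        if (security == null || security.IsAnonymous)
            return false;

        AuthorizationContext authorization = security.AuthorizationContext;
        return authorization != null
            && HasGroupSid(authorization.ClaimSets, AdminsSid);
    }

    internal static bool HasGroupSid(IEnumerable<ClaimSet> claimSets,
                                     SecurityIdentifier groupSid)
    {
        foreach (ClaimSet claimSet in claimSets)
        {
            // Assumption: only SID claims from the Windows token are trusted,
            // so claim sets added by custom policies are skipped.
            if (!(claimSet is WindowsClaimSet))
                continue;

            foreach (Claim claim in claimSet.FindClaims(ClaimTypes.Sid, Rights.PossessProperty))
            {
                var sid = claim.Resource as SecurityIdentifier;
                if (sid != null && groupSid.Equals(sid))
                    return true;
            }
        }
        return false; // no matching group SID: deny
    }
}
```
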
We are using code we found here to create a WindowsIdentity based on the login name. With a minor modification you can create a similar method that returns a WindowsIdentity based on the SID:
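    // Requires: using System.DirectoryServices.AccountManagement;
    //           using System.Security.Principal;
    public static WindowsIdentity GetWindowsIdentityBySid(string sid)
    {
        // Look the account up by SID in the current user's principal context.
        using (var user =
            UserPrincipal.FindByIdentity(
                UserPrincipal.Current.Context,
                IdentityType.Sid,
                sid
            ))
        {
            // Returns null when no account matches the SID.
            return user == null
                ? null
                : new WindowsIdentity(user.UserPrincipalName);
        }
    }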