简体繁体 English

在企业体系结构上的WCF服务中实现身份验证的最佳方法是什么？

[英]What is the best way to implement authentication in a WCF service on an enterprise architecture?

原文 2009-12-14 03:47:44 9 4 wcf/ security/ authentication/ wcf-security

I'm relatively new to WCF and would like some opinions on what's the best (or most correct) way to implement authentication on an application that exposes its' business layer operations through WCF? 我对WCF比较陌生，想要了解在通过WCF公开其业务层操作的应用程序上实现身份验证的最佳（或最正确）方法是什么？

Is a token supposed to be passed, encripted username/password and verified each time...or what? 是一个应该传递的令牌，用户名/密码，每次验证......或者什么？

Also any links would be appreciated. 也欢迎任何链接。

4 个解决方案

One very important security consideration is that security in WCF works on two levels 一个非常重要的安全考虑因素是WCF中的安全性在两个层面上起作用

Message security 消息安全

Username/Password 用户名密码
Token 代币
Windows Credentials Windows凭据
Client Certificate 客户证书
etc. 等等

Transport Security 运输安全

Service Certificate 服务证书
etc. (I dont really know other cos ive only used 1) 等等（我真的不知道其他cos只用过1）

Its good practice to use a Transport layer security to protect the communication in general, and Message layer to authenticate the user as a valid user, and approve his Privileges. 一般情况下，使用传输层安全性来保护通信，以及将用户作为有效用户进行身份验证的消息层，并批准其权限。

Whether you authenticate on every call is determined if the Service Contract is defined as a 如果将服务合同定义为a，则确定是否对每个呼叫进行身份验证

Singleton 独生子
PerService PerService
PerCall PerCall

I suggest using PerCall as its the most efficient use of hardware resources but this depends alot on your situation. 我建议使用PerCall作为最有效的硬件资源使用，但这取决于你的情况。

WCF offers a lot of mechanisms for authentication and subsequent authorisation. WCF提供了许多身份验证和后续授权机制。

As for authentication: if you're behind a corporate firewall in a LAN, using the straight Windows credentials is the easiest - no messy username/passwords to remember and send around, it just works out of the box. 至于身份验证：如果你是在局域网中的公司防火墙后面，使用直接的Windows凭据是最简单的 - 没有杂乱的用户名/密码记住和发送，它只是开箱即用。 This can be combined with authorisation checks against the Windows group membership system, eg only allow certain groups of users to perform an action. 这可以与针对Windows组成员身份系统的授权检查相结合，例如，仅允许某些用户组执行操作。

If you're looking at internet-facing services, you have the choice between username/password schemes, or certificates. 如果您正在寻找面向互联网的服务，您可以选择用户名/密码方案或证书。 The standard username/password scheme can be checked against the ASP.NET membership system that ASP.NET 2.0 brought us, both for authentication (membership) as well as authorisation (role provider). 可以针对ASP.NET 2.0为我们带来的ASP.NET成员资格系统检查标准用户名/密码方案，包括身份验证（成员资格）和授权（角色提供程序）。

Certificates are great if you're dealing with a very limited set of external users, eg busienss partners or such. 如果您与非常有限的外部用户（例如，商业伙伴等）打交道，证书就很棒。 The certificate must be delivered to the client "out of band", eg on some other way, by disk or something. 证书必须“带外”传送到客户端，例如通过磁盘或其他方式传送给客户端。 But once installed, it's seamless to use and to verify. 但是一旦安装，它就可以无缝使用和验证。

Juval Lowy (author of "Programming WCF Services") has a great article on MSDN on Declarative WCF Security in which he highlights his five security scenarios, how to use and secure them, and he even has a declarative extension for WCF to do this by merely applying an attribute to your service contract - pretty smarT! Juval Lowy（“编程WCF服务”一书的作者）在声明性WCF安全性方面有一篇关于MSDN的精彩文章，其中他强调了他的五个安全场景，如何使用和保护它们，他甚至还有一个WCF的声明性扩展来实现这一点。只是将一个属性应用于您的服务合同 - 非常简单！

I recently implemented a rather large WCF service layer for some media preview services. 我最近为一些媒体预览服务实现了一个相当大的WCF服务层。 Since we are exposing it against the internet, Windows authentication wasn't an option. 由于我们将其暴露在互联网上，因此Windows身份验证不是一种选择。 Due to the fact that we already had an existing user/role system, we also decided not to use ASP.NET membership providers. 由于我们已经拥有现有的用户/角色系统，我们还决定不使用ASP.NET成员资格提供程序。

I ended up implementing a custom authentication/authorization module and using SSL as the transport layer security element. 我最终实现了自定义身份验证/授权模块，并使用SSL作为传输层安全元素。 Using WCF attributes, i can check for role permissions using the standard WCF infrastructure. 使用WCF属性，我可以使用标准WCF基础结构检查角色权限。

Links that helped me on my way getting to the goal: 帮助我实现目标的链接：

http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx http://blogs.msdn.com/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx

http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx http://www.leastprivilege.com/CustomPrincipalsAndWCF.aspx

http://www.samuelotter.com/node/7 http://www.samuelotter.com/node/7

I know of one which I use: Its using the ASP.NET membership framework to do authentication with WCF. 我知道我使用的一个：它使用ASP.NET成员资格框架来对WCF进行身份验证。 I'm currently trying to allow OpenID and other providers into the system which makes me rethink the ASP.NET membership for this type of authentication. 我目前正在尝试允许OpenID和其他提供程序进入系统，这使我重新考虑这种类型的身份验证的ASP.NET成员身份。

But if you are controlling your own accounts, I'd go with the ASP.NET membership. 但是，如果您正在控制自己的帐户，我将使用ASP.NET成员资格。