WCF AuthorizationPolicy: Impersonation Problem

I have the following situation (outline):

Authorization Webservice
This service gets called and verifies (by executing the given business logic) whether a user is valid or not.

Custom Business Webservice
This is some webservice created for a business app, that internally calls the "Authorization Webservice" in order to verify the account which called the business webservice.

I realized this logic by making use of WCF service authorization in my "Custom Business Webservice". Basically I configured

<serviceAuthorization principalPermissionMode="Custom">
    <authorizationPolicies>
        <add policyType="MyCompany.Authorization.WCF.AuthorizationPolicy, MyCompany.AuthorizationDll"/>
    </authorizationPolicies>
</serviceAuthorization>

The AuthorizationPolicy internally invokes the "Authorization Webservice".

The Problem
The problem is that I need to impersonate the caller of my "Custom Business Webservice". The client identity is the correct one, however the WindowsIdentity is that of the application pool user.
Note, impersonation works within the service itself if I use [OperationBehavior(Impersonation = ImpersonationOption.Required)], but it does not work within the AuthorizationPolicy's Evaluate(...) method.

(I use transport-level security with Windows authentication credentials, obviously.)

Does anyone have any hints on how I can impersonate the caller prior to entering the IAuthorizationPolicy.Evaluate(...) method?

It always feels a bit strange answering my own questions, but for the sake of sharing what I've got with others I'm going to post the "solution" here.

I'll try to make it short:

  1. Impersonating in the IAuthorizationPolicy.Evaluate(...) is not possible. (S4U2Self may work; I didn't test that since I didn't have that option.)

As I already mentioned, impersonating the caller within the webservice operation worked by placing the [OperationBehavior(Impersonation = ImpersonationOption.Required)] attribute. So calling my custom webservice for retrieving the principal as the first statement in my service operation would always work. I didn't like that approach, however.
As an alternative I tried to find the latest possible point in the call chain of a WCF service operation where the impersonation finally worked. This is where I found the OperationInvoker.

The following diagram illustrates the sequence of dispatchings that are done before the call arrives at the actual operation (taken from here):

Parameter Inspection was too early, impersonation didn't yet work, but luckily it worked in the Operation Invoker. So by writing a custom operation invoker and wrapping everything into a custom operation behavior attribute I was able to elegantly solve the problem.

More info in a corresponding blog post I wrote.
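As an added illustration of the invoker approach described in the answer (this is not the author's code, nor the code from the linked blog post), the following sketches a custom IOperationInvoker that impersonates the caller before delegating to the original invoker, wrapped in an operation-behavior attribute. The names ImpersonateCallerAttribute and ImpersonatingInvoker are assumed, as is .NET Framework WCF with synchronous operations only.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Security;

// Hypothetical attribute: put it on a service operation so the whole invocation
// (including any call to an authorization service) runs under the caller's identity.
[AttributeUsage(AttributeTargets.Method)]
public sealed class ImpersonateCallerAttribute : Attribute, IOperationBehavior
{
    public void ApplyDispatchBehavior(OperationDescription description, DispatchOperation dispatch)
    {
        // Wrap the invoker WCF already installed; the rest of the dispatch pipeline is untouched.
        dispatch.Invoker = new ImpersonatingInvoker(dispatch.Invoker);
    }

    public void AddBindingParameters(OperationDescription description, BindingParameterCollection parameters) { }
    public void ApplyClientBehavior(OperationDescription description, ClientOperation proxy) { }
    public void Validate(OperationDescription description) { }
}

internal sealed class ImpersonatingInvoker : IOperationInvoker
{
    private readonly IOperationInvoker _inner;
    public ImpersonatingInvoker(IOperationInvoker inner) { _inner = inner; }

    public object Invoke(object instance, object[] inputs, out object[] outputs)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current?.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
            // Fail closed: without a Windows identity there is nothing to impersonate.
            throw new SecurityAccessDeniedException("Caller has no Windows identity to impersonate.");

        // The impersonation context is reverted on Dispose, even if the operation throws.
        using (caller.Impersonate())
        {
            return _inner.Invoke(instance, inputs, out outputs);
        }
    }

    public object[] AllocateInputs() { return _inner.AllocateInputs(); }
    public bool IsSynchronous { get { return true; } }
    public IAsyncResult InvokeBegin(object instance, object[] inputs, AsyncCallback callback, object state)
    { throw new NotSupportedException("Async operations are not handled by this example."); }
    public object InvokeEnd(object instance, out object[] outputs, IAsyncResult result)
    { throw new NotSupportedException("Async operations are not handled by this example."); }
}
```

Anything the operation does from here on, such as calling the "Authorization Webservice", runs under the caller's WindowsIdentity rather than the application pool account, and the using block guarantees the identity is reverted before the thread returns to the pool.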
