
Is WIF a good option for securing WCF 4.0 Restful service with iPhone

I have a project which needs to expose a WCF restful service to an iPhone/iPad client. The WCF worked, now I need to secure it with username and password.

For some reason I am a little reluctant to go with CustomBasicAuth.

OAuth is also not ideal in the WCF world for now, you have to create a wrapper to work around it. Please DO correct me if I am wrong.

Now, I am looking at the Windows Identification Foundation. To be honest, that looks like a smart way but lacking documentation.

There are 2 things that have to be put into consideration:

  1. The implementation has to be iPhone friendly (not just used in the .NET world).

  2. The implementation needs to be easily deployed to the cloud (Azure).

I would like to know which option you would choose, and what is the reason for choosing it. Any links or references will be greatly appreciated.

You might want to try this basic authentication implementation for WCF REST, http://weblogs.asp.net/cibrax/archive/2009/03/20/custom-basic-authentication-for-restful-services.aspx

Based on your requirements, basic authentication should be enough for what you need. WIF will only add some noise in the mix.

Thanks Pablo.

Windows Identity Foundation - WIF, uses SAML 2.0 claims.

So it is a good fit both for cross platform and the cloud.

Here is a link to WIF documentation: http://msdn.microsoft.com/en-us/security/aa570351

Note that WIF is also used for Windows Azure Access Control Services.

I'm using WIF in a custom STS in Azure for one of our sites. I think my only concern would be whether the agent, in this case iPhone/iPad, can handle the size of the cookies that WIF generates, as they can be quite large. We've been inundated with exceptions related to the claim not working in certain browsers due to cookie size limits. Of course, I don't know if these limits exist for the platforms you're using.

Check this nice Code Project article:

http://www.codeproject.com/Articles/149738/Basic-Authentication-on-a-WCF-REST-Service

I am investigating this issue as well, so I am not sure this is the full approach but still worth reading.

I would add the following architectural concern to your question:

What if you want to support both active (WCF) and passive (web browser authentication) in the same system? I am still not sure about that.
