使用WSHttpBinding时如何限制对本地计算机的WCF服务的访问?
[英]How to restrict access to a WCF service to the local machine when using WSHttpBinding?
问题描述
I'm using WCF to do inter-process communication on my machine, using WSHttpBinding, and I'd like to restrict the service so only processes on the current machine can call the service. 
我正在使用WCF在我的机器上使用WSHttpBinding进行进程间通信,并且我想限制服务,因此只有当前机器上的进程才能调用该服务。 How can I do this? 我怎样才能做到这一点?
I would prefer to use NetNamedPipesBinding which inherently would perform this restriction, however this is not possible in my scenario, so I'd like a way to restrict it using WSHttpBinding. 我更喜欢使用NetNamedPipesBinding,它固有地会执行此限制,但是在我的场景中这是不可能的,所以我想要一种使用WSHttpBinding来限制它的方法。 The reason I can't use NetNamedPipesBinding is that one of the clients to the service is running within a low-integrity process (Internet Explorer in Protected Mode) and doesn't have access to connect to a higher-integrity named pipe (without a lot of undocumented jiggery-pokery like this which looks good but I'd prefer to avoid). 我无法使用NetNamedPipesBinding的原因是该服务的一个客户端在低完整性进程(保护模式下的Internet Explorer)中运行,并且无权连接到更高完整性的命名管道(没有很多无证的jiggery-pokery 像这样看起来不错,但我宁愿避免)。
One option would be to add an IDispatchMessageInspector that restricts by IP Address as described here . 一种选择是添加一个IDispatchMessageInspector,它按照这里描述的IP地址进行限制。 Is that the best approach? 这是最好的方法吗?
UPDATE: This software will be deployed to hundreds of machines, so a solution like using certificates would likely be more work than desired. 更新:该软件将部署到数百台计算机上,因此像使用证书这样的解决方案可能比预期更多。
1 个解决方案
解决方案1
0 2011-09-12 17:31:40
You could try using X509 certificates to create a security signature. 您可以尝试使用X509证书来创建安全签名。 That way, you can hold the lock and the key. 这样,您可以按住锁和钥匙。 Other IPs would be able to hit your service, but not communicate. 其他IP可以打你的服务,但不能沟通。 You could do something like: 你可以这样做:
In the Service: 在服务中:
<behaviors>
<serviceBehaviors>
<behavior name="wsHttpCertificateBehavior">
<dataContractSerializer maxItemsInObjectGraph="50000"/>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
<serviceCredentials>
<clientCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
</clientCertificate>
<serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine"
storeName="My" x509FindType="FindBySubjectDistinguishedName" />
</serviceCredentials>
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
In the Client: 在客户端:
<behaviors>
<endpointBehaviors>
<behavior name="wsHttpCertificateBehavior">
<dataContractSerializer maxItemsInObjectGraph="50000" />
<clientCredentials>
<clientCertificate findValue="CN=WSE2QuickStartClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
<serviceCertificate>
<authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine" />
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<client>
<endpoint address="https://localhost/ClientService.svc" behaviorConfiguration="wsHttpCertificateBehavior" binding="wsHttpBinding" bindingConfiguration="ApplicationServicesBinding" contract="GAINABSApplicationServices.Contracts.ServiceContracts.IClientService" name="ClientService">
<!--<identity>
<certificateReference storeName="AddressBook" storeLocation="CurrentUser"
x509FindType="FindBySubjectName" findValue="WSE2QuickStartServer"
isChainIncluded="true" />
</identity>-->
</endpoint>
</client>
You may optionally need the Identity tag on the client to state that you are explicitly using the cert for the identity when communicating with the service. 您可以选择在客户端上使用Identity标记来声明您在与服务通信时明确使用身份证书。 Hope this helps! 希望这可以帮助!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.