如何防止某人覆盖获取Windows身份验证并使用用户名进行wcf调用的代码?
[英]How to prevent someone from overriding the code that grabs the windows authentication and uses the username to make wcf calls?
问题描述
Basically, if you use WindowsAuthentication to grab the username, store in a variable and then pass that to any services you use, what's to stop someone from hacking your code and passing in another username? 
基本上,如果您使用WindowsAuthentication来获取用户名,将其存储在变量中,然后将其传递给您使用的任何服务,那么如何阻止某人入侵您的代码并传递另一个用户名?
On the client end you can check the IsAuthenticated, but then after that it only lets you grab the Windows Username, not the Windows password. 在客户端上,您可以检查IsAuthenticated,但是之后,它只能让您获取Windows用户名,而不是Windows密码。
Is there some way to just pass that authentication object itself without letting it be hacked? 有什么方法可以只通过身份验证对象本身而不让其被黑客入侵吗? Otherwise, I might have to switch back to not using Windows Authentication as my Authentication and custom rolling a user/pass with a db table. 否则,我可能不得不切换回不使用Windows身份验证作为身份验证,并且使用db表自定义滚动用户/密码。
1 个解决方案
解决方案1
1 2011-11-11 22:15:19
You can't pass user's credentials outside of your server due to "NTLM one hop" behavior. 由于“ NTLM一跳”行为,您无法在服务器外部传递用户的凭据。 You may be able to configure Kerberos authentication to handle cases when you need user's credentials flow between front end and backend servers. 您可能可以配置Kerberos身份验证,以处理需要前端和后端服务器之间的用户凭据流时的情况。
The other option is to establish trust between servers (ie HTTPS with client certificate) so backend server is able to trust user name coming from your server (as it would be the only one with correct client certificate). 另一种选择是在服务器之间建立信任(即带有客户端证书的HTTPS),以便后端服务器能够信任来自您服务器的用户名(因为它将是唯一具有正确客户端证书的用户名)。 You will not be able to impersonate the user on backend server as you will on ly have a name. 您将无法模拟后端服务器上的用户,因为您将只有一个名称。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.