Authentication Service using WCF

I have a custom MembershipProvider as shown below. It validates the user name and password against Active Directory. I would like to make this an "authentication service". This should work even if the client uses forms authentication or Windows authentication.

There is a WCF "HR Service" which provides employee information. The "HR UI" website is using the "HR Service" WCF service. Now we need to ensure that any client using the "HR Service" is authenticated using the "authentication service" before accessing the operations of the "HR Service". If the client application is authenticated once, from the next time onwards it should not be validated again (until the application is closed). When a new instance of the client application is opened it needs to be authenticated from the beginning.

How do we achieve it? Do we have any code samples for an end-to-end flow demonstration?

Note: I should be able to test it using self-hosted services.

Note: The client can be of any platform (e.g. Java).

using System.Web.Security;

namespace LijosCustomValidation
{
    public sealed class LijoMembershipProvider : MembershipProvider
    {
        public override bool ValidateUser(string username, string password)
        {
            bool isValid = true;
            // my logic to validate the user name and password against Active Directory
            return isValid;
        }

        // other implementations of abstract methods from MembershipProvider
    }
}

Your auth service should return a token if the auth is successful. This token in turn should then be presented to the HR service.

You have a couple of options as to what the HR service does at this point. It can either know the secret to validate the token, or it needs to call the auth service to validate the token.

The token should be some value that can be validated if you know the secret, so it could be something, say the user's id, that is symmetrically encrypted. Ideally it should have a time component in it to prevent replay attacks.

I'd suggest something like

<hash value>|<token issue time>|<user id>

The hash value should be a hash (sha1, md5, etc.) of everything after the first pipe. You can then base64 encode the result and pass it around. Validating the token could then check the issue date was within a certain time-frame.

You also have the option of storing the token in the client in a cookie and passing it as a cookie to the services, or making it a parameter on your services. There may be other options, depending on your client architecture and how you want to structure your services.
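The token layout the answer suggests, written out as an added example that is not part of the original post or answer. Two points a practitioner would insist on are built in: the "hash" is a keyed HMAC-SHA256 rather than a bare SHA1/MD5 over the fields (an unkeyed hash of public values can be recomputed by anyone, so it proves nothing to the HR service; the shared key is what "knowing the secret" means), and the MAC is checked in constant time before any field of the payload is trusted. The `AuthToken` class, its method names, and the `maxAge` / clock-skew tolerance values are assumptions made for this example; the key is generated randomly here only so the sample runs stand-alone, whereas the auth service and the HR service would load the same key from protected configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original poster's or answerer's code).
// Token wire format, before base64: <base64 HMAC>|<issue time, unix seconds>|<user id>
public static class AuthToken
{
    // Issued by the authentication service after MembershipProvider.ValidateUser succeeds.
    public static string Issue(byte[] key, string userId, DateTimeOffset issuedAt)
    {
        string payload = issuedAt.ToUnixTimeSeconds() + "|" + userId;
        string tag = Convert.ToBase64String(Mac(key, payload));   // base64 never contains '|'
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(tag + "|" + payload));
    }

    // Called by the HR service at the top of each operation (or from a message inspector).
    // Returns false for malformed, forged, future-dated, or expired tokens.
    public static bool TryValidate(byte[] key, string token, DateTimeOffset now,
                                   TimeSpan maxAge, out string userId)
    {
        userId = null;
        string decoded;
        byte[] presentedTag;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(token)); }
        catch (FormatException) { return false; }

        // Exactly three fields; a '|' inside the user id stays in parts[2] and is still covered by the MAC.
        string[] parts = decoded.Split(new[] { '|' }, 3);
        if (parts.Length != 3) return false;

        try { presentedTag = Convert.FromBase64String(parts[0]); }
        catch (FormatException) { return false; }

        // Recompute the MAC over everything after the first pipe and compare in constant time
        // BEFORE parsing the time or trusting the user id.
        byte[] expectedTag = Mac(key, parts[1] + "|" + parts[2]);
        if (!FixedTimeEquals(presentedTag, expectedTag)) return false;

        long issuedUnix;
        if (!long.TryParse(parts[1], out issuedUnix)) return false;
        DateTimeOffset issuedAt = DateTimeOffset.FromUnixTimeSeconds(issuedUnix);

        // Assumed policy: tolerate 1 minute of clock skew, reject anything older than maxAge.
        if (issuedAt > now.AddMinutes(1)) return false;
        if (now - issuedAt > maxAge) return false;

        userId = parts[2];
        return true;
    }

    private static byte[] Mac(byte[] key, string data)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // Length-independent, branch-free comparison so a forged tag cannot be refined byte by byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = new byte[32];                       // demo only: shared key would come from config
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);

        DateTimeOffset t0 = DateTimeOffset.UtcNow;
        string token = AuthToken.Issue(key, "DOMAIN\\lijo", t0);
        string user;

        Console.WriteLine(AuthToken.TryValidate(key, token, t0.AddMinutes(5), TimeSpan.FromHours(8), out user) + " " + user);
        // Expired: presented 9 hours later with an 8-hour lifetime.
        Console.WriteLine(AuthToken.TryValidate(key, token, t0.AddHours(9), TimeSpan.FromHours(8), out user));
        // Tampered: change the user id after issuance; MAC no longer matches.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes(
            Encoding.UTF8.GetString(Convert.FromBase64String(token)).Replace("lijo", "admin")));
        Console.WriteLine(AuthToken.TryValidate(key, forged, t0, TimeSpan.FromHours(8), out user));
    }
}
```

The issue-time window bounds how long a captured token stays usable; it does not stop replay inside that window, so transport the token only over TLS (the HTTPS bindings in WCF) and keep the lifetime as short as the "until the application is closed" requirement allows. Because the token is opaque base64 text, a Java client can carry it in a SOAP header or as an operation parameter without needing any .NET-specific machinery.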
