[英]WCF service without SSL but with Windows Group authentication
We are trying to create a WCF service that is only accesible by specified windows groups. 我们正在尝试创建只能由指定的Windows组访问的WCF服务。 How can this be configured in the server web.config and the client configuration?
如何在服务器web.config和客户端配置中配置?
Note: We want to be able to control the windows groups who are allowed access in the server web.config not in code. 注意:我们希望能够控制允许在服务器web.config中访问的窗口组,而不是代码。 Also, we dont want/need SSL at all.
此外,我们根本不需要/需要SSL。
Ive googled around and then best examples I can find are all like this... 我用Google搜索,然后我能找到的最好的例子都是这样的......
WCF Service, Windows Authentication WCF服务,Windows身份验证
But that doesnt explain how to limit access only to a specific group or groups. 但这并不能解释如何限制只访问特定组或组。
If this is intranet application you can use netTcpBinding: 如果这是Intranet应用程序,您可以使用netTcpBinding:
<services>
<service name="YourService"
behaviorConfiguration="YourServiceBehavior">
<endpoint
binding="netTcpBinding"
bindingConfiguration="SecureTransportWindows"
contract="YourContract" />
</service>
</services>
<bindings>
<binding name="SecureTransportWindows">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="UseWindowsGroups" />
</behavior>
</serviceBehaviors>
</behaviours>
And then in service code you can demand windows role: 然后在服务代码中,您可以要求Windows角色:
class YourService : YourContract
{
[PrincipalPermission(SecurityAction.Demand, Role="MYDOMAIN\Administrators")]
public string SecuredOperation(string name)
{
return "secured operation";
}
}
If you need to set it in config then you must implement custom authorization: 如果需要在config中进行设置,则必须实现自定义授权:
<behavior name="YourServiceBehavior">
<serviceAuthorization principalPermissionMode="Custom">
<authorizationPolicies>
<add policyType="YourCustomAuthorizationPolicy"/>
</authorizationPolicies>
</serviceAuthorization>
</behavior>
And in code implement IAuthorizationPolicy interface: 并在代码实现IAuthorizationPolicy接口:
public class YourCustomAuthorizationPolicy : IAuthorizationPolicy
{
//you need to check msdn
}
Ok this is the solution we came up with. 好的,这是我们提出的解决方案。 Although it does involve a code change (adding the AspNetCompatibilityRequirements attribute) we can now acheive configuration of the groups/roles in the web.config file rather than hardcoding.
虽然它确实涉及代码更改(添加AspNetCompatibilityRequirements属性),但我们现在可以在web.config文件中实现组/角色的配置,而不是硬编码。
There are a number of steps to this... 这有很多步骤......
1) Add the aspNetCompatibilityEnabled attribute into the serviceHostingEnvironment element and set to true, eg... 1)将aspNetCompatibilityEnabled属性添加到serviceHostingEnvironment元素并设置为true,例如......
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
This tells the WCF service to running in ASP.NET Compatibility Mode and participate fully in the ASP.NET HTTP request lifecycle. 这告诉WCF服务在ASP.NET兼容模式下运行并完全参与ASP.NET HTTP请求生命周期。 See this MSDN article for full details.
有关完整详细信息,请参阅此MSDN文章 。
2) In the WCF code add AspNetCompatibilityRequirements attribute to the service class as per the link above and as specified in this MSDN article ... 2)在WCF代码中,根据上面的链接和本MSDN文章中的规定,将AspNetCompatibilityRequirements属性添加到服务类中......
<AspNetCompatibilityRequirements(RequirementsMode:=AspNetCompatibilityRequirementsMode.Allowed)>
3) Now we can add the usual ASP authorization element in to restrict access to the specified groups/users (without the settings (1) and (2) above, this would be ignored by WCF)... 3)现在我们可以添加通常的ASP 授权元素来限制对指定组/用户的访问(没有上面的设置(1)和(2),这将被WCF忽略)...
<system.web>
<authorization>
<allow roles="MYDOMAIN\WCFAuthenticatedUsers" /> <-- allows access to users in this group
<deny users="*" /> <-- denies access to all other users
</authorization>
</system.web>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.