WCF WebHttp混合身份验证(基本和匿名)
[英]WCF WebHttp Mixed Authentication (Basic AND Anonymous)
问题描述
All of this is pertaining to WebHttp binding, hosted in a custom Service Host (IIS is not an option at this time). 
所有这些都与托管在自定义服务主机中的WebHttp绑定有关(IIS目前不可选)。
I've implemented a custom UserNamePasswordValidator, and a custom IAuthorizationPolicy. 我已经实现了一个自定义的UserNamePasswordValidator和一个自定义的IAuthorizationPolicy。 When I configure the endpoint's binding to use Basic authentication, everything works just as I'd like (custom principal, custom roles, etc..). 当我配置终结点的绑定以使用基本身份验证时,一切都按我的意愿进行工作(自定义主体,自定义角色等)。
I'd like to add the ability for anonymous HTTP access as well, and have my custom implementations put the Anonymous user in some default roles, etc.. (if no Authenticate header is sent). 我还想添加匿名HTTP访问的功能,并让我的自定义实现将Anonymous用户设置为某些默认角色,等等。(如果未发送Authenticate标头)。
What happens now is that anonymous users are given a 401 before any of my custom code is hit. 现在发生的是,在我的任何自定义代码被击中之前,匿名用户都将获得401信息。 If I turn off the HTTP Basic authentication requirement, then the Authenticate header is ignored altogether. 如果我关闭了HTTP Basic身份验证要求,则将完全忽略Authenticate标头。
How do I configure, or inject an Authenticate header , to do this both ways (without creating 2 separate endpoints)? 如何配置或注入Authenticate标头 ,以两种方式执行此操作(而无需创建2个单独的端点)?
4 个解决方案
解决方案1
1 已采纳 2008-10-24 16:57:35
First of all, the service responds correctly to the anonymous call, according to the specification . 首先,根据规范 ,服务正确响应匿名呼叫。
Second, this is impossible. 其次,这是不可能的。 When you are self-hosting your service and you have some http binding, WCF will use a System.Net.HttpListener instance to be able to respond to http requests (created in System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen ). 当您自托管服务并具有一些http绑定时,WCF将使用System.Net.HttpListener实例来响应http请求(在System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen创建)。 This listener has a method called HandleAuthentication that is called way before any of your custom code is called. 该侦听器具有一个称为HandleAuthentication的方法,该方法在调用任何自定义代码之前被调用。 It is responsible for sending back the 401 response with the challenge (WWW-Authenticate). 它负责发送带有质询(WWW-Authenticate)的401响应。 There is nothing you can do about this. 您对此无能为力。 If there is, I'd like to know. 如果有,我想知道。
So you're left with the following options: 因此,您剩下以下选项:
- two endpoints 两个端点
- configure your clients to know the default credentials 配置您的客户端以了解默认凭据
- change your clients so they can respond to the challenge 改变您的客户,以便他们可以应对挑战
解决方案2
0 2008-10-18 04:04:55
I've done research on this in the past and found that it is not possible through configuration unless you create 2 separate endpoints (which is not what you want). 过去,我已经对此进行了研究,发现除非您创建2个单独的端点(这不是您想要的端点),否则无法通过配置来实现。 It just simply isn't supported out of the box by WCF. WCF根本就不支持它。
However, WCF is extremely customizable and you could likely do this by writing a custom channel/binding that will do what you want. 但是,WCF具有极高的可定制性,您可以通过编写可满足您需要的自定义通道/绑定来实现此目的。 I recommend you take a look at the REST Chess source code . 我建议您看一下REST Chess源代码 。 It should get you started. 它应该让您开始。
解决方案3
0 2008-10-20 18:53:58
Your best bet is to implement a default roles via a roles provider and let anonymous users automatically join that role. 最好的选择是通过角色提供程序实现默认角色,并让匿名用户自动加入该角色。 Then either programmatically, or via policy injection (aspect oriented) policy, set so that certain anonymous access be allowed via the particular role. 然后,以编程方式或通过策略注入(面向方面)策略进行设置,以便通过特定角色允许某些匿名访问。
As for setting this up via configuration, if it is possible, it would be rather difficult and sort of "hacky". 至于通过配置进行设置,如果可能的话,这将是相当困难的,并且有些“ hacky”。
解决方案4
-2 2008-10-17 17:32:36
I don't think so... I was just writing you need to create to separate endpoint when I decided to read you question again and noticed the last statement of your question. 我不这么认为。。。我只是在写信,当我决定再次阅读您的问题并注意到问题的最后陈述时,您需要创建单独的端点。 So the answer would be no (that I know of) 所以答案是“不”(我知道)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.