![](/img/trans.png)
[英]What is the recommended way to do WCF username/password authentication in DMZ
[英]Username and password authentication for WCF service behind DMZ firewall
情境
客户端<-通过HTTPS-> DMZ防火墙<-仅通过HTTP-> WCF服务
当客户端尝试连接到WCF服务时,它必须通过HTTPS(SSL)进行连接。 如果尝试通过HTTP连接,则DMZ防火墙仍然会将其重定向到HTTPS。 当请求到达DMZ防火墙时,它将通过不安全的连接(仅HTTP)转发到WCF服务。
我希望通过用户名和密码身份验证来保护我的服务,因此我尝试使用模式TransportWithMessageCredential
和自定义UserNamePasswordValidator
设置wsHttpBinding
。
我的web.config文件看起来像
<system.serviceModel>
<services>
<service name="WcfService1.TestWcfService" behaviorConfiguration="WcfService1.TestWcfServiceBehavior">
<!-- Service Endpoints -->
<endpoint address="" binding="wsHttpBinding" bindingName="wsHttpBinding_behind_firewall" contract="WcfService1.ITestWcfService">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="WcfService1.TestWcfServiceBehavior">
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfService1.WcfAuthenticationValidator, WcfService1"/>
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding_behind_firewall">
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None" />
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
</system.serviceModel>
我的密码验证器类如下所示:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Security.Principal;
using System.ServiceModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
namespace WcfService1
{
public class WcfAuthenticationValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if (userName == null)
{
throw new ArgumentNullException(nameof(userName));
}
if (password == null)
{
throw new ArgumentNullException(nameof(password));
}
//TODO: get username and password from DB and compare incoming password with one stored in DB.
if (!(userName == "hello" && password == "world"))
{
throw new SecurityTokenException("Unknown Username or Incorrect Password");
}
}
}
}
要连接到此WCF服务,我的客户端代码如下所示:
TestWcfService.TestWcfServiceClient client = new TestWcfService.TestWcfServiceClient();
client.ClientCredentials.UserName.UserName = "hello";
client.ClientCredentials.UserName.Password = "world";
Console.WriteLine(client.GetData(0));
此客户端应用程序的app.config包含:
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpBinding_behind_firewall_ITestWcfService" />
</wsHttpBinding>
</bindings>
<client>
<endpoint address="https://example.com/TestWcfService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_behind_firewall_ITestWcfService"
contract="TestWcfService.ITestWcfService" name="wsHttpBinding_behind_firewall_ITestWcfService">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
</client>
</system.serviceModel>
wsHttpBinding的棘手部分是WCF服务期望所有传入流量都将通过HTTPS。
我希望服务器接受HTTP和HTTPS传入流量,并进行用户名和密码验证。 谁能帮我这个?
您可以在web.config中添加具有两种不同绑定配置的两个端点-一个端点用于http,另一个端点用于https。
类似于以下内容:
<bindings>
<wsHttpBinding>
<binding name="wsHttpsBindingConfig" >
<security mode="TransportWithMessageCredential">
<transport clientCredentialType="None">
</transport>
</security>
</binding>
<binding name="wsHttpBindingConfig" >
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="WcfService1.Service1">
<endpoint name="wsHttpBinding"
contract="WcfService1.IService1"
binding="wsHttpBinding"
bindingConfiguration="wsHttpBindingConfig"
address="" >
</endpoint>
<endpoint name="wsHttpsBinding"
binding="wsHttpBinding"
bindingName="wsHttpBinding_secure"
contract="WcfService1.IService1"
bindingConfiguration="wsHttpsBindingConfig"
address="">
<identity>
<dns value="localhost"/>
</identity>
</endpoint>
</service>
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.