使用ASP.NET角色的WCF表單身份驗證授權=訪問被拒絕？

Question

我有一個基本的WPF應用程序，客戶端將數據寫入數據庫。 我在服務器2012年計算機上使用IIS來承載Web服務。 我正在嘗試實現Forms身份驗證，並且一切正常（從客戶端通過xaml.cs中的用戶名和密碼來對我的ASP.NET用戶進行身份驗證，然后再對其進行身份驗證。然后，我希望實現ASP.NET角色授權不同的命令（提交請求，刪除請求等）。我們應該使用的方法是“ [PrincipalPermission（SecurityAction.Demand，Role =“ Allowed”）]“

從理論上講，當我嘗試按下按鈕時，它應該僅使用在客戶端中傳遞的憑據（我已經確認有效），並且應該檢查我傳遞的用戶是否擔任該角色，如果允許，則允許，如果不允許，否認。 但是，無論用戶是否處於角色中，它仍然會顯示“訪問被拒絕”。

有什么想法嗎？

using System;
using System.Collections.Generic;
using System.Data.Entity.Validation;
using System.Diagnostics;
using System.Linq;
using System.ServiceModel;
using System.Security.Permissions;
using RequestRepository;
using System.Threading;
using System.Web;

namespace RequestServiceLibrary
{
  [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single)]
  public class RequestService : IRequestService
  {
    private List<Request> requests = new List<Request>();
    private RequestLibraryEntities context = new RequestLibraryEntities();

    [PrincipalPermission(SecurityAction.Demand, Role = "Allowed")]
    public string SubmitRequest(Request req)
    {
        Thread.CurrentPrincipal = HttpContext.Current.User;
        if (context.Requests.Count() == 0)
            populateRequests();
        req.Id = Guid.NewGuid().ToString();
        req.TimeSubmitted = DateTime.Now;
        requests.Add(req);
        addRequest(req);
        return req.Id;
    }

    [PrincipalPermission(SecurityAction.Demand, Role = "Allowed")]
    public bool UpdateRequest(Request req)
    {
        Thread.CurrentPrincipal = HttpContext.Current.User;
        bool returnval = false;
        try
        {
            var getobject = requests.Find(x => x.Id.Equals(req.Id));
            if (getobject != null)  //checks to make sure the object isn't empty
            {
                getobject.Username = req.Username;
                getobject.Password = req.Password;
                getobject.RequestedResource = req.RequestedResource;
                getobject.TimeSubmitted = req.TimeSubmitted;
            }
            //Find the request object in the database
            var Id = Guid.Parse(req.Id);
            var rl = context.Requests.Find(Id);
            //Update that object with the values from req            
            rl.Username = req.Username;
            rl.Password = req.Password;
            rl.RequestedResource = req.RequestedResource;
            rl.TimeTransmitted = req.TimeSubmitted;
            context.SaveChanges();
            returnval = true;
            return returnval;
        }
        catch (Exception) { return returnval; }
    }
    public List<Request> GetRequests()
    {
        populateRequests();
        return requests;
    }

    [PrincipalPermission(SecurityAction.Demand, Role = "Disallowed")]
    public bool RemoveRequest(string id)
    {
        bool rval = false;
        try
        {
            Request req = requests.Find(x => x.Id.Equals(id));
            requests.Remove(req);
            rval = delRequest(req);
            return rval;
        }
        catch (Exception)
        {
            return false;
        }
    }


    private void populateRequests()
    {
        requests = new List<Request>();
        var rl = context.Requests.ToList();
        foreach (var r in rl)
        {
            requests.Add(new Request()
            {
                Id = r.Id.ToString(),
                Password = r.Password,
                RequestedResource = r.RequestedResource,
                TimeSubmitted = r.TimeTransmitted,
                Username = r.Username
            });
        }
    }

    private void addRequest(Request req)
    {
        try
        {
            var r = context.Requests.Create();
            r.Id = Guid.Parse(req.Id);
            r.Username = req.Username;
            r.Password = req.Password;
            r.RequestedResource = req.RequestedResource;
            r.TimeTransmitted = req.TimeSubmitted;
            context.Requests.Add(r);
            context.SaveChanges();
        }
        catch (DbEntityValidationException dbEx)
        {
            foreach (var validationErrors in dbEx.EntityValidationErrors)
            {
                foreach (var validationError in validationErrors.ValidationErrors)
                {
                    Console.WriteLine("Property: {0} Error: {1}", validationError.PropertyName, validationError.ErrorMessage);
                }
            }
        }
    }


    private bool delRequest(Request req)
    {
        Guid Id = Guid.Parse(req.Id);
        var r = context.Requests.Create();
        r.Id = Id;
        var rl = context.Requests.Find(Id);
        try
        {
            context.Requests.Remove(rl);
            context.SaveChanges();
            return true;
        }
        catch (Exception) { return false; }
    }

  }
}

Answer 1

為了能夠以這種方式使用PrincipalPermissionAttribute ，您需要首先將Thread.CurrentPrincipal設置為具有適當角色的Principal（在這種情況下為“允許”）。

例如，您可以使用ClientRoleProvider進行此操作，或簡單地手動創建Principal（可能使用從Web服務檢索的角色）。