WCF and PrincipalPermission
I have a number of services that will be running under the security context of NT Authority\System as a Windows service (the services are NetTCP-based). There are six groups stored in Active Directory that will be allowed to access these services:
Users
Agents
Approvers
Administrators (three levels of admins)
I know I can get the user who is connecting to the service using ServiceSecurityContext.Current.WindowsIdentity.Name.
What I need to do is validate in a business layer that the user context being passed in is able to access the particular service though, and I'd like it to follow an older application my company supports that uses PrincipalPermission passing it a role and using the Demand() method to ensure access.
I guess my initial question is, if I pass PrincipalPermission the ServiceSecurityContext username and the associated role (group), will it automatically know to hit Active Directory behind the scenes since the service is running under the context of an AD account on the same domain? Or is there something special I should do?
Right, when you demand a role, it'll call IPrincipal.IsInRole. This will use whatever implementation the principal has. So, if it's set to Windows, it'll do all the work to hit AD.
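An added example (not code from the question or the answer) showing the mechanism the answer describes: the service host installs a WindowsPrincipal for the caller when `principalPermissionMode` is `UseWindowsGroups` (the WCF default), and both the declarative and the imperative `PrincipalPermission` forms then end up in `WindowsPrincipal.IsInRole`. The contract, the `CONTOSO\Approvers` group and the `Business` class are assumed names.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.Threading;

// Host-side behavior that makes Thread.CurrentPrincipal a WindowsPrincipal for
// each call (this is also the default, so it may be omitted):
//   <serviceBehaviors><behavior>
//     <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
//   </behavior></serviceBehaviors>

[ServiceContract]
public interface IApprovalService
{
    [OperationContract]
    string Approve(int requestId);
}

public class ApprovalService : IApprovalService
{
    // Declarative form: Demand() runs before the method body. It consults only
    // Thread.CurrentPrincipal, so without a WindowsPrincipal on the thread the
    // caller's AD groups are never seen and the demand fails with SecurityException.
    // "CONTOSO\Approvers" is an assumed group name; use your own domain group.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\Approvers")]
    public string Approve(int requestId)
    {
        return Business.Approve(requestId);
    }
}

public static class Business
{
    // Imperative form for a business layer that has no WCF attributes. Same check:
    // WindowsPrincipal.IsInRole translates the role name to a SID (the domain lookup)
    // and compares it against the group SIDs already present in the caller's token.
    public static string Approve(int requestId)
    {
        new PrincipalPermission(null, @"CONTOSO\Approvers").Demand();

        IIdentity identity = Thread.CurrentPrincipal?.Identity;
        string caller = identity?.IsAuthenticated == true ? identity.Name : "(anonymous)";
        return $"request {requestId} approved by {caller}";
    }
}
```

If the service runs with `principalPermissionMode="None"` or `"Custom"`, `Thread.CurrentPrincipal` is not a `WindowsPrincipal`, and `Demand()` will either reject every caller or consult whatever `IPrincipal.IsInRole` your custom principal implements.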