WCF 自定义验证器:如何初始化“用户”验证器来自自定义验证器的对象
我有一个工作自定义 UserNamePasswordValidator 可以调用我的 Oracle DB。
此类派生自 System.IdentityModel.Selectors.UserNamePasswordValidator,并且 Validate() 方法返回 void。
我从数据库加载我的用户对象,一旦验证了密码,我想隐藏我的“用户”对象,以便服务在处理其业务时可以访问它。在 ASP.NET/Java 领域,我会将其存储到会话中,或者可能是我的整个控制器类中。如何从 WCF 中的验证器执行此操作?
或者,换句话说,WCF 领域为服务设置自定义用户域对象的最佳实践是什么。
更新:这就是我解决这个问题的方法。我在验证器期间缓存 User 对象,然后在 AuthorizatinPolicy 步骤中访问它。
// this gets called after the custom authentication step where we loaded the User
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// get the authenticated client identity
IIdentity client = GetClientIdentity(evaluationContext);
User user;
OraclePasswordValidator.users.TryGetValue(client.Name, out user);
if(user != null) {
// set the custom principal
evaluationContext.Properties["Principal"] = user;
return true;
}
return false;
}
I have a working custom UserNamePasswordValidator that calls into my Oracle DB.
This class derives from System.IdentityModel.Selectors.UserNamePasswordValidator and the Validate() method returns void.
I load my User object from the database, and once the password is validated, I want to stash my "User" object so the service can access it when going about its business. In ASP.NET / Java land I would stash it into a session, or perhaps my overall Controller class. How do I do this from the Validator in WCF?
Or, in other words, what is the best practice in WCF land to set a custom User domain object for the service.
Update: This is how I've worked around it. I cache the User object during the validator, then access it later in the AuthorizatinPolicy step.
// this gets called after the custom authentication step where we loaded the User
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// get the authenticated client identity
IIdentity client = GetClientIdentity(evaluationContext);
User user;
OraclePasswordValidator.users.TryGetValue(client.Name, out user);
if(user != null) {
// set the custom principal
evaluationContext.Properties["Principal"] = user;
return true;
}
return false;
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我不是 WCF 专家,但从我迄今为止阅读和实现的内容来看,执行此操作的“正确”方法是使用
Validator进行身份验证用户,然后实现一个IAuthorizationPolicy来执行实际的授权。因此,您将在授权策略中在当前线程上设置自定义主体。为了能够转发来自用户名/密码验证的信息,您可以实现一个继承自
UserNameSecurityTokenAuthenticator的安全令牌身份验证器。 SecurityTokenAuthenticator将首先调用验证器,如果验证成功,它可以添加您的自定义授权策略并通过构造函数将用户信息发送到策略。内容很长:这里有一篇文章对所涉及的类进行了更多描述; http://blogs.msdn.com/card/archive/2007/10/04/how-identity-providers-can-show-custom-error-messages-in-cardspace.aspx
I'm not a WCF expert, but from what I've read and implemented so far, the 'correct' way to do this would be to use the
Validatorto authenticate the user, and then implement anIAuthorizationPolicyto do the actual authorization. So it would be in the authorization policy that you'll set your custom principal on the current thread.To be able to forward information from the username/password validation, you can implement a security token authenticator that inherits from
UserNameSecurityTokenAuthenticator. The SecurityTokenAuthenticator will first call the validator and if validation succeeds, it can add your custom authorization policy and send userinfo to the policy through the constructor. Something a long the lines of this:There's an article here that describes a bit more around the involved classes; http://blogs.msdn.com/card/archive/2007/10/04/how-identity-providers-can-show-custom-error-messages-in-cardspace.aspx
我有完全相同的问题。
我正在使用 API 连接到底层 Oracle 数据库,并通过打开连接来“验证”登录详细信息。
然后,我想将此连接存储在某个地方(很简单,我将为所有不同的用户创建一个连接池),但也创建一个代表该用户的自定义身份和主体,这样一旦它到达我的自定义 IAuthorizationPolicy,它就不会'不需要重新加载此信息。
我已经进行了大量搜索,但没有找到任何内容,因此我的计划是这样做:
通过打开 API 连接来验证自定义 UserNamePasswordValidator 中的登录详细信息。
将打开的连接存储在用户名下的连接池中。
当调用我的自定义 IAuthorizationPolicy.Evaluate() 时,我将查看提供的通用身份:
抱歉,我无法摆脱这个糟糕的 HTML 转义)
然后我获取一个连接从基于 IIdentity.Name 的池中,使用此连接从数据库加载特定于用户的数据,并将其存储在我在评估上下文中设置的自定义身份和主体中:
那么我应该可以在需要时使用 System.Threading.Thread.CurrentPrincipal 或 CurrentIdentity 访问我的自定义身份和主体。
希望这能在某种程度上有所帮助;我不确定这是最好的方法,但这是迄今为止我想到的最好的方法......
史蒂夫
I have exactly the same issue.
I am using an API to connect to my underlying Oracle Database, and I "validate" logon details by opening a connection.
I then want to store this connection somewhere (easy enough, I will create a connection pool for all the different users), but also create a custom Identity and Principal representing this user, so that once it gets to my custom IAuthorizationPolicy, it doesn't need to reload this information.
I have done a lot of searching and not found anything so my plan is to do this:
Validate login details in custom UserNamePasswordValidator by opening API connection.
Store opened connection in connection pool under the user name.
When my custom IAuthorizationPolicy.Evaluate() is called, I will look at the generic identity provided:
(sorry I can't get rid of this poor HTML escaping)
I then grab a connection from the pool based on the IIdentity.Name, use this connection to load up user-specific data from the database and store this in a custom Identity and Principal which I set in the EvaluationContext:
Then I should have access to my custom identity and principal whenever I need it by using System.Threading.Thread.CurrentPrincipal or CurrentIdentity.
Hope this helps in some way; I'm not sure it's the best way to go about it, but it's the best I've come up with so far...
Steve