使受 UserNameOverTransport 保护的 Silverlight WCF SOAP 服务通过 HTTP 工作以用于网络体系结构

发布于 2024-10-18 20:17:10 字数 3005 浏览 3 评论 0原文

我有一个使用 WCF SOAP 服务的 Silverlight 4 应用程序。每次调用都会进行身份验证/授权（准 RESTful）。这是通过使用authenticationMode=UserNameOverTransport 来完成的 - 这基本上意味着该用户名/密码位于每个 WCF 调用中，但受到每个消息的 SSL 加密的保护。这个方案的优点是我可以在 web.config 中配置成员资格提供程序来进行身份验证，使其能够灵活地适应不同的安装。

我有一个客户想要在他们的网络上设置这个网站，其方案是：Internet <= SSL Traffic =>面向外部的启用 SSL 的转发服务器 <= 内部网络中不安全的 HTTP =>托管我的应用程序的服务器。他们向我保证这是一个常见的架构，我相信他们，我不是经验丰富的互联网应用程序开发人员。

我不知道该怎么办，因为我的应用程序设置在启用 SSL 的服务器上（UserNameWithTransport 通过 SSL）。在纯 HTTP 中，我不确定如何获取提供用户特定应用程序数据所需的用户名。 WCF 不提供“UserNameWithNoTransport”身份验证模式，因为这意味着以纯文本形式发送用户名/密码，这是愚蠢的。现在，我的服务器端代码从 ServiceSecurityContext.Current.PrimaryIdentity.Name 获取用户，知道 Web 服务器已经处理了 SSL 加密和用户身份验证。我怎样才能以一种在 HTTP 解决方案中有意义的方式完成这项工作？

我想要一个解决方案，允许我将我的解决方案配置为在 web.config 中的 HTTP 和 HTTPS 情况下工作，如果这是不可能的，那么我们将不胜感激。谢谢，

几天后我将针对这个问题悬赏，如果你在此之前给出一个好的答案，你就会得到它。

编辑：这是所要求的网络配置：

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />
  </configSections>

  <system.web>
        <pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID"/>
    <membership defaultProvider="SampleProvider">
      <providers>
        <add name="SampleProvider" type="MyNamespace.NullMembershipProvider, MyDLL"/>
      </providers>
    </membership>    
  </system.web>

  <appSettings>
    ...
  </appSettings>

  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <customBinding>
        <binding name="BinaryCustomBinding" sendTimeout="00:10:00">
          <security authenticationMode="UserNameOverTransport"/>
          <binaryMessageEncoding />
          <httpsTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />
        </binding>
      </customBinding>
    </bindings>

    <services>
      <service name="MyNamespace.MyService">
        <endpoint
                    binding="customBinding" bindingConfiguration="BinaryCustomBinding"
                    name="MyService" contract="MyNamespace.IServiceContract" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata
            httpsGetEnabled="true"
            httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="SampleProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel> 


  <log4net>
...
  </log4net>
</configuration>

原文

I have a Silverlight 4 application that uses a WCF SOAP service. The authentication/authorization happens per call (quasi RESTful). This is done by using authenticationMode=UserNameOverTransport - this basically means that that username/password is in each WCF call, but is protected by the SSL encryption of each message. The great thing about this scheme is that I can configure a membership provider in my web.config to do the authentication, making it flexible for different installations.

I have a client that would like to set this website up on their network where the scheme is: Internet <= SSL Traffic => External facing SSL enabled forwarding server <= unsecure HTTP in their internal network => server that hosts my application. They assure me this is a common architecture and I believe them, I am not that experienced an internet application developer.

I am not sure what to do about this as my application is set up to be on the SSL enabled server (UserNameWithTransport is over SSL). in plain HTTP I am not sure how I would get the username which I need to provide the user specific application data. WCF does not provide a "UserNameWithNoTransport" authenticationMode as that would mean sending the username/password in plain text, which is silly. Right now my server side code gets the user from the ServiceSecurityContext.Current.PrimaryIdentity.Name, knowing that the web server has already taken care of the SSL encryption and user authentication. How can I have this work in a way that makes sense in an HTTP solution?

I would like a solution that allows me to configure my solution to work in both the HTTP and HTTPS situation from the web.config, if this is not possible than any other advice is appreciated. thanks

I will place a bounty on this question in a few days, if you give a good answer before then you'll get it.

EDIT: here is the web config as requested:

<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />
  </configSections>

  <system.web>
        <pages controlRenderingCompatibilityVersion="4.0" clientIDMode="AutoID"/>
    <membership defaultProvider="SampleProvider">
      <providers>
        <add name="SampleProvider" type="MyNamespace.NullMembershipProvider, MyDLL"/>
      </providers>
    </membership>    
  </system.web>

  <appSettings>
    ...
  </appSettings>

  <system.serviceModel>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
    <bindings>
      <customBinding>
        <binding name="BinaryCustomBinding" sendTimeout="00:10:00">
          <security authenticationMode="UserNameOverTransport"/>
          <binaryMessageEncoding />
          <httpsTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />
        </binding>
      </customBinding>
    </bindings>

    <services>
      <service name="MyNamespace.MyService">
        <endpoint
                    binding="customBinding" bindingConfiguration="BinaryCustomBinding"
                    name="MyService" contract="MyNamespace.IServiceContract" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="">
          <serviceMetadata
            httpsGetEnabled="true"
            httpGetEnabled="false" />
          <serviceDebug includeExceptionDetailInFaults="true" />
          <serviceCredentials>
            <userNameAuthentication
              userNamePasswordValidationMode="MembershipProvider"
              membershipProviderName="SampleProvider"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel> 


  <log4net>
...
  </log4net>
</configuration>

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

白云悠悠 2024-10-25 20:17:10

在 .NET 4 中允许通过 HTTP UserNameOverTransport 是可能的，但我认为在 Silverlight 中这是不可能的。您需要设置安全元素的 allowInsecureTransport 属性：

<customBinding>         
  <binding name="BinaryCustomBinding" sendTimeout="00:10:00">           
    <security authenticationMode="UserNameOverTransport" allowInsecureTranposrt="true"/>             
    <binaryMessageEncoding />           
    <httpTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />           
  </binding>       
</customBinding>

问题是 allowInsecureTranposrt 是在 Silverlight 中不可用。如果没有这个，您将无法通过不安全的通道使用 UserName 令牌。

Allowing UserNameOverTransport over HTTP is possible in .NET 4 but I think it is not possible in Silverlight. You need to set allowInsecureTransport attribute of security element:

<customBinding>         
  <binding name="BinaryCustomBinding" sendTimeout="00:10:00">           
    <security authenticationMode="UserNameOverTransport" allowInsecureTranposrt="true"/>             
    <binaryMessageEncoding />           
    <httpTransport maxBufferSize="100000" maxReceivedMessageSize="100000" />           
  </binding>       
</customBinding>

The problem is that allowInsecureTranposrt is not available in Silverlight. Without this you can't use UserName token over unsecured channel.

回复收藏 0 原文

~没有更多了~