Securing the named pipes used by WCF

Published 2024-10-19 13:23:23


I am a newbie to both WCF and named pipes.

I need a way to securely communicate between a UI application and Windows Service on the same machine. Here's what I need:
- Client UI application needs to send (push) various message types to the Windows Service.
- Client UI app will receive various message types from the service (pushed or pulled).

(A message here is simply structured serialized data.)

Now all this exchange should happen only under an authorized user account (which might be different from the service account). So I was thinking of ACLing a named pipe for both the service and the user account.

However, the named pipe supports streams only. I have multiple types of messages that need to be exchanged over the named pipe, which means I need to define them and serialize/deserialize them.

To circumvent this, I thought of using WCF (for serialization and RPC support) over named pipes, and also hosting the WCF service in the Windows service.

Question 1)
Is this a good approach? I hesitate to use http or tcp below WCF, as communication must remain within the machine.

Question 2)
If and how can I ACL the named pipe that WCF would use? Is this something that I can control?
I feel ACLing the named pipe with specific SIDs provides me better security as opposed to implementing an authentication scheme between client and server.

Thanks for any pointers, suggestions!
Sameer


Comments (3)

蓝天白云 2024-10-26 13:23:23


1) I think this is a good approach. Your thinking is spot on.

2) As you seem to have already discovered, my blog post here shows you one way to set the ACL on the pipe created by the WCF NetNamedPipe binding. It involves using reflection to fill in the gap in Microsoft's implementation, which was obviously intended originally to support a direct mechanism for setting the ACL, but didn't get finished properly.

Derive an AclSecuredNamedPipeBinding from CustomBinding and a corresponding AclSecuredNamedPipeTransportBindingElement from NamedPipeTransportBindingElement. The binding element has a list of SecurityIdentifier:

internal List<SecurityIdentifier> AllowedUsers { get { return _allowedUsers; } }
private List<SecurityIdentifier> _allowedUsers = new List<SecurityIdentifier>();

The BuildChannelListener<TChannel>(BindingContext) method is overridden to set the private property AllowedUsers:

// Requires: using System.Reflection; using System.ServiceModel.Channels;
// The internal listener type is resolved once as a static field of the binding element
// (a field cannot be declared inside a method body).
private static Type namedPipeChannelListenerType
        = Type.GetType("System.ServiceModel.Channels.NamedPipeChannelListener, System.ServiceModel", false);

public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
{
  IChannelListener<TChannel> listener = base.BuildChannelListener<TChannel>(context);
  // AllowedUsers is not public on the listener, so it is reached via reflection
  PropertyInfo p = namedPipeChannelListenerType.GetProperty(
          "AllowedUsers", BindingFlags.Instance|BindingFlags.NonPublic);
  p.SetValue(listener, _allowedUsers, null);
  return listener;
}

If you go this route, be sure also to patch the "squatting vulnerability" as explained in a later post.
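A complete version of the two classes this answer describes, written here as an added example rather than taken from the blog post: it assumes, as the answer states, that the .NET Framework WCF build in use has an internal System.ServiceModel.Channels.NamedPipeChannelListener type with a non-public AllowedUsers property, and it adds the Clone() path the snippet omits, because CustomBinding clones its binding elements when it creates the channel stack, so a SID list that is not copied would reach the listener empty.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Principal;
using System.ServiceModel.Channels;

// Transport element that carries the SIDs allowed to connect to the pipe.
public class AclSecuredNamedPipeTransportBindingElement : NamedPipeTransportBindingElement
{
    // Internal WCF type (assumed name, as in the answer); its non-public AllowedUsers
    // property is what the pipe listener consults when it builds the pipe's DACL.
    private static readonly Type ListenerType = Type.GetType(
        "System.ServiceModel.Channels.NamedPipeChannelListener, System.ServiceModel", true);
    private readonly List<SecurityIdentifier> _allowedUsers = new List<SecurityIdentifier>();

    public AclSecuredNamedPipeTransportBindingElement() { }

    // WCF clones binding elements when it builds the channel stack, so the SID list
    // must survive Clone(); otherwise the listener is built with an empty list.
    protected AclSecuredNamedPipeTransportBindingElement(AclSecuredNamedPipeTransportBindingElement other)
        : base(other)
    {
        _allowedUsers.AddRange(other._allowedUsers);
    }

    public override BindingElement Clone() { return new AclSecuredNamedPipeTransportBindingElement(this); }

    public void AddUserOrGroup(SecurityIdentifier sid) { _allowedUsers.Add(sid); }

    public override IChannelListener<TChannel> BuildChannelListener<TChannel>(BindingContext context)
    {
        IChannelListener<TChannel> listener = base.BuildChannelListener<TChannel>(context);
        PropertyInfo p = ListenerType.GetProperty("AllowedUsers", BindingFlags.Instance | BindingFlags.NonPublic);
        if (p == null)   // fail closed: never open a pipe whose ACL could not be set
            throw new InvalidOperationException("NamedPipeChannelListener.AllowedUsers not found in this WCF build");
        p.SetValue(listener, _allowedUsers, null);
        return listener;
    }
}

// Binding = binary encoder over the ACL-aware transport; AddUserOrGroup is the public surface.
public class AclSecuredNamedPipeBinding : CustomBinding
{
    private readonly AclSecuredNamedPipeTransportBindingElement _transport;
    public AclSecuredNamedPipeBinding() : this(new AclSecuredNamedPipeTransportBindingElement()) { }
    private AclSecuredNamedPipeBinding(AclSecuredNamedPipeTransportBindingElement transport)
        : base(new BinaryMessageEncodingBindingElement(), transport) { _transport = transport; }
    public void AddUserOrGroup(SecurityIdentifier sid) { _transport.AddUserOrGroup(sid); }
}
```

Call AddUserOrGroup for every SID before ServiceHost.Open(); the list is copied into the listener only at that point.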

天暗了我发光 2024-10-26 13:23:23


I tried what is suggested in the "Chris Dickson's blog" above, but after running the service code with admin privilege, I got the exception below.
"There is an issue with StudentService Some or all identity references could not be translated."
Here is my code which hosts the service:

AclSecuredNamedPipeBinding binding = new AclSecuredNamedPipeBinding();
// NTAccount.Translate throws IdentityNotMappedException ("Some or all identity
// references could not be translated") when the named account or group does not exist
SecurityIdentifier allowedGroup = (SecurityIdentifier)(new NTAccount("NPServiceUsers").Translate(typeof(SecurityIdentifier)));
binding.AddUserOrGroup(allowedGroup);
ServiceHost studentServiceHost = new ServiceHost(typeof(StudentService.StudentService));
Uri httpBaseAddress = new Uri("net.pipe://localhost/ServiceHost/ServiceHost");

studentServiceHost.AddServiceEndpoint(
    typeof(StudentService.IStudentService), binding, httpBaseAddress);
studentServiceHost.Open();

Then I tried changing the NTAccount from "NPServiceUsers" to "Administrators", and then I got the exception below.

"There is an issue with StudentService Object reference not set to an instance of an object."

StudentService is the class which implements the IStudentService interface.

public class StudentService : IStudentService
{
    public void DoWork()
    {
    }
}
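An added helper (not the poster's code) for the account-to-SID step in the hosting code above: it resolves every name before the host is opened, uses well-known SIDs for built-in groups so the result does not depend on the localized group name, and reports the names that raise IdentityNotMappedException (the "Some or all identity references could not be translated" error) so the host can refuse to open the pipe with a partial ACL; the group names in the sample dictionary are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

public static class PipeAclIdentities
{
    // Built-in groups are resolved from well-known SIDs so they do not depend on the
    // localized account name ("Administrators" vs "Administratoren"). Constructed sample map.
    private static readonly Dictionary<string, WellKnownSidType> WellKnown =
        new Dictionary<string, WellKnownSidType>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrators", WellKnownSidType.BuiltinAdministratorsSid },
            { "Users", WellKnownSidType.BuiltinUsersSid },
            { "LOCAL SERVICE", WellKnownSidType.LocalServiceSid },
        };

    // Returns the SIDs that resolved; names that could not be mapped are returned in
    // 'unresolved' so the caller can abort instead of opening the pipe with a partial ACL.
    public static List<SecurityIdentifier> Resolve(IEnumerable<string> accountNames, out List<string> unresolved)
    {
        var sids = new List<SecurityIdentifier>();
        unresolved = new List<string>();
        foreach (string name in accountNames)
        {
            WellKnownSidType wk;
            if (WellKnown.TryGetValue(name, out wk))
            {
                sids.Add(new SecurityIdentifier(wk, null));   // domain SID not needed for these types
                continue;
            }
            try
            {
                // Local or domain account/group name, e.g. a custom "NPServiceUsers" group
                sids.Add((SecurityIdentifier)new NTAccount(name).Translate(typeof(SecurityIdentifier)));
            }
            catch (IdentityNotMappedException)
            {
                // The account or group does not exist on this machine (or is unreachable)
                unresolved.Add(name);
            }
        }
        return sids;
    }
}
```

If 'unresolved' is non-empty, log the names and do not call ServiceHost.Open(); each returned SID is then passed to binding.AddUserOrGroup.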