WCF and authentication

Posted on 2024-11-06 15:29:58

Yesterday I began learning WCF by porting an existing ASP.NET Web Service.

Creating the WCF service was very easy in itself. Approximately an hour after I created my first WCF Service Library project ever, I was already successfully testing my new WCF service in the WCF Test Client.

Now I would like to implement a simple authentication system, but still do not know how. For the sake of simplicity, say my Web Service has three operations: logging in, getting the length of the user's name, and logging out. How do I complete the TODOs in the following code?

[ServiceContract]
public class MyService
{
    [OperationContract(IsInitiating = true, IsTerminating = false)]
    public bool Login(string userName, string password)
    {
        /* I have already implemented the function that validates
           whether the user name and password are correct. */
        if (ValidateLogin(userName, password))
        {
            /* TODO: Initiate a session */
            return true;
        }
        else
            return false;
    }

    [OperationContract(IsInitiating = false, IsTerminating = false)]
    public int GetUserNameLength()
    {
        /*
           TODO: How to validate whether the user has logged in?
                 How to obtain the name of the user that has logged in?
        */
        int userNameLength = 42;
        return userNameLength;
    }

    [OperationContract(IsInitiating = false, IsTerminating = true)]
    public void Logout()
    {
        /* TODO: How to logout? */
    }
}

NOTE: I am the enemy number one of gross hacks. Please lead me towards conceptually "clean" solutions, regardless of their complexity.

Comments (2)

耳根太软 2024-11-13 15:29:58

The approach you're following may not be correct with WCF. Based on your approach above, the user is already authenticated, as it's able to invoke the Login operation. Typically, a user shouldn't be allowed to invoke any operation until he/she is authenticated, but in your approach that's not the case.

Also, the sessions in WCF are client initiated, not server initiated. However, based on your approach they seem to be server initiated.

Here are some resources which shed more light on WCF Security:
http://msdn.microsoft.com/en-us/library/ms731925.aspx
Improve wcf security guidance - http://wcfsecurityguide.codeplex.com/

If you want to use Custom UserNamePassword validator, here is the link,
http://msdn.microsoft.com/en-us/library/aa702565.aspx

HTH,
Amit

疯到世界奔溃 2024-11-13 15:29:58

It looks like you are trying to handle authentication at the application level. If you have a particular business need to do this then go right ahead, but if you are just trying to ensure an authenticated user is calling your service then use the built-in WCF authentication mechanisms.

Also, the service contract you are showing is missing this setting in the ServiceContract:

[ServiceContract(SessionMode=SessionMode.Required)]

to make the IsInitiating and IsTerminating actually work. Creating session-based WCF services is pretty limiting because you are forcing all the methods in your service to occur between the Login ... Logout sequence of calls. If you develop multiple services for your application then trying to orchestrate the interaction with each service in its own session can be very error prone.
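
An added example (not part of either answer, and not the asker's code) of the built-in route both answers point to: a custom UserNamePasswordValidator rejects bad credentials before any operation is dispatched, and the operation reads the caller's name from ServiceSecurityContext instead of a Login call. The names IMyService and StoreBackedValidator, the sample account, the endpoint address and the pre-bound HTTPS certificate are assumptions.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// WCF calls Validate before dispatching any operation; throwing rejects the message.
public class StoreBackedValidator : UserNamePasswordValidator
{
    // Constructed sample account: user "alice", password "correct horse" (PBKDF2).
    static readonly byte[] Salt = { 1, 2, 3, 4, 5, 6, 7, 8 };
    static readonly byte[] AliceHash = Derive("correct horse");
    static byte[] Derive(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, Salt, 100000))
            return kdf.GetBytes(32);
    }
    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials");
        byte[] candidate = Derive(password);
        int diff = userName == "alice" ? 0 : 1;
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ AliceHash[i];
        if (diff != 0) throw new SecurityTokenException("Unknown user name or password");
    }
}
[ServiceContract]
public interface IMyService { [OperationContract] int GetUserNameLength(); }
public class MyService : IMyService
{
    // Identity comes from the validated credentials; no Login/Logout operations.
    public int GetUserNameLength() { return ServiceSecurityContext.Current.PrimaryIdentity.Name.Length; }
}
public static class Program
{
    public static void Main()
    {
        // Assumption: an HTTPS certificate is already bound to port 8443 on this host.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        using (var host = new ServiceHost(typeof(MyService)))
        {
            host.AddServiceEndpoint(typeof(IMyService), binding, "https://localhost:8443/MyService");
            var auth = host.Credentials.UserNameAuthentication;
            auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            auth.CustomUserNamePasswordValidator = new StoreBackedValidator();
            host.Open();
            Console.ReadLine(); // keep the host alive until Enter is pressed
        }
    }
}
```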
