How to mix WIF and non-WIF endpoints in a single WCF <service>?

Published 2024-11-14 15:08:46, 1687 characters, 2 views, 0 comments


A WIF-based WCF service needs to call method FederatedServiceCredentials.ConfigureServiceHost(), or put the equivalent element <federatedServiceHostConfiguration> in the web.config file, to work. This is a setting on the service level, in other words it applies for all endpoints.

According to the method documentation, the ServiceHostBase instance is modified in several WIF-specific ways. For example, the authorization is replaced by a WIF-based authorization class.

Now I'd like to have a single <service> (inside <system.serviceModel><services>) with multiple <endpoint>s, where one endpoint is WIF-based, and the others are using plain Windows authentication.

Update. In response to an answer below, let me explain why we want to mix WIF and non-WIF endpoints. If we only use WIF, then each of our customers needs an STS, like AD FS. Setting this up is not difficult, but it is a hurdle, especially if they just want to test drive our software. So what we do is install in a mode where Windows integrated authentication is used (for our web services, and also for our front end), and then later they can switch to a mode where AD FS is used.

So basically we want to be able to install without AD FS to lower the barrier to entry of our application.

To do this, the <service> needs a <federatedServiceHostConfiguration>. However -- and here is my problem -- this affects also the non-WIF endpoints for that same service: for example, they suddenly use the WIF authorization manager (an instance of class ClaimsAuthorizationManager).

So my question is: what is the recommended way to mix WIF and non-WIF endpoints in a single WCF <service>?


Answers (2)

清风夜微凉 2024-11-21 15:08:46


I don't think you can. In your situation though, you should only have the one WIF endpoint and leave the multiple credential support to the STS.

You can put multiple endpoints on your STS to handle different types of authentication. One for Windows, one for username/password for example.

I did a Code Camp Oz session last year that demonstrated this. The source is attached to my blog post at http://www.neovolve.com/post/2010/11/21/CodeCampOz-Not-a-WIF-of-federation.aspx. Have a look at the web.config in NotAWif Demo\4 - Identity Delegation\NotAWif.DelegationSTS.

<system.serviceModel>
  <services>
    <service behaviorConfiguration="ServiceBehavior"
                    name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract">

      <endpoint address="UserName/IWSTrust13"
                        binding="ws2007HttpBinding"
                        bindingConfiguration="ws2007HttpBindingUserNameConfiguration"
                        contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <endpoint address="Windows/IWSTrust13"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007HttpBindingWindowsConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <endpoint address="mex"
                        binding="mexHttpsBinding"
                        contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost/NotAWif.DelegationSTS/Service.svc" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <ws2007HttpBinding>
      <binding name="ws2007HttpBindingUserNameConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="UserName"
                                establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="ws2007HttpBindingWindowsConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="Windows"
                                establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate findValue="DefaultApplicationCertificate"
                                          x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

This is how I configured the STS to support multiple types of authentication. The RP should only deal in claims, not claims|WindowsIdentity. It is the STS's responsibility to convert a particular type of authentication into a set of claims that the RP will use.

三岁铭 2024-11-21 15:08:46


You may be confusing the use of WIF with using an STS. They are not related.

WS2007FederationHttpBinding will cause the WCF endpoint to expect an issued token (from an STS).
WS2007HttpBinding or NetTcpBinding can require a Windows token.

You can use WIF to handle both, in fact it is WITH WIF that you are able to have a service behavior that supports two different token formats more effectively.

The issued token endpoint will rely on the configuration for the saml11/saml2 security token handler in WIF config to process the token and the trusted issuer section to establish trust of that token.
The Windows endpoint will rely on one of the Windows security token handlers to process the Windows token.

Both will funnel through the WIF service authz manager but will hydrate claims for Windows or for your issued token. You can use the ClaimsAuthenticationManager to transform those claims prior to reaching the ClaimsAuthorizationManager to authorize access.

There are lots of ways to skin this cat but that is definitely possible.
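As an added illustration of the "funnel both endpoints through one authorization manager" pattern described in this answer (example code, not from the answer or the linked demo), here is a ClaimsAuthenticationManager that normalises a Windows-token principal and an STS-issued principal into one role-based claim set, plus the single ClaimsAuthorizationManager that consumes it. It is written against the .NET 4.5 System.Security.Claims API rather than the original Microsoft.IdentityModel namespaces, and the group SID and issuer URI are constructed placeholders.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;

// Added example using .NET 4.5 System.Security.Claims (WIF 1.0 had these types under
// Microsoft.IdentityModel). Runs before the authorization manager for both endpoints.
public class UnifyingAuthenticationManager : ClaimsAuthenticationManager
{
    // Constructed placeholder SID; deployments map their own groups here.
    static readonly Dictionary<string, string> SidToRole =
        new Dictionary<string, string> { { "S-1-5-21-0-0-0-1101", "Operators" } };
    // Placeholder issuer name; must match the trusted issuer registered for the STS.
    const string TrustedStsIssuer = "http://sts.example.test/";

    public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incoming)
    {
        var identity = incoming.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return incoming;   // anonymous callers are left for CheckAccess to reject

        IEnumerable<Claim> roles;
        if (identity is WindowsIdentity)
        {
            // Windows endpoint: roles are derived from group SIDs in the Windows token.
            roles = identity.FindAll(ClaimTypes.GroupSid)
                .Where(s => SidToRole.ContainsKey(s.Value))
                .Select(s => new Claim(ClaimTypes.Role, SidToRole[s.Value], ClaimValueTypes.String, "LOCAL AUTHORITY"));
        }
        else
        {
            // Federated endpoint: keep only role claims the trusted STS actually issued.
            roles = identity.FindAll(ClaimTypes.Role).Where(c => c.Issuer == TrustedStsIssuer);
        }

        var unified = new ClaimsIdentity(roles, "Unified");
        var name = identity.FindFirst(ClaimTypes.Name);
        if (name != null) unified.AddClaim(new Claim(ClaimTypes.Name, name.Value));
        return new ClaimsPrincipal(unified);
    }
}
// A single authorization manager serves both endpoints because it sees only roles.
public class RoleAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        return context.Principal.HasClaim(ClaimTypes.Role, "Operators");
    }
}
```

In the 4.5 configuration schema both classes are registered under <system.identityModel><identityConfiguration> via <claimsAuthenticationManager type="..."/> and <claimsAuthorizationManager type="..."/>, so the same pair runs for the Windows and the federated endpoint.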
