Using PrincipalPermissionAttribute with a custom role provider
I'm working on a new security infrastructure for my organization. Since we develop systems for internal organization use I'd like to use Windows Authentication, but for the authorization we manage a separate Oracle DB (for historical reasons). My idea was to use PrincipalPermissionAttribute, defining
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);
in Global::Application_Start
and
<system.web>
  <compilation debug="true" targetFramework="4.0" />
  <authorization>
    <deny users="?"/>
  </authorization>
  <roleManager defaultProvider="MyRoleProvider"
    enabled="true"
    cacheRolesInCookie="true"
    cookieName=".ASPROLES"
    cookieTimeout="30"
    cookiePath="/"
    cookieRequireSSL="false"
    cookieSlidingExpiration="true"
    cookieProtection="All" >
    <providers>
      <clear />
      <add
        name="MyRoleProvider"
        type="WcfServiceLibrary1.MyRoleProvider"
        connectionStringName="Service1"
        applicationName="InfraTest"
        writeExceptionsToEventLog="true" />
    </providers>
  </roleManager>
</system.web>
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="BasicHttpEndpointBinding">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Windows" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="WcfService1.Service1">
      <endpoint address="WcfAuthenticationTest" binding="basicHttpBinding"
                bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint"
                contract="WcfService1.IService1">
        <identity>
          <dns value="localhost"/>
        </identity>
      </endpoint>
      <host>
        <baseAddresses>
          <add baseAddress="http://localhost/WcfAuthentication"/>
        </baseAddresses>
      </host>
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
        <serviceMetadata httpGetEnabled="true"/>
        <serviceDebug includeExceptionDetailInFaults="true"/>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
</system.serviceModel>
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
</system.webServer>
in my Web.config, using my custom role provider that should access the Oracle DB to check the role. But I cannot make it work. Is there any way to make the PrincipalPermissionAttribute work in this way, or maybe the entire concept is wrong? I thought of implementing my custom CodeAccessSecurityAttribute, but it is not that simple, so I prefer not to do it.
Does anybody have any idea of the issue? I'll be glad to get some answers.
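As an added example (not code from the original post), here is how the pieces in the question fit together in C#: a read-only RoleProvider that answers IsUserInRole from the Oracle table, and a service operation guarded by PrincipalPermission so that the demand is resolved through that provider. The table USER_ROLES and its columns, the role name "Approver", and the way the Oracle ADO.NET provider binds ":name" placeholders are assumptions, not something the post states.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Configuration.Provider;
using System.Data.Common;
using System.Linq;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web.Security;

namespace WcfServiceLibrary1
{
    // Read-only role provider. With principalPermissionMode="UseAspNetRoles" WCF calls only
    // Roles.Provider.IsUserInRole(...) during a PrincipalPermission demand, so nothing else is implemented.
    public sealed class MyRoleProvider : RoleProvider
    {
        private ConnectionStringSettings _cs;
        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            base.Initialize(string.IsNullOrEmpty(name) ? "MyRoleProvider" : name, config);
            ApplicationName = config["applicationName"] ?? "/";
            _cs = ConfigurationManager.ConnectionStrings[config["connectionStringName"] ?? ""];
            if (_cs == null) throw new ProviderException("connectionStringName must name an existing <connectionStrings> entry");
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            // Windows account names are case-insensitive; compare role names the same way.
            return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        public override string[] GetRolesForUser(string username)
        {
            if (string.IsNullOrEmpty(username)) return new string[0];
            var roles = new List<string>();
            DbProviderFactory factory = DbProviderFactories.GetFactory(_cs.ProviderName);
            using (DbConnection conn = factory.CreateConnection())
            using (DbCommand cmd = conn.CreateCommand())
            {
                conn.ConnectionString = _cs.ConnectionString;
                // Assumed schema: USER_ROLES(APP_NAME, USER_NAME, ROLE_NAME), USER_NAME holding DOMAIN\user.
                // Bind variables keep the caller-controlled account name out of the SQL text.
                cmd.CommandText = "SELECT ROLE_NAME FROM USER_ROLES WHERE APP_NAME = :app AND UPPER(USER_NAME) = UPPER(:usr)";
                AddParameter(cmd, "app", ApplicationName);
                AddParameter(cmd, "usr", username);
                conn.Open();
                using (DbDataReader reader = cmd.ExecuteReader())
                    while (reader.Read()) roles.Add(reader.GetString(0));
            }
            return roles.ToArray();
        }

        private static void AddParameter(DbCommand cmd, string name, string value)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = name; // assumption: the Oracle provider binds ":app" in the SQL to a parameter named "app"
            p.Value = value;
            cmd.Parameters.Add(p);
        }

        // Role data is owned by the Oracle DB; the service must not be able to change it.
        public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
        public override void CreateRole(string r) { throw new NotSupportedException(); }
        public override bool DeleteRole(string r, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override string[] FindUsersInRole(string r, string usernameToMatch) { throw new NotSupportedException(); }
        public override string[] GetAllRoles() { throw new NotSupportedException(); }
        public override string[] GetUsersInRole(string r) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
        public override bool RoleExists(string r) { throw new NotSupportedException(); }
    }
}

namespace WcfService1
{
    [ServiceContract]
    public interface IService1
    {
        [OperationContract] string GetData(int value);
    }

    // aspNetCompatibilityEnabled="true" in web.config also requires the service to opt in.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class Service1 : IService1
    {
        // Under UseAspNetRoles, Thread.CurrentPrincipal.IsInRole("Approver") becomes
        // Roles.Provider.IsUserInRole("DOMAIN\\alice", "Approver"), i.e. the Oracle lookup above.
        // A caller who is not in the role gets a SecurityException, returned to the client as an access-denied fault.
        [PrincipalPermission(SecurityAction.Demand, Role = "Approver")]
        public string GetData(int value)
        {
            return ServiceSecurityContext.Current.WindowsIdentity.Name + " requested " + value;
        }
    }
}
```

The web.config in the question is a development setup: TransportCredentialOnly together with cookieRequireSSL="false" puts the Windows authentication exchange and the cached role cookie on plain HTTP, and includeExceptionDetailInFaults="true" returns stack traces to any caller. Both are worth tightening before the service leaves a test box.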
There are two things that I've learned lately. First of all, my concept was right: I can use PrincipalPermissionAttribute with a custom role provider. The second is that I was totally confused with the web.config tags. One tag is used for the ASP.NET settings, while another is used for WCF settings. So a little bit of configuration solved the entire problem. Here is the right configuration
You need not include impersonateCallerForAllOperations="true" unless you need impersonation.
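To make the point of this answer concrete, here is an added example (not from the original answer) contrasting an operation that runs without impersonation, which is all that PrincipalPermission and the role provider need, with one that opts in per operation. The contract and service names are invented for the illustration.

```csharp
using System.Security.Principal;
using System.ServiceModel;

namespace WcfService1
{
    [ServiceContract]
    public interface IIdentityProbe
    {
        [OperationContract] string WhoAmI();
        [OperationContract] string WhoAmIImpersonated();
    }

    public class IdentityProbe : IIdentityProbe
    {
        // Default (ImpersonationOption.NotAllowed): the operation runs under the application-pool account
        // and the caller is visible only as an identity object. The role check and the Oracle connection
        // therefore happen under the service account, which is the least-privilege choice.
        public string WhoAmI()
        {
            return Describe();
        }

        // Opt in only on operations that must touch a resource as the caller (a file share, for example).
        // During this call the thread's Windows token is the caller's, so WindowsIdentity.GetCurrent() changes.
        // impersonateCallerForAllOperations="true" would instead require every operation to be marked
        // Allowed or Required, and the service host refuses to open otherwise.
        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        public string WhoAmIImpersonated()
        {
            return Describe();
        }

        private static string Describe()
        {
            string caller = ServiceSecurityContext.Current.WindowsIdentity.Name; // e.g. DOMAIN\alice
            string thread = WindowsIdentity.GetCurrent().Name;                  // app-pool account, or the caller when impersonating
            return "caller=" + caller + "; thread token=" + thread;
        }
    }
}
```

Impersonation also only works with Windows client credentials, as configured on the binding in the question; for an off-box resource the service account additionally needs delegation rights, which is another reason to leave it off unless an operation genuinely needs it.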