WCF authentication with ASP.NET membership, roles and profile

Posted on 2024-11-16 10:43:14

I have a WCF service which is hosted in IIS 7.0/7.5 inside of an ASP.NET MVC web application (by using an .svc file with the ServiceHost directive). The security settings in my configuration look like this:

<services>
  <service name="MyServiceLib.MyService">
    <endpoint address="" binding="wsHttpBinding" 
              bindingConfiguration="wsHttpBindingConfig"
              contract="MyServiceLib.IMyService" />
  </service>
</services>

<bindings>
  <wsHttpBinding>
    <binding name="wsHttpBindingConfig">
      <security mode="TransportWithMessageCredential">
        <transport clientCredentialType="None" />
        <message clientCredentialType="UserName" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior>
      <serviceCredentials>
        <userNameAuthentication
            userNamePasswordValidationMode="MembershipProvider"
            membershipProviderName="AspNetSqlMembershipProvider"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

As you can see I'm using SSL for transport security and then authenticate with user name and password against the ASP.NET membership provider. This works fine so far.

But I want to restrict access to this service to not only authenticated users but to users who are in a specific role and who have a specific value set in their profile. (I'm using the SqlProfileProvider in the web app and every user has a profile with specific values assigned.)

Is it possible to achieve this via configuration settings? If not, can I create some kind of custom authentication on the service side which would allow me to retrieve user and password from the incoming message and then check membership and role and pull out the profile from the profile store? How can I do this?

Comments (2)

我做我的改变 2024-11-23 10:43:14

How about enabling the WCF Role Service?

Otherwise, you can implement your own authentication method. You tell WCF that we want to validate a user on our own (performing your own check-sum/validation method(s)).

早茶月光 2024-11-23 10:43:14

Well, you can restrict access to methods in your service by decorating them with the 'PrincipalPermissionAttribute':

// requires: using System.Security.Permissions;
[PrincipalPermission(SecurityAction.Demand, Role = "User")]
public void MyMethod() { /* ... */ }

You need to configure the service to use the role provider:

<serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />

But that will only help with roles. I don't think there is anything out of the box that will help with checking for a value in the user profile: you may consider doing that manually inside the method body.
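The role and profile checks can also be centralized in a custom ServiceAuthorizationManager that runs for every call once the membership provider has accepted the password; the following is an added example, not code from the question or from either answer. The class name, the profile property "ServiceAccess" and its required value "Enabled" are hypothetical, and the sketch assumes the role manager and profile providers are enabled in the hosting web.config.

```csharp
using System;
using System.Configuration;
using System.Security.Principal;
using System.ServiceModel;
using System.Web.Profile;
using System.Web.Security;

namespace MyServiceLib
{
    // Register on the service behavior (type and assembly names are assumptions):
    // <serviceAuthorization
    //     serviceAuthorizationManagerType="MyServiceLib.ProfileAuthorizationManager, MyServiceLib" />
    public class ProfileAuthorizationManager : ServiceAuthorizationManager
    {
        private const string RequiredRole = "User";              // role name used in the answer above
        private const string ProfileProperty = "ServiceAccess";  // hypothetical profile property
        private const string RequiredValue = "Enabled";          // hypothetical required value

        // Every path that does not positively prove role and profile value returns false.
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            if (!base.CheckAccessCore(operationContext))
                return false;

            ServiceSecurityContext context = operationContext.ServiceSecurityContext;
            if (context == null || context.IsAnonymous)
                return false;   // no validated UserName credential on this call

            IIdentity identity = context.PrimaryIdentity;
            if (identity == null || !identity.IsAuthenticated || string.IsNullOrEmpty(identity.Name))
                return false;

            if (!Roles.IsUserInRole(identity.Name, RequiredRole))
                return false;

            try
            {
                // Load the stored profile of the authenticated user by name.
                ProfileBase profile = ProfileBase.Create(identity.Name, true);
                string value = profile.GetPropertyValue(ProfileProperty) as string;
                return string.Equals(value, RequiredValue, StringComparison.Ordinal);
            }
            catch (SettingsPropertyNotFoundException)
            {
                return false;   // property not declared in <profile>: fail closed
            }
        }
    }
}
```

Returning false makes WCF reject the call with an access-denied fault before the operation body runs, so individual methods need no per-method profile check.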
