WCF安全,用户名密码无证书
我是 WCF 的新手。我习惯了 *.asmx,但它将被弃用,因此我决定深入研究 WCF。我想要为我的服务进行简单的用户名+密码身份验证,但网络上的任何地方都与 X509 证书有关。我想在 IIS 中托管我的服务,因此我将在那里启用 SSL。
我已经遵循了一些关于 WCF 的 hello world 教程,但对所有新事物、数据契约、OperationContract、ServiceContract、所需接口、web.config 中的所有绑定、basicHttpBinding 等有点困惑。
我目前在 文件 ->新项目->视觉 C# -> WCF-> WCF 服务应用程序
我有一种 hello world 应用程序,想知道保护它的最佳和最简单的方法是什么。我读过很多不同的东西,以至于我不知道什么最适合我的情况。
IIS 中托管的服务将在 Internet 上提供(启用 ssl),并且我想将用户名和密码发送给几个值得信赖的人。
请建议我最简单且合适的安全性。
<system.serviceModel>
<services>
<service behaviorConfiguration="WcfServiceSimStars.MyServiceTypeBehaviors" name="FarmService.CustomerDeskOperations">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="RequestUserName" contract="WcfServiceSimStars.ISimService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="RequestUserName" >
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://mytestserver/simservice.svc" binding="WSHttpBinding"
bindingConfiguration="WSHttpBinding_ISimService" contract="WcfServiceSimStars.ISimService"
name="WSHttpBinding_ISimService" />
</client>
<behaviors>
<serviceBehaviors>
<behavior name="WcfServiceSimStars.MyServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfServiceSimStars.UserValidatorr, WcfServiceSimStars" />
<serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
我假设我的 web.config和解决方案资源管理器
: 
编辑2: 我尝试使用 Visual Studio 工具菜单中的 Microsoft 服务配置编辑器 打开 web.config 并收到此错误:
I am new to WCF. I was used to *.asmx but it will become deprecated, so I decided to dive into WCF. I want a simple username + password authentication for my service, but everywhere on the web it's all about X509 certificates. I'd like to host my service in IIS, so I will enable SSL there.
I have followed some hello world tutorials on WCF but am a bit confused with all the new things, datacontract, OperationContract, ServiceContract, required interfaces, all the bindings in web.config, basicHttpBinding etc.
I am currently at File -> New project -> Visual C# -> WCF -> WCF Service Application
I have a kind of hello world app, and would like to know what the best and easiest way is to secure it. I have read so much different things that I just don't have a clue what is the best for my situation.
The service hosted in IIS will be available on the internet (with ssl enabled) and the usernames and passwords i'd like to send out to several trusted people.
Please advice me for the easiest and suitable security.
Edit
I am trying to follow this blogpost:
http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/
but I have trouble with publishing the metadata. I assume that there is an error in my web.config
<system.serviceModel>
<services>
<service behaviorConfiguration="WcfServiceSimStars.MyServiceTypeBehaviors" name="FarmService.CustomerDeskOperations">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="RequestUserName" contract="WcfServiceSimStars.ISimService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
</service>
</services>
<bindings>
<wsHttpBinding>
<binding name="RequestUserName" >
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://mytestserver/simservice.svc" binding="WSHttpBinding"
bindingConfiguration="WSHttpBinding_ISimService" contract="WcfServiceSimStars.ISimService"
name="WSHttpBinding_ISimService" />
</client>
<behaviors>
<serviceBehaviors>
<behavior name="WcfServiceSimStars.MyServiceTypeBehaviors">
<serviceMetadata httpGetEnabled="true"/>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="WcfServiceSimStars.UserValidatorr, WcfServiceSimStars" />
<serviceCertificate findValue="Farm" storeLocation="LocalMachine" storeName="TrustedPeople" x509FindType="FindBySubjectName" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
and my solution explorer:
Edit 2:
I tried to open my web.config with the Microsoft Service Configuration Editor from visual studio tools menu and got this error:
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
如果您想使用 SSL,则需要使用 X509 证书。
如果要将其托管在 IIS 上并启用 SSL,则需要提供证书,出于调试目的,您可以从 IIS 中生成自签名证书。
在 IIS 中设置完毕后,您将需要编辑 WCF 绑定以启用 SSL。
您将需要与安全模式传输集和安全行为的绑定
,以下指定将使用的 ssl 证书。
然后您需要创建一个安全端点
一旦托管,您就可以在网站上使用 SSL。
要从客户端连接,您将使用以下命令(假设是 C#)。
另一种方法是使用加密而不是 SSL。在客户端加密密码并将加密数据发送到服务,但我不太确定这样做的最佳实践。
希望这有助于
编辑
如果您想将用户名和密码发送到服务,您只需要在服务中创建一个新方法。
您将在接口文件 (IService1.cs) 中定义操作协定,
然后在服务类 (Service1.svc) 中创建方法,
这可能是最简单的方法。另一种更复杂的方法是使用自定义会员资格提供程序来验证用户身份。
您需要创建一个继承自 MembershipProvider 的类并覆盖 ValidateUser 方法
,现在您需要告诉 webconfig 使用表单身份验证并使用您的自定义会员资格提供程序
现在您已经设置了会员资格提供程序,您可以从以下位置更改您的登录代码将上面的代码添加到以下代码中,此代码将对用户进行身份验证并设置授权 cookie。
现在,当您在服务上调用方法时,您可以检查用户是否经过身份验证,如果是,您可以运行该命令,否则不要运行。
如果您需要我澄清任何事情,请告诉我
If you want to use SSL you will need to use X509 certificates.
If you are going to host it on IIS and enable SSL there you will need to provide a certificate, for debug purposes you can generate a self signed certificate from within IIS.
Once you have set it up within IIS you will need to edit the WCF Binding to enable SSL.
You will need a binding with security mode transport set
and a secure behaviour, the following specifies the ssl certificate that will be used.
you then need to create a secure endpoint
That should enable you to used SSL on your site once it is hosted.
To connect from your client you would use the following (assuming C#)
The other method would be to use encryption instead of SSL. Encrypt the password on the client side and send the encrypted data to the service, i'm not really sure on the best practices for doing that though.
Hope this helps
EDIT
If you wanted to send a username and password to the service you would just need to create a new method within the service.
You would define an operation contract within the interface file (IService1.cs)
then you would create the method within the service class (Service1.svc)
Thats probably the simplest way to do it. Another more complex way would be to use a custom Membership provider to authenticate users.
You would need to create a class that inherits from MembershipProvider and override the ValidateUser method
now you need to tell the webconfig to use forms authentication and to use your custom membership provider
Now that you have your membership provider set up you can change your login code from above to the following code, this code will authenticate the user and sets an authorisation cookie.
Now when ever you call a method on your service you can check if the user is authenticated and if they are you can run the command otherwise don't.
Let me know if you need me to clarify anything