有没有办法在 webHttpBinding wcf 服务中从原始浏览器传递域凭据?
有没有办法在 webHttpBinding WCF 服务中从原始浏览器传递域凭据? 我认为这应该是可能的,因为当我登录到 IIS 中启用了 Windows 身份验证的任何 aspx 页面时,我可以获得调用用户的域凭据。我将如何以这种方式设置我的 WCF 服务?目前我在 WCF 服务中获得的用户身份是 svc 运行的应用程序池的用户身份?
编辑
我没有 .NET 4 - 我的配置文件如下,但我仍然收到错误:
此服务的安全设置需要“匿名”身份验证 但托管此服务的 IIS 应用程序未启用它。
我应该在 IIS 中明确为该路径启用匿名吗?我认为这会抵消我获得域名的努力。
<behaviors>
<endpointBehaviors>
<behavior name="Awesome.Project.OperationsBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
</serviceBehaviors>
<behavior name="Awesome.Project.OperationsServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="Awesome.Project.OperationsServiceBehavior"
name="Awesome.Project.Operations">
<endpoint address="" binding="webHttpBinding"
contract="Awesome.Project.Operations"
behaviorConfiguration="Awesome.Project.OperationsBehavior"
bindingName="windowsSecurityWebHttpBinding">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<!--<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />-->
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="windowsSecurityWebHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</webHttpBinding>
</bindings>
Is there a way to pass domain credentials from the originating browser in webHttpBinding WCF service?
I'm thinking this should be possible as when I log into any aspx page with Windows Authentication enabled in IIS, I can get the calling user's domain credentials. How would I setup my WCF service in such a manner? Currently the user identity I get in the WCF service are those of the app pool the svc is running under?
EDIT
I don't have .NET 4 -- My configuration file is below, but I still get an error:
Security settings for this service require 'Anonymous' Authentication
but it is not enabled for the IIS application that hosts this service.
Should I explicitly enable Anonymous for that path in IIS? I think this would undo my efforts to get the domain name.
<behaviors>
<endpointBehaviors>
<behavior name="Awesome.Project.OperationsBehavior">
<enableWebScript />
</behavior>
</endpointBehaviors>
</serviceBehaviors>
<behavior name="Awesome.Project.OperationsServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<services>
<service behaviorConfiguration="Awesome.Project.OperationsServiceBehavior"
name="Awesome.Project.Operations">
<endpoint address="" binding="webHttpBinding"
contract="Awesome.Project.Operations"
behaviorConfiguration="Awesome.Project.OperationsBehavior"
bindingName="windowsSecurityWebHttpBinding">
<identity>
<dns value="localhost" />
</identity>
</endpoint>
<!--<endpoint address="mex" binding="mexHttpBinding"
contract="IMetadataExchange" />-->
</service>
</services>
<bindings>
<webHttpBinding>
<binding name="windowsSecurityWebHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows"/>
</security>
</binding>
</webHttpBinding>
</bindings>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您需要在服务中打开身份验证 - 假设 .NET 4 将以下内容添加到
.NET 3.5 或 3.0 的配置中,您需要
编辑其他问题:
WCF 通常不会通过非安全传输传递凭据- 这就是为什么 mode="Transport" 很重要。如果你去掉它,它与 WebHttpBinding 的 Mode="None" 相同。
如果该站点被认为位于 Intranet 区域,那么 IE 将自动传递用户的凭据。然而,非 IE 浏览器不会,因此会在收到 401 错误并发送凭据之前匿名访问该网站。初始请求需要 IIS 支持匿名访问,因为 WCF 处理身份验证机制。
如果您需要获取 HttpContext,可以使用 Asp.NET 兼容性。但是在 WCF 中,您可以使用 ServiceSecurityContext.Current.PrimaryIdentity.Name 来获取经过身份验证的用户
You need to turn on authentication in the service - assuming .NET 4 add the following to your config
for .NET 3.5 or 3.0 you need
Edit for additional questions:
WCF will generally not pass credentials over non secured transports - that's why mode="Transport" is important. If you got rid of it its the same as Mode="None" for WebHttpBinding
If the site is considered to be in the intranet zone then IE will pass the user's credentials automatically. However, non-IE browsers will not and so will hit the site anonymously before getting a 401 and then sending the credentials. The intial request requires anonymous access to be supported in IIS as WCF handles the authentication mechanism
If you need to get hold of HttpContext you can use Asp.NET Compatibility. However in WCF you can use ServiceSecurityContext.Current.PrimaryIdentity.Name to get the authenticated user
如何:通过 Web 应用程序在 WCF 调用中模拟原始调用者 给出有关如何执行此操作的演练。
How to: Impersonate the Original Caller in WCF Calling from a Web Application gives a walkthrough on how to do this.