WCF - IErrorHandler and Authentication
I'm writing a WCF service with some authentication and a custom error handler. However, I'm coming up against this problem: my implementation of IErrorHandler is not getting hit when the authentication throws an exception, but runs just fine with other exceptions.
Does authentication run before IErrorHandler gets built? Am I barking up the wrong tree trying to get it to catch those errors?
Yes, I have tried (and am) throwing a FaultException in my authentication, not SecurityTokenException.
So first thing is to make sure that your custom Error Handler is also implementing IServiceBehavior. IServiceBehavior requires that you implement a couple other methods but the important one is "ApplyDispatchBehavior", in which you must add the ErrorHandler to the channel dispatchers.
C#
Then you need to add the CustomErrorHandler as a service behavior and add the behavior
web.config
This way all your thrown exceptions will be converted to faults to return back to the client.
In the case of SecurityTokenExceptions, you do not want to convert those to Fault Exceptions right away. You actually do want to throw these as SecurityTokenExceptions in the custom validation in order for the service/server to recognize that the security authorization failed, and automatically return a fault equivalent of a "403 : Access Denied". I am not 100% but I think that the custom auth and validation pieces happen before custom service behaviors, like the error handler, are loaded. Unfortunately, if you need to troubleshoot something in your auth, you will need to turn on WCF tracing on the service, see this article titled "How to turn on WCF Tracing".
If you need to log failed auth attempts, you will probably need to put it directly in your custom validator.
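The wiring described in the answer above, as an added example that is not code from the original post: an error handler that registers itself in ApplyDispatchBehavior, and a validator that logs the failed attempt itself before throwing SecurityTokenException. The name LoggingValidator, the CheckCredentials placeholder and the use of System.Diagnostics.Trace for logging are assumptions.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

public class CustomErrorHandler : IErrorHandler, IServiceBehavior
{
    public bool HandleError(Exception error)
    {
        Trace.TraceError("Service error: {0}", error); // full detail stays in the server log
        return true;
    }
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (error is FaultException) return; // already a fault: WCF sends it unchanged
        var fe = new FaultException("Internal service error."); // no stack trace to the client
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcher dispatcher in host.ChannelDispatchers)
            dispatcher.ErrorHandlers.Add(this); // the step the answer calls the important one
    }
    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }
    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}

public class LoggingValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (CheckCredentials(userName, password)) return;
        // Log here: per the thread, the error handler above is not hit for this failure.
        // Strip CR/LF so a crafted user name cannot forge log lines; never log the password.
        string safe = (userName ?? "").Replace("\r", "").Replace("\n", "");
        Trace.TraceWarning("Failed authentication for user '{0}'", safe);
        throw new SecurityTokenException("Authentication failed.");
    }
    // Hypothetical placeholder (denies by default): replace with your credential store lookup.
    protected virtual bool CheckCredentials(string userName, string password) { return false; }
}
```

The behavior can be attached in code with host.Description.Behaviors.Add(new CustomErrorHandler()) before the host is opened; registering it from web.config additionally requires a BehaviorExtensionElement subclass.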