WCF Authorization Service. Is there an existing pattern? Suggestions?
In our application we have a lot of different profiles. Each profile enables the user to access specific functions of the service or to perform particular actions a specific number of times.
We are thinking about creating a WCF Authorization Service to centralize the logic of everything and so "slave" applications will just reflect what this "referee" application tells them to do.
Do you think this is a good idea? Is it a pattern you have already used? Is there anything on the net that can be studied?
Thanks for your opinion.
Marco
You might want to take a look at claims-based authentication through Windows Identity Foundation (WIF). In this model your "slave" services become what's known as a relying party (RP), each of which trusts the issuer (STS) of an authentication token. This token contains claims that can be customised to each RP. It's built on open standards and will likely prove far more secure and future-proof than rolling your own.
All of this will be surfaced in your services through the relatively easy WIF API that extends IPrincipal and IIdentity. Perhaps a little more work up front now but certainly providing a better solution long term?
More info here
Edit:
Your services will trust the STS. Therefore when the user walks up to your service with a set of claims issued by the STS you take these as valid. Your services don't need to contain any logic for looking up roles as it's all contained in the claim which has been defined by the STS. All you do as a service developer is decide what the user can or cannot do based on those claims. The following developer whitepaper may help (PDF).
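As an added example (not code from the answer or from Microsoft's WIF samples), here is what "deciding what the user can do based on those claims" looks like in a relying-party WCF service on .NET 4.5, where WIF is integrated as System.Security.Claims; the claim type URIs, the issuer name, the service contract and the config type name are assumptions.

```csharp
// Added example (not the answer's code): a relying-party WCF service whose only
// authorization logic is "what do the STS-issued claims say?". Targets .NET 4.5
// (WIF as System.Security.Claims); claim types, issuer, config names are assumed.
using System.Linq;
using System.Security.Claims;
using System.IdentityModel.Services;
using System.ServiceModel;

public static class ProfileClaims
{
    // The STS issues one Feature claim per function the profile enables and a
    // quota claim for count-limited actions (hypothetical claim types).
    public const string Feature = "http://example.invalid/claims/feature";
    public const string ExportQuota = "http://example.invalid/claims/export-quota";
    public const string Issuer = "https://sts.example.invalid"; // IssuerNameRegistry name
}

// Registered so ClaimsPrincipalPermission.CheckAccess consults it (Web.config):
// <system.identityModel><identityConfiguration>
//   <claimsAuthorizationManager type="ProfileAuthorizationManager, MyServiceAssembly"/>
// </identityConfiguration></system.identityModel>
public class ProfileAuthorizationManager : ClaimsAuthorizationManager
{
    public override bool CheckAccess(AuthorizationContext context)
    {
        string action = context.Action.Select(c => c.Value).FirstOrDefault();
        if (context.Principal == null || action == null) return false;
        // The WIF pipeline already validated signature, audience and issuer; also ignore
        // Feature claims not issued by our STS, so only the referee can grant a function.
        return context.Principal.FindAll(ProfileClaims.Feature)
            .Any(c => c.Issuer == ProfileClaims.Issuer && c.Value == action);
    }
}

[ServiceContract]
public class ReportService
{
    [OperationContract]
    public string Export(string reportId)
    {
        // Throws SecurityException unless the manager above returns true.
        ClaimsPrincipalPermission.CheckAccess("Report", "export");
        // The "N times" rule: the STS states the allowance as a claim, but a
        // token is read-only, so the consumed count must be tracked server side.
        Claim quota = ClaimsPrincipal.Current.FindFirst(ProfileClaims.ExportQuota);
        int allowance = quota == null ? 0 : int.Parse(quota.Value);
        if (allowance <= 0) throw new FaultException("No export allowance.");
        return "exported " + reportId;
    }
}
```

The service never consults a profile database: everything it needs arrives in the validated token, and a claim the caller could have minted itself grants nothing because the issuer check ties each grant back to the STS.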