How do I restrict access to a WCF service to the local machine when using WSHttpBinding?

Posted 2024-12-04 07:57:45, 632 characters, 0 views, 0 comments


I'm using WCF to do inter-process communication on my machine, using WSHttpBinding, and I'd like to restrict the service so only processes on the current machine can call the service. How can I do this?

I would prefer to use NetNamedPipesBinding which inherently would perform this restriction, however this is not possible in my scenario, so I'd like a way to restrict it using WSHttpBinding. The reason I can't use NetNamedPipesBinding is that one of the clients to the service is running within a low-integrity process (Internet Explorer in Protected Mode) and doesn't have access to connect to a higher-integrity named pipe (without a lot of undocumented jiggery-pokery like this which looks good but I'd prefer to avoid).

One option would be to add an IDispatchMessageInspector that restricts by IP Address as described here. Is that the best approach?

UPDATE:
This software will be deployed to hundreds of machines, so a solution like using certificates would likely be more work than desired.
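The IDispatchMessageInspector approach mentioned in the question, written out as an added example in C# (this is my code, not code from the question or from WCF's documentation). It reads the transport's RemoteEndpointMessageProperty, which the HTTP transport populates from the accepted socket, and faults any request whose peer address is not loopback. The class names `LoopbackOnlyInspector` and `LoopbackOnlyAttribute` are my own; `IsIPv4MappedToIPv6`/`MapToIPv4` need .NET 4.5 or later.

```csharp
using System;
using System.Collections.ObjectModel;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Added example, not from the original post.
// Rejects requests whose TCP peer is not a loopback address. The HTTP transport
// attaches RemoteEndpointMessageProperty (remote IP and port of the accepted
// socket) to every incoming message.
public sealed class LoopbackOnlyInspector : IDispatchMessageInspector
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        object prop;
        if (!request.Properties.TryGetValue(RemoteEndpointMessageProperty.Name, out prop))
        {
            // No transport address available: fail closed rather than open.
            throw new FaultException("Caller address unavailable; request rejected.");
        }

        var remote = (RemoteEndpointMessageProperty)prop;
        if (!IsLoopback(remote.Address))
        {
            throw new FaultException("This service accepts local callers only.");
        }
        return null; // no correlation state is needed in BeforeSendReply
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }

    // True for 127.0.0.0/8, ::1, and the IPv4-mapped form ::ffff:127.x.x.x.
    public static bool IsLoopback(string address)
    {
        IPAddress ip;
        if (!IPAddress.TryParse(address, out ip)) return false;
        if (ip.IsIPv4MappedToIPv6) ip = ip.MapToIPv4();
        return IPAddress.IsLoopback(ip);
    }
}

// Apply as [LoopbackOnly] on the service implementation class, or add an
// instance to ServiceHost.Description.Behaviors before calling Open().
[AttributeUsage(AttributeTargets.Class)]
public sealed class LoopbackOnlyAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription serviceDescription,
                                      ServiceHostBase serviceHostBase)
    {
        foreach (ChannelDispatcher dispatcher in serviceHostBase.ChannelDispatchers)
        {
            foreach (EndpointDispatcher endpoint in dispatcher.Endpoints)
            {
                endpoint.DispatchRuntime.MessageInspectors.Add(new LoopbackOnlyInspector());
            }
        }
    }

    public void AddBindingParameters(ServiceDescription serviceDescription,
                                     ServiceHostBase serviceHostBase,
                                     Collection<ServiceEndpoint> endpoints,
                                     BindingParameterCollection bindingParameters) { }

    public void Validate(ServiceDescription serviceDescription,
                         ServiceHostBase serviceHostBase) { }
}
```

Two caveats worth keeping in mind. First, this is an address check, not an identity check: every process on the box, under any user account, passes it, as does anything a local proxy or port forward relays to loopback. Second, consider also giving the ServiceHost a base address of the form `http://127.0.0.1:<port>/` rather than `http://localhost:<port>/`; in my experience HTTP.sys then only matches requests arriving on that IP, which keeps non-local traffic out before it ever reaches the inspector, with the inspector remaining the application-level check.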


Comments (1)

作死小能手 2024-12-11 07:57:45


You could try using X509 certificates to create a security signature. That way, you can hold the lock and the key. Other IPs would be able to hit your service, but not communicate. You could do something like:

In the Service:

    <behaviors>
      <serviceBehaviors>
        <behavior name="wsHttpCertificateBehavior">
          <dataContractSerializer maxItemsInObjectGraph="50000"/>
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
          <serviceCredentials>
            <!-- How the service validates the certificate each client presents -->
            <clientCertificate>
              <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" />
            </clientCertificate>
            <!-- The service's own certificate, looked up in LocalMachine\My by subject DN -->
            <serviceCertificate findValue="CN=WSE2QuickStartServer" storeLocation="LocalMachine"
              storeName="My" x509FindType="FindBySubjectDistinguishedName" />
          </serviceCredentials>
        </behavior>
        <behavior name="">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>

In the Client:

    <behaviors>
      <endpointBehaviors>
        <behavior name="wsHttpCertificateBehavior">
          <dataContractSerializer maxItemsInObjectGraph="50000" />
          <clientCredentials>
            <!-- The certificate the client signs with, from CurrentUser\My -->
            <clientCertificate findValue="CN=WSE2QuickStartClient" storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
            <!-- How the client validates the service's certificate -->
            <serviceCertificate>
              <authentication certificateValidationMode="ChainTrust" revocationMode="NoCheck" trustedStoreLocation="LocalMachine" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>

    <client>
      <!-- "ApplicationServicesBinding" is not shown in the post; for the client certificate to be
           required it must be a wsHttpBinding with
           <security mode="Message"><message clientCredentialType="Certificate" /></security> -->
      <endpoint address="https://localhost/ClientService.svc" behaviorConfiguration="wsHttpCertificateBehavior" binding="wsHttpBinding" bindingConfiguration="ApplicationServicesBinding" contract="GAINABSApplicationServices.Contracts.ServiceContracts.IClientService" name="ClientService">
        <!--<identity>
          <certificateReference storeName="AddressBook" storeLocation="CurrentUser"
            x509FindType="FindBySubjectName" findValue="WSE2QuickStartServer"
            isChainIncluded="true" />
        </identity>-->
      </endpoint>
    </client>

You may optionally need the Identity tag on the client to state that you are explicitly using the cert for the identity when communicating with the service. Hope this helps!
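One check a practitioner will want on top of the configuration above: `certificateValidationMode="ChainTrust"` accepts any client certificate that chains to a root the machine trusts, so by itself it does not limit callers to the one client you issued a certificate to. The following is an added example in C# (my code, not part of the answer or of WCF's samples) that builds the message-security binding the answer's `bindingConfiguration` attribute refers to, and swaps chain validation for a custom validator that pins the single permitted client certificate by thumbprint. The names `ThumbprintValidator`, `LocalIpcHost` and the thumbprint value passed in are mine; the subject DN `CN=WSE2QuickStartServer` is the one used in the answer.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the original answer.
// Accepts exactly one client certificate, identified by its thumbprint,
// regardless of which root (if any) it chains to.
public sealed class ThumbprintValidator : X509CertificateValidator
{
    private readonly string _expectedThumbprint;

    public ThumbprintValidator(string expectedThumbprintHex)
    {
        if (string.IsNullOrEmpty(expectedThumbprintHex))
            throw new ArgumentException("A thumbprint is required.", "expectedThumbprintHex");
        _expectedThumbprint = Normalize(expectedThumbprintHex);
    }

    // WCF calls this for the certificate the client signed the request with.
    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new ArgumentNullException("certificate");
        if (!Matches(certificate.Thumbprint))
            throw new SecurityTokenValidationException("Client certificate is not the pinned one.");
    }

    public bool Matches(string thumbprintHex)
    {
        return thumbprintHex != null && Normalize(thumbprintHex) == _expectedThumbprint;
    }

    // Thumbprints are often copied with spaces and mixed case; compare canonically.
    private static string Normalize(string hex)
    {
        return hex.Replace(" ", string.Empty).ToUpperInvariant();
    }
}

public static class LocalIpcHost
{
    // Programmatic equivalent of a wsHttpBinding configuration that requires the
    // client to sign at the message layer with an X.509 certificate.
    public static WSHttpBinding CreateBinding()
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // The client is configured with the service certificate, so no negotiation.
        binding.Security.Message.NegotiateServiceCredential = false;
        return binding;
    }

    // serviceCertSubjectDn: e.g. "CN=WSE2QuickStartServer" (the answer's service cert).
    // clientThumbprint: hex thumbprint of the one client certificate to allow (assumed value).
    public static void Configure(ServiceHost host, string serviceCertSubjectDn, string clientThumbprint)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectDistinguishedName, serviceCertSubjectDn);

        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new ThumbprintValidator(clientThumbprint);
    }
}
```

Because the validator no longer depends on a trusted root, the service and client certificates can be self-signed pairs generated per machine at install time, which avoids the certificate-deployment effort the question's UPDATE worries about; the client's own `<serviceCertificate><authentication>` then has to pin or otherwise accept that self-signed service certificate as well. What this still does not do is stop another process running as the same Windows user from using the same CurrentUser\My certificate, since it can read the same store.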
