向现有项目添加 WIF STS 服务
我们有几个以以下方式设置的网站:
Site1.Web - ASP.NET Web 项目(.NET 4.0、WebForms) Common.Core - 类库项目(所有数据库交互)
Web 项目为每个站点出现一次,而 Common.Core 项目在所有站点之间共享。我们在 Web 项目中有一个登录表单,为了进行身份验证,需要调用类库。它将调用类似于下面的代码:
Common.Core.Authenticate auth = new Common.Core.Authenticate(conStr);
bool validLogin = auth.ValidateUser(userName, password);
if(validLogin)
{
Common.Core.User = auth.GetCurrentUser();
}
高层正在推动中间层服务/应用程序层,并希望使用更优雅的解决方案来处理单点登录。因此,决定使用 WIF 服务来处理登录和验证。此外,我们希望尽量减少每个 Web 项目中必须更改的代码,即尝试在 Common.Core 中保留尽可能多的更改。
我看过一些示例,展示了如何向 Web 项目添加 STS 引用。在用户验证未纳入 Core.Common 等其他项目的情况下,这会很有效。然而,在我们的场景中,我们如何在仍然使用公共类库的同时处理验证?
理想情况下,我想添加对 Core.Common 类库的 STS 引用,并用对 STS 服务的调用替换直接数据库逻辑(上面的 auth.ValidateUser)。然而,有可能这样做吗?请求是否必须在 Web 项目中发起?如果是这样,两个地方都需要 STS 参考吗?
遵循同一网络项目的任何教程或资源 ->类库-> STS 服务路径将不胜感激。
We have several websites that are set up in the following fashion:
Site1.Web - ASP.NET Web Project (.NET 4.0, WebForms)
Common.Core - Class Library Project (all db interaction)
The web project appears once for each site while the Common.Core project is shared among all sites. We have a login form in the web project that, in order to authenticate, calls into the class library. It would call off a code similar to below:
Common.Core.Authenticate auth = new Common.Core.Authenticate(conStr);
bool validLogin = auth.ValidateUser(userName, password);
if(validLogin)
{
Common.Core.User = auth.GetCurrentUser();
}
The higher ups are pushing for a middle layer service/app tier and want to use a more elegant solution to handle single sign on. Therefore, the decision has been made to use a WIF service to handle the login and validation. Furthermore, we want to try to minimize the code that has to change in each web project, i.e. try to keep as many changes as possible in Common.Core.
I have seen a few samples that show how to add an STS reference to a web project. This would work well in a scenario where the user validation isn't factored into another project like Core.Common. However, in our scenario, how could we handle validation while still going through the common class library?
Ideally, I would like to add an STS reference to the Core.Common class library and replace the direct db logic (auth.ValidateUser above) with a call to an STS service. However, is it even possible to do that? Does the request have to initiate in the web project? If so, is the STS reference required in both places?
Any tutorials or resources which follow the same web project -> class library -> STS service path would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我还建议使用 WIF :-)
在基于声明的场景中,身份验证过程是“相反的”。您的应用程序不会呼叫任何人,它将从受信任的来源(STS)接收所需的信息。
“STS 参考”不是库参考。它是您的应用程序与安全令牌的可信来源之间的逻辑连接。令牌是您的应用程序将用来决定如何处理用户请求的工件。
我同意 @nzpcmad 的观点,您可能可以完全删除对 Common.Core 库的调用。看看你还能用它做什么可能会很有用。 Common.Core.User 对象为您提供了什么?
如果它只是用户的属性(例如姓名、电子邮件、角色等),您很可能只需创建一个简单包装IPrincipal的新版本由 WIF(ClaimsPrincipal)提供。
例如(大约没有错误处理,伪代码):
正如@nzpcmad所说,您可以使用ADFS或其他一些STS。你的应用程序不会关心。
I would also recommend using WIF :-)
In a claims based scenario the authentication process is "reversed". Your app will not call anyone, it will receive the needed information from a trusted source (the STS).
The "STS Reference" is not a library reference. It's a logical connection between your app and the trusted source of security tokens. A token is the artifact your app will use to decide what to do with the user request.
I'd agree with @nzpcmad that it is likely you could entirely remove the calls to you Common.Core library. It might be useful to see what else can you do with it. What does the Common.Core.User object give you?
If it is just properties of a user (e.g. name, e-mail, roles, etc) it is very likely you could just create a new version that simply wraps the IPrincipal supplied byt WIF (a ClaimsPrincipal).
For example (approx. no error handling, pseudo-code):
As @nzpcmad says, you can use ADFS or some other STS. Your apps would not care.
实现此目的的一种方法是使用 ADFS 实例来 FedUtil ASP.NET 项目。本质上,身份验证现在已“外包”,您只需从应用程序中删除对核心库的调用即可。然后,ADFS 设置为返回程序授权所需的任何属性作为声明。您可能需要将这些声明属性转换为在后续调用中传递回公共核心的任何属性。
或者,您可以使公共核心“声明感知”,因为它现在识别“声明属性”而不是“公共核心”属性。这涉及使用不同的 .NET 类 - 不需要连接到 ADFS。
警告的话 - 您的身份验证似乎都与数据库相关。 ADFS 无法针对数据库进行身份验证。它只能针对安装 ADFS 的域中的 AD 实例(或其他 AD,如果 AD 之间存在信任关系)进行身份验证。
如果您想针对数据库进行身份验证,则需要一个自定义 STS,然后将其与 ADFS 联合。请参阅此处:身份服务器。
One way to achieve this is to FedUtil the ASP.NET project with an instance of ADFS. Essentially, authentication is now "outsourced" and you can simply remove the call to the core library from your app. ADFS is then setup to return whatever attributes the program needs for authorisation as claims. You may need to transform these claims attributes to whatever attributes are passed back to the common core in subsequent calls.
Or you could make the common core "claims aware" in the sense that it now recognizes "claims attributes" as opposed to "common core" attributes. This involves using different .NET classes - no hookup to ADFS is required.
Word of warning - your authentication seems to be all DB related. ADFS cannot authenticate against a DB. It can only authenticate against an instance of AD in the domain that ADFS is installed in (or other AD if trust relationship between AD).
If you want to authenticate against a DB you need a custom STS which is then federated with ADFS. See here: Identity Server.