UserNamePasswordValidator 是否可以抛出除 MessageSecurityException 以外的任何异常?
我有一个 WCF 服务通过我的 web.config 连接到 UserNamePasswordValidator,没有问题。在我的验证器中,我重写 Validate,检查凭据并在必要时抛出FaultException。
示例:
public class CredentialValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if (userName != "dummy")
{
throw new FaultException<AuthenticationFault>(new AuthenticationFault(), "Invalid credentials supplied");
}
}
}
如果我自己在 .NET 应用程序中使用此服务并提供无效凭据,则会引发 MessageSecurityException 并显示以下消息:
“从另一方收到不安全或安全不正确的故障。请参阅内部FaultException以获取故障代码和细节。”
我所期望的FaultException 是MessageSecurityException 的InnerException。
有没有办法让客户端只收到FaultException?
MessageSecurityException 并没有特别描述异常的真正原因(快速搜索 SO 会产生各种问题,包括服务器/客户端时间)同步..),并且由于第三方将使用该服务,我想尽可能清楚。
I have a WCF service hooked up with a UserNamePasswordValidator through my web.config, no problem there. In my validator, I override Validate, check the credentials and throw a FaultException if necessary.
Example:
public class CredentialValidator : UserNamePasswordValidator
{
public override void Validate(string userName, string password)
{
if (userName != "dummy")
{
throw new FaultException<AuthenticationFault>(new AuthenticationFault(), "Invalid credentials supplied");
}
}
}
If I consume this service myself in a .NET application and provide invalid credentials, a MessageSecurityException is thrown with the following message:
"An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail."
The FaultException I had expected is the InnerException of the MessageSecurityException.
Is there any way to have the client receive just the FaultException?
The MessageSecurityException isn't particularly descriptive concerning the true cause of the exception (a quick search on SO yields a variety of problems including server/client time sync..), and since a third party will be consuming the service, I'd like to be as clear as possible.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
几个月前我遇到了同样的问题,经过一些研究,我得出的结论是,您可以从验证器代码中抛出任何您想要的内容,但客户端仍然会收到 MessageSecurityException,其中根本不包含任何有用的信息。
然而,我们必须让客户知道到底发生了什么 -
1.用户名/密码错误
2.密码已过期,需要更改
3.其他一些自定义应用程序特定状态
因此我们更改了 CredentialValidator 逻辑,使其仅在情况 1 中抛出异常。在其他情况下,它实际上允许调用真正的 WCF 方法,但我们也会检查密码过期等如果出现一些问题,方法体中已经抛出了FaultException。
在我们的例子中,这仅适用于具有这种类型验证的服务(即登录服务)——因此客户端总是知道为什么他没有经过身份验证。
I had the very same issue some months ago and after some research I came to the conclusion that you may throw whatever you want from validator code, but client will still get MessageSecurityException, which contains no useful information at all.
We had to however give the client to know what actually happened -
1. wrong username/password
2. password expired, change needed
3. some other custom application specific states
So we changed CredentialValidator logic in a way that it throws exception only in case 1. In other cases it would actually allow the real WCF method to be called, but there we would check also for password expiration etc. and in case of some problems throw FaultException already from method body.
In our case this worked well for only service with this type of validation was log-in service - so the client would always know why exactly he wasn't authenticated.
从自定义密码验证器中,您可以返回描述错误的错误代码:
From custom password validator you can return FaultCode that describe what's wrong:
将错误作为 MessageSecurityException 抛出,并将内部异常作为FaultException 抛出
Throw the error as MessageSecurityException with inner exception as FaultException