RESTful WCF 服务安全

发布于 2024-12-27 19:13:04 字数 140 浏览 0 评论 0原文

我们如何验证/授权 WCF RESTful 服务（使用 webHttpBinding（而不是 wsHttpBinding，如 SOAP 情况））？即我们想要使用成员身份/角色来允许（或禁止）用户根据其角色使用每个 Web 方法。

提前致谢。宜兰.

原文

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

云裳 2025-01-03 19:13:04

您可以使用证书来保护服务或在标头中发送用户名和密码。然后，您可以通过向服务实现 IAuthorizationPolicy 来添加行为，这样您就不必在公开的每个 Web 服务方法中实现安全检查。

public class CertificateAuthorizationPolicy : IAuthorizationPolicy
{

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IIdentity identity;
        object untypedIdentities;
        if (!evaluationContext.Properties.TryGetValue("Identities", out untypedIdentities))
        {
            identity = null;
            return false;                                                                                                             
        }

        var identities = (IEnumerable<IIdentity>)untypedIdentities;

        identity = identities.Where(item => item.AuthenticationType == "X509").FirstOrDefault();

        var claimSet = (X509CertificateClaimSet)evaluationContext.ClaimSets[0];
        var certificate = claimSet.X509Certificate;

    }

在 web.config 中，您告诉服务使用授权策略

    <behavior name="CertificateSecurityServiceBehavior">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="CertificateAuthorizationPolicy, MyAssembly.Security" />
        </authorizationPolicies>
      </serviceAuthorization>
      <dataContractSerializer maxItemsInObjectGraph="2147483647" />
    </behavior>

另一种选择是在 IIS 服务器上设置 SSL，以便它需要 SSL 和客户端证书才能连接到任何页面。

You can use certificates to secure the service or send the username and password in the header. You can then add a behavior by implementing IAuthorizationPolicy to the service so that you don't have to implement the security check in every web service method that you expose.

public class CertificateAuthorizationPolicy : IAuthorizationPolicy
{

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IIdentity identity;
        object untypedIdentities;
        if (!evaluationContext.Properties.TryGetValue("Identities", out untypedIdentities))
        {
            identity = null;
            return false;                                                                                                             
        }

        var identities = (IEnumerable<IIdentity>)untypedIdentities;

        identity = identities.Where(item => item.AuthenticationType == "X509").FirstOrDefault();

        var claimSet = (X509CertificateClaimSet)evaluationContext.ClaimSets[0];
        var certificate = claimSet.X509Certificate;

    }

In web.config you tell the service to use the authorization policy

    <behavior name="CertificateSecurityServiceBehavior">
      <serviceMetadata httpGetEnabled="true" httpsGetEnabled="false" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceAuthorization principalPermissionMode="Custom">
        <authorizationPolicies>
          <add policyType="CertificateAuthorizationPolicy, MyAssembly.Security" />
        </authorizationPolicies>
      </serviceAuthorization>
      <dataContractSerializer maxItemsInObjectGraph="2147483647" />
    </behavior>

Another option is to setup SSL on the IIS Server so that it requires SSL and client certificate to connect to any page.

回复收藏 0 原文

~没有更多了~