WCF REST authentication behavior

Posted on 2025-01-05 19:16:08

I want to be able to authenticate a WCF Rest webservice but I'm not really sure how to go about it. It looks like many of the other questions relate to stuff in .net 3.5 WCF (such as WebServiceHost2) which no longer seems to exist.

I am wanting to do message based authentication on the WCF service with custom usernames and passwords. From what I can tell this can be done by the following in regular WCF:

<behaviors>
  <serviceBehaviors>
    <behavior name="PasswordValidator">
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom"
                                customUserNamePasswordValidatorType="MyNamespace.PasswordValidator, MyNamespace"/>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

However, as I am using REST I can't get this web.config-based behaviour config going. I somehow need to do this in my serviceRoute.

RouteTable.Routes.Add(new ServiceRoute("", new WebServiceHostFactory(), typeof(HelloService)));

Does anyone know how to do this or have any good tutorials on message-based security with REST and WCF 4.0?

Comments (1)

笑咖 2025-01-12 19:16:08

The way I solved this was to implement a custom authorize attribute which looks at two custom fields which I added into the HTTP headers collection.

This seems to work pretty well.

using System;
using System.Net;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

public class UserAndPasswordAuthenticationAttribute : Attribute, IOperationBehavior, IParameterInspector
{
    // Register this attribute as a parameter inspector so BeforeCall runs
    // before every invocation of the decorated operation.
    public void ApplyDispatchBehavior(
        OperationDescription operationDescription,
        DispatchOperation dispatchOperation)
    {
        dispatchOperation.ParameterInspectors.Add(this);
    }

    public void AfterCall(string operationName, object[] outputs,
                          object returnValue, object correlationState)
    {
    }

    public object BeforeCall(string operationName, object[] inputs)
    {
        // Read the two custom HTTP request headers.
        string username = WebOperationContext.Current
                               .IncomingRequest.Headers["username"];
        string password = WebOperationContext.Current
                               .IncomingRequest.Headers["password"];

        // Check against hard-coded values; reject the call on mismatch.
        if (username != "bob" || password != "123")
        {
            WebOperationContext.Current.OutgoingResponse.StatusCode =
                HttpStatusCode.Unauthorized;
            throw new UnauthorizedAccessException("");
        }

        return null;
    }

    // The remaining IOperationBehavior members are not needed here.
    public void AddBindingParameters(OperationDescription operationDescription, System.ServiceModel.Channels.BindingParameterCollection bindingParameters)
    {
    }

    public void ApplyClientBehavior(OperationDescription operationDescription, ClientOperation clientOperation)
    {
    }

    public void Validate(OperationDescription operationDescription)
    {
    }
}

I can then just add this attribute to methods in my contract to secure them.
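A variant of the parameter-inspector approach above, as an added example that is not part of the original answer: it reads the standard `Authorization: Basic` header instead of two custom headers, checks the password against a salted PBKDF2 hash rather than a literal, and throws `WebFaultException`, the WCF 4.0 exception type that carries an HTTP status code. The class name, `AddUser`, the in-memory `Users` table and the iteration count are assumptions for illustration, and the endpoint is assumed to be served over HTTPS.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Text;
// Added example with hypothetical names; not the answer's or WCF's own code.
public class BasicAuthenticationAttribute : Attribute, IOperationBehavior, IParameterInspector
{
    const int Iterations = 100000; // assumed work factor
    // user -> (salt, PBKDF2 hash): in-memory stand-in for a real user store
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Users = new Dictionary<string, Tuple<byte[], byte[]>>();
    public static void AddUser(string user, string password) // call once at startup
    {
        var salt = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(salt);
        Users[user] = Tuple.Create(salt, Hash(password, salt));
    }
    static byte[] Hash(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(32);
    }
    public object BeforeCall(string operationName, object[] inputs)
    {
        string header = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Authorization];
        if (!IsValid(header)) throw new WebFaultException(HttpStatusCode.Unauthorized);
        return null;
    }
    // True only for "Basic base64(user:password)" whose password matches the stored hash.
    public static bool IsValid(string header)
    {
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase)) return false;
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; } // malformed base64
        int colon = pair.IndexOf(':');
        Tuple<byte[], byte[]> entry;
        if (colon < 0 || !Users.TryGetValue(pair.Substring(0, colon), out entry)) return false;
        byte[] actual = Hash(pair.Substring(colon + 1), entry.Item1);
        int diff = 0; // compare every byte so timing does not reveal the mismatch position
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ entry.Item2[i];
        return diff == 0;
    }
    public void ApplyDispatchBehavior(OperationDescription d, DispatchOperation op) { op.ParameterInspectors.Add(this); }
    public void AfterCall(string name, object[] outputs, object returnValue, object state) { }
    public void AddBindingParameters(OperationDescription d, System.ServiceModel.Channels.BindingParameterCollection p) { }
    public void ApplyClientBehavior(OperationDescription d, ClientOperation c) { }
    public void Validate(OperationDescription d) { }
}
```

Unknown user names return before any hashing is done, so response time still distinguishes them from known users; hashing against a dummy entry in that branch would close the gap.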
