WCF Data Services authentication

Posted 2025-01-06 07:26:13


EDIT: I've decided to go for WCF Data Services as opposed to MVC3

Now that I have decided to go for WCF Data Services - I need a way to authenticate and authorise users.

Have looked at setting up a SQLMembership DB, but am struggling to actually authenticate the users. My clients won't be .NET applications - most likely will be an iPhone/Android app that will call the RESTful WCF Data Service to get data...


Comments (2)

还不是爱你 2025-01-13 07:26:13


Authentication

WCF Data Services allow for a variety of authentication options, as described on MSDN: Securing WCF Data Services. From the available methods, Windows authentication is the most secure, using either the NTLM or Kerberos mechanism. Due to the constraints on cross-platform availability, the most appropriate and secure authentication method that can be used is NTLM, as it is available on almost all current platforms: Android (from version 4.0 "Ice Cream Sandwich"), iOS, Linux, UNIX, Windows.

Setting up Windows authentication for an OData service hosted on IIS means disabling Anonymous Access and enabling Integrated Windows authentication. A more detailed guide can be found at Odata and Windows Authentication.

For a more fine-grained control of the users allowed to access the service, access can be granted or denied to both user roles/groups, as well as specific users, directly from the configuration file (i.e. web.config). The syntax for allowing access for a specific user is described below. For maximum security, it is advised to deny access to all users/groups, and then explicitly allow access, as required. The rules in between the authorization tags are taken in order (i.e. allowing user DOMAIN\user access takes precedence over the denial for all users).

   <authorization>
      <allow users="DOMAIN\user"/>
      <!-- Deny access to every other authenticated or anonymous user -->
      <deny users="*" />
      <deny users="?" />
   </authorization>

If the authorization tag is not explicitly defined in the configuration file, then IIS will authenticate and allow access for all connecting users that are recognized (in the Active Directory or local machine).

Setting up Windows authentication in a cross-domain environment is possible, but requires either:

  • a trust to be established between the domains (so that IIS can authenticate external users), or
  • the same username/password combination to be present on both domains, or
  • the client in the external domain authenticating with credentials valid for the server domain.

The available options for such situations are described in more detail in this blog post.

Impersonation

In order to be able to log in to the database, and retrieve the desired data using the Windows Account credentials sent to the WCF Data Service, the service needs to impersonate the user. This can be done either in code or in configuration.

  • In the configuration file (i.e. web.config), the following setting
    must be made:

    <identity impersonate="true" />

  • If it is not desired for the entire service to run under the
    credentials of the connecting user, impersonation can be set up
    programmatically, where needed, in the following way:

    ' Identity established by IIS Windows authentication for this request
    Dim lUser = TryCast(HttpContext.Current.User.Identity, WindowsIdentity)
    Dim lUserContext = WindowsIdentity.Impersonate(lUser.Token)  ' act as the caller
    lUserContext.Undo()  ' revert to the service identity when done
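To make the ordering rule in the answer concrete, here is an added Python model of how ASP.NET URL authorization walks the `<authorization>` rules (first match decides, no match means allow). It is not code from the answer or from the .NET framework; the role name DOMAIN\ODataReaders and the principals are constructed samples. It also shows the failure mode of placing the catch-all deny before the allow.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample: the answer's rules plus a role-based <allow>.
# Order matters: the first rule that matches the caller decides.
AUTHORIZATION_XML = """
<authorization>
  <allow users="DOMAIN\\user"/>
  <allow roles="DOMAIN\\ODataReaders"/>
  <!-- Deny access to every other authenticated or anonymous user -->
  <deny users="*"/>
  <deny users="?"/>
</authorization>
"""

# Same intent with the catch-all deny written first: the later <allow>
# is never reached, so even DOMAIN\user is refused.
DENY_FIRST_XML = """
<authorization>
  <deny users="*"/>
  <allow users="DOMAIN\\user"/>
</authorization>
"""

@dataclass(frozen=True)
class Principal:
    name: Optional[str]                 # None models an anonymous caller
    roles: FrozenSet[str] = frozenset()

def _values(attr):
    return [v.strip() for v in (attr or "").split(",") if v.strip()]

def _matches(rule, p):
    for u in _values(rule.get("users")):
        if u == "*":                                  # everyone
            return True
        if u == "?" and p.name is None:               # anonymous only
            return True
        if p.name is not None and u.lower() == p.name.lower():
            return True
    roles = {r.lower() for r in p.roles}
    return any(r.lower() in roles for r in _values(rule.get("roles")))

def is_allowed(authorization_xml, principal):
    """Walk the rules in document order; the first match decides. With no
    matching rule access is granted (the implicit <allow users="*"/>)."""
    for rule in ET.fromstring(authorization_xml):
        if rule.tag in ("allow", "deny") and _matches(rule, principal):
            return rule.tag == "allow"
    return True
```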

Smile简单爱 2025-01-13 07:26:13


I would suggest using ServiceStack.net with MVC 3. ServiceStack is a Web Service framework that plays very well with MVC 3, includes a NuGet package to set everything up, and works natively with JSON. The best thing about it is no configuration (as opposed to WCF) and the simple and powerful code-first approach. It is also very fast. See servicestack.net for the download and my tutorial for getting started with it. From my tutorial you can replace the Tridion code in the repository with your own DB code to store data.
