使用 System.ServiceModel.ServiceAuthenticationManager 自定义 WCF 身份验证?
我正在研究自定义 WCF 身份验证和授权,并找到了一些关于 UserNamePasswordValidator 和 ServiceAuthorizationManager 的文章.
I'm working on custom WCF authentication and authorization and found some articles about UserNamePasswordValidator and ServiceAuthorizationManager.
我还发现了有关使用自定义 System.ServiceModel.ServiceAuthenticationManager(死链接)的线索,但 msdn 并没有提供太多关于它 ( http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthenticationmanager.aspx).
I also found clues about using a custom System.ServiceModel.ServiceAuthenticationManager (dead link ), but msdn does not tell a lot about it ( http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthenticationmanager.aspx ).
所以我来了:有人知道更多关于 ServiceAuthenticationManager 的信息吗?
So here I am: anyone knows more about ServiceAuthenticationManager ?
一般来说,您将如何设置自定义 WCF 身份验证?
In general, how would you set up custom WCF authentication ?
你说得对,关于这个的文档根本没有帮助.
You're right, the documentation on this is no help at all.
我使用这个类的方式如下.覆盖 Authenticate() 方法以:
The way I have used this class is as follows. Override the Authenticate() method to:
- 从传入的消息中提取身份验证令牌(例如用户名/密码)
- 验证令牌并使用它们来创建 IPrincipal 对象.这将是在调用服务操作期间使用的主体.
- 将 IPrincipal 对象添加到 message.Properties 集合,以便稍后在 WCF 处理管道中使用
此时不能只设置线程主体,因为它稍后会被 WCF 更改.
You can't just set the thread principal at this point as it is changed later on by WCF.
ServiceAuthenticationManager.Authenticate() 方法中的代码如下所示:
The code in the ServiceAuthenticationManager.Authenticate() methods would look something like this:
public override ReadOnlyCollection<IAuthorizationPolicy> Authenticate(ReadOnlyCollection<IAuthorizationPolicy> authPolicy, Uri listenUri, ref Message message)
{
int tokenPosition = message.Headers.FindHeader("Token", "http://customnamespace.org");
string token = message.Headers.GetHeader<string>(tokenPosition);
IPrincipal user = new CustomPrincipal(token);
message.Properties["Principal"] = user;
return authPolicy;
}
然后你添加一个自定义授权策略
Then you add a custom authorization policy that
- 从消息中检索 IPrincipal(使用 System.ServiceModel.EvaluationContext.Current.IncomingMessageProperties 集合).
- 将 IPrincipal 推送到 EvaluationContext.Properties 集合中
- 基于 IPrincipal.IsInRole() 方法进行声明
IAuthorizationPolicy() 方法中的代码如下
The code in the IAuthorizationPolicy() method would look like
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
IPrincipal user = OperationContext.Current.IncomingMessageProperties["Principal"] as IPrincipal;
evaluationContext.Properties["Principal"] = user;
evaluationContext.Properties["Identities"] = new List<IIdentity> { user.Identity };
IList<Claim> roleClaims = this.GetRoleClaims(user);
evaluationContext.AddClaimSet(this, new DefaultClaimSet(this.Issuer, roleClaims));
return true;
}
在服务行为配置中,需要设置principalPermissionMode="Custom",以便WCF将IPrincipal设置为实际服务操作调用的执行线程上的principal.
In the service behaviour configuration, you need to set principalPermissionMode="Custom" in order for WCF to set the IPrincipal as the principal on the executing thread for the actual service operation invocation.
<serviceAuthorization principalPermissionMode="Custom"...