Creating a .NET web service with client certificate authentication

Problem description:

I want to limit the access to my .NET web service to a specific list of clients. They will attach their client certificate to their every request and only get a proper response if they are "on the list".

But how and where is the best way to implement this?

On the IIS (7.0) I can set the require client certificate option, but where do I specify which client certificates I will allow access? Do I need the public part of the client certificates in the certificate store of the web server machine?

Or must a setup like this be handled in code, where I somehow extract the client certificate ID and match it to a local list?

Or is there another way?

One way to create a WCF Service on IIS7 with your security requirements is as follows.

In order to host a WCF service you may need to run the following command on your web server:

"%windir%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe" -r -y

On the IIS you set up your site with an https binding (only) and under SSL settings you set it to require SSL and require client certificates.

This alone will only allow access to your service (and wsdl) with a client certificate that is valid and with an issuer that is trusted by the web server.

In order to restrict access to specific certificates you could set up your WCF configuration file with a bindingConfiguration as:

<basicHttpBinding>
  <binding name="MyBasicHttpBinding">
    <security mode="Transport">
      <transport clientCredentialType="Certificate" />
    </security>
  </binding>
</basicHttpBinding>

And a behaviorConfiguration with a custom certificate validator as:

<behaviors>
  <serviceBehaviors>
    <behavior name="MyServiceBehavior">
      <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="false" />
      <serviceCredentials>
        <clientCertificate>
          <authentication certificateValidationMode="Custom"
            customCertificateValidatorType="<project-namespace>.ClientCertificateValidator, <project-namespace>"/>
        </clientCertificate>
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>

And lastly implement the custom validator in a new class in your project as:

using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

public class ClientCertificateValidator : X509CertificateValidator
{
    // Placeholder: replace with the thumbprint of the one client certificate to admit.
    private const string AllowedThumbprint = "<allowed-thumbprint>";

    public override void Validate(X509Certificate2 certificate)
    {
        // Reject every certificate except the one whose thumbprint matches.
        // SecurityTokenValidationException is the exception type WCF expects here.
        if (certificate.Thumbprint != AllowedThumbprint)
            throw new SecurityTokenValidationException("Client certificate not allowed");
    }
}
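The validator above admits exactly one certificate. The following is an added example (not the answerer's code) that generalizes it to an allow-list of several thumbprints, normalizes the thumbprint string before comparing (copying a thumbprint out of the certificate MMC snap-in often brings spaces along), and throws the exception type WCF expects. The namespace ExampleNamespace, the class name AllowListCertificateValidator and the thumbprint values are assumptions and placeholders; register the class through the same customCertificateValidatorType attribute shown in the behaviorConfiguration, using its own namespace and class name.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.Text;

namespace ExampleNamespace // hypothetical; use your own <project-namespace>
{
    // Allow-list validator: only client certificates whose thumbprints appear in
    // AllowedThumbprints are accepted. IIS has already verified the chain and the
    // trusted issuer before the request reaches WCF; this class only answers the
    // question "is this particular certificate on the list?".
    public class AllowListCertificateValidator : X509CertificateValidator
    {
        // Constructed placeholder thumbprints (40 hex chars, SHA-1). Replace them with
        // the thumbprints of the client certificates you actually want to admit.
        private static readonly HashSet<string> AllowedThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "0000000000000000000000000000000000000001", // placeholder: client A
                "0000000000000000000000000000000000000002", // placeholder: client B
            };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new ArgumentNullException("certificate");

            // The thumbprint is a hash of the entire encoded certificate, so matching
            // on it pins the exact certificate rather than just a subject name that a
            // different certificate could also carry.
            string thumbprint = Normalize(certificate.Thumbprint);

            if (!AllowedThumbprints.Contains(thumbprint))
            {
                // SecurityTokenValidationException is turned into an access-denied
                // fault for the caller instead of an unexplained server error.
                throw new SecurityTokenValidationException(
                    "Client certificate is not on the allow list.");
            }

            // Defensive re-check of the validity period. IIS rejects expired client
            // certificates on its own; this keeps the class safe if it is ever reused
            // behind a front end that does not.
            DateTime now = DateTime.UtcNow;
            if (now < certificate.NotBefore.ToUniversalTime() ||
                now > certificate.NotAfter.ToUniversalTime())
            {
                throw new SecurityTokenValidationException(
                    "Client certificate is outside its validity period.");
            }
        }

        // Keeps only hex digits and upper-cases them, so "ab cd ef" and "ABCDEF"
        // compare equal. Used for both the stored list and the presented certificate.
        internal static string Normalize(string thumbprint)
        {
            var sb = new StringBuilder(thumbprint.Length);
            foreach (char c in thumbprint)
            {
                if (Uri.IsHexDigit(c))
                    sb.Append(c);
            }
            return sb.ToString().ToUpperInvariant();
        }
    }
}
```

Because the list is compared by thumbprint, revoking a client means removing one line from the list (or, in a real deployment, from whatever store you load it from) rather than changing anything in IIS, and no public part of the client certificates needs to be installed in the server's certificate store for this check to work.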