基于声明的身份验证和授权 [英] Claim based authentication and authorization

问题描述

我想为 WCF实施基于令牌的身份验证和授权服务（多个）其中用户名和密码将与加密格式生成的自定义令牌一起发送。还需要提供运营合同授权。我不会使用aspnet管理表，而是为用户和角色使用简单的自定义表。



工作流程有点像：



用户消费服务。

提供用户名和密码。

创建一个令牌，并附上UserName和Password，并发送给DB进行身份验证。

回复和用户调用操作合同。

发送UserName，Pwd和Token进行授权。

消费服务授权和方法。





请提供可行的解决方案。

Hi,

I want to implement token based authentication and authorization for my WCF services(multiple) where username and password will be sent along with custom token generated in encrypt format. Also need to provide authorization on operation contract. i will not be using aspnet management table but simple custom table for users and roles.

Workflow will be somewhat like:

User consumes service(s).
Provides UserName and Password.
A token is created and attached with UserName and Password and sent to DB for authentication.
Responses back and user call the operation contract.
UserName,Pwd and Token is sent for authorization.
Service authorises and method is consumed.


Please provide a workable solution.

推荐答案

您可以将所有服务文件放在文件夹和文件夹中。为它安排表单身份验证。

但是当便携式设备要使用你的服务时，它可能会有缺点。



否则你可以关注以下链接的服务合同级别安全&加密：



使用消息合同的WCF服务方法级别安全性 [ ^ ]



WCF常见问题解答：第3部分 - 与安全相关的常见问题解答 [ ^ ]



现在我相信当您在用户浏览器中存储用户身份时，您将需要所有这些加密/解密。在服务器级别Coz一切都是安全的。

如果你想实现编码，你可以按照以下链接：



如何在asp.net中加密和解密密码 [< a href =http://www.codeproject.com/Questions/195713/how-to-encrypt-and-decrypt-password-in-asp-nettarget =_ blanktitle =New Window> ^ ]



http：// forums。 asp.net/t/1784129.aspx/1 [ ^ ]



因此，根据您的要求，通过加密将用户身份存储在用户的浏览器中，您可以按照下面提到的链接：



HttpSecureCookie，一种使用ASP.NET 2.0加密Cookie的方法 [ ^ ]



如果你想使用服务器端存储技术实现安全身份，那么我建议你去使用Session变量。 />


我相信这可以在某种程度上帮助你。

You can put all your Service files in a Folder & Arrange Forms Authentication for it.
But it might come with demerits when portable devices are going to consume your Service.

Otherwise you can follow the below links for Service contract level Security & Encryption:

WCF Service Method Level Security using Message Contract[^]

WCF FAQ: Part 3 – 10 security related FAQ[^]

Now what I believe you going to need all this encryption/decryption when you are storing the user Identity in User''s Browser. Coz at server level everything is Secure.
So you can follow the below links if you want to implement Encrption:

how to encrypt and decrypt password in asp.net[^]

http://forums.asp.net/t/1784129.aspx/1[^]

So as per your requirement to store the Identity of User in user''s Browser by Encrypting it, you could follow the below mentioned link:

HttpSecureCookie, A Way to Encrypt Cookies with ASP.NET 2.0[^]

Still if you want to implement a Secure Identity using Server side storing technique, then I''d suggest you to go for Session variable.

I believe this could help you to some extent.

这篇关于基于声明的身份验证和授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！