如何使用从SharePoint服务器外部使用STS保护的WCF服务? [英] How to consume a WCF service secured with STS from outside the SharePoint server?
问题描述
您好,
我们有一个自定义WCF服务项目,它在IIS网络应用程序下面的IIS中配置为Web应用程序。
过去,身份验证设置为匿名访问,因为我们需要能够从SharePoint服务器外部调用这些Web服务,通常是Office的加载项(Word,Excel和Outlook)。 / p>
出于安全考虑,我们正试图找到一种方法来完全禁用对WCF服务的匿名访问。
我们已经考虑过使用ADFS和Kerberos就此而言,但遗憾的是,这些都不是真正的选择,因为我们不一定能够访问所有客户的域控制器。
经过数周和数周的时间研究我们偶然发现了使用SharePointSecurityToken服务保护自定义WCF服务的方法,方法是使用
SPChannelFactoryOperations.CreateChannelActingA sLoggedOnUser。
这是我们提出的方法:
///< ;总结>
///使用非匿名自定义WCF服务应用程序和声明(WS2007Federation)配置服务端点。
///< / summary>
///< typeparam name =" TChannel"> WCF网络服务的界面。< / typeparam>
///< param name =" channel">对WCF服务客户端的引用。< / param>
///< param name =" serviceInterfaceType"> WCF服务接口的类型。< / param>
///< param name =" contextUrl">确定网络服务网址的上下文。< / param>
///< param name =" serviceName">要配置的服务的名称。< / param>
///< returns>对WCF服务接口的引用< / returns>
public static TChannel ConfigureServiceEndpoint< TChannel>
(TChannel频道,类型serviceInterfaceType,Uri contextUrl,字符串serviceName),其中TChannel:class
{
TChannel returnValue;
ClientBase< TChannel> client = channel as ClientBase< TChannel> ;;
ServiceEndpoint serviceEndpoint = client.Endpoint;
string serviceUrlString;
//独立证书是,deze altijd accepteren
System.Net.ServicePointManager.ServerCertificateValidationCallback =(subsender,certificate,chain,sslPolicyErrors)=>真正; // Accepteer altijd
#if!SP2007
Uri issuerUri =((WSFederationHttpBinding)(((ClientBase< TChannel>)(client))。Endpoint.Binding))。Security.Message.IssuerAddress.Uri;
//以SharePoint方式配置频道
SPChannelFactoryOperations.ConfigureCredentials< TChannel>(client.ChannelFactory,Microsoft.SharePoint.SPServiceAuthenticationMode.Claims);
serviceUrlString =" https://" + issuerUri.Host +" CustomWebservices /" + serviceName +" .svc" ;;
serviceEndpoint.Address = new System.ServiceModel.EndpointAddress(new Uri(serviceUrlString));
TChannel service = SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser< TChannel>(client.ChannelFactory,serviceEndpoint.Address);
if(client.Endpoint.Binding是WS2007FederationHttpBinding)
returnValue = service;
else
#endif
{
#if DEBUG&& SP2007
bool isLocalHost = Context.Request.Url.Authority.StartsWith(" localhost");
if(isLocalHost)
contextUrl = new Uri(" http://intern.devsp07.windextest.local");
#endif
serviceUrlString = contextUrl.Scheme +"://" + contextUrl.Authority +" CustomWebservices /" + serviceName +" .svc" ;;
// Aanmaken endpointaddress met de meegegeven url
serviceEndpoint.Address = new System.ServiceModel.EndpointAddress(new Uri(serviceUrlString));
// Indien het schema van de service
if(serviceEndpoint.Address.Uri.Scheme.Equals(" https"))
serviceEndpoint.Binding = new WSHttpBinding(Settings .Default.SecureHttpBindingName);
else
serviceEndpoint.Binding = new BasicHttpBinding(Settings.Default.BasicHttpBindingName);
returnValue =客户端作为TChannel;
}
返回returnValue;
}
这适用于从SharePoint服务器本身完成的Web服务调用。
当然上面的代码仅适用于从那里完成的Web服务调用。
当我们从Office加载项(Word / Excel / Outlook)尝试此问题时出现问题,您无法调用SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser,因为您没有可用的Microsoft.SharePoint。
我们绝对需要从Office的这些WPF加载项调用自定义WCF服务 ;(VSTO)。
问题:是否可以使用
从SharePoint服务器外部使用 SharePoint的安全令牌服务?或者这不是可能的,我们真的需要为此目的编写自定义STS吗?
似乎您可以创建一个WCF服务来使用Windows域用户名和密码验证客户端然后调用
服务。
以下是一些链接供您参考。
最好的问候,
利
Hello,
We have a custom WCF services project that is configured as a web application in IIS beneath a SharePoint web application.
In the past the authentication was set to Anonymous access, because we need to be able to call these web services from outside the SharePoint server, typically Add-Ins for Office (Word, Excel and Outlook).
Due to security concerns, we are trying to find a way to disable anonymous access to the WCF services altogether.
We've already looked into using ADFS and Kerberos for this, but unfortunately neither of those are really an option, since we don't necessarily have access to the Domain Controllers of all of our customers.
After weeks and weeks of research we stumbled upon a way to secure custom WCF services using the SharePointSecurityToken service, by making use of SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser.
This is the method we came up with:
/// <summary>
/// Configures a service endpoint with a non-anonymous custom WCF service application and with claims (WS2007Federation) in mind.
/// </summary>
/// <typeparam name="TChannel">The interface of the WCF web service.</typeparam>
/// <param name="channel">A reference to the WCF service client.</param>
/// <param name="serviceInterfaceType">The type of the WCF service's interface.</param>
/// <param name="contextUrl">The context to determine the url for the webservice on.</param>
/// <param name="serviceName">The name for the service to configure.</param>
/// <returns>A reference to the WCF service interface</returns>
public static TChannel ConfigureServiceEndpoint<TChannel>
(TChannel channel, Type serviceInterfaceType, Uri contextUrl, string serviceName) where TChannel : class
{
TChannel returnValue;
ClientBase<TChannel> client = channel as ClientBase<TChannel>;
ServiceEndpoint serviceEndpoint = client.Endpoint;
string serviceUrlString;
//Indien er een certificaat is, deze altijd accepteren
System.Net.ServicePointManager.ServerCertificateValidationCallback = (subsender, certificate, chain, sslPolicyErrors) => true; //Accepteer altijd
#if !SP2007
Uri issuerUri = ((WSFederationHttpBinding)(((ClientBase<TChannel>)(client)).Endpoint.Binding)).Security.Message.IssuerAddress.Uri;
//configure the channel the SharePoint way
SPChannelFactoryOperations.ConfigureCredentials<TChannel>(client.ChannelFactory, Microsoft.SharePoint.SPServiceAuthenticationMode.Claims);
serviceUrlString = "https://" + issuerUri.Host + "CustomWebservices/" + serviceName + ".svc";
serviceEndpoint.Address = new System.ServiceModel.EndpointAddress(new Uri(serviceUrlString));
TChannel service = SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser<TChannel>(client.ChannelFactory, serviceEndpoint.Address);
if (client.Endpoint.Binding is WS2007FederationHttpBinding)
returnValue = service;
else
#endif
{
#if DEBUG && SP2007
bool isLocalHost = Context.Request.Url.Authority.StartsWith("localhost");
if (isLocalHost)
contextUrl = new Uri("http://intern.devsp07.windextest.local");
#endif
serviceUrlString = contextUrl.Scheme + "://" + contextUrl.Authority + "CustomWebservices/" + serviceName + ".svc";
//Aanmaken endpointaddress met de meegegeven url
serviceEndpoint.Address = new System.ServiceModel.EndpointAddress(new Uri(serviceUrlString));
//Indien het schema van de service
if (serviceEndpoint.Address.Uri.Scheme.Equals("https"))
serviceEndpoint.Binding = new WSHttpBinding(Settings.Default.SecureHttpBindingName);
else
serviceEndpoint.Binding = new BasicHttpBinding(Settings.Default.BasicHttpBindingName);
returnValue = client as TChannel;
}
return returnValue;
}This works perfectly for web service calls done from within the SharePoint server itself.
Of course above code only works for web service calls that are done from there.
The problems arise when we try this from an Office add-in (Word / Excel / Outlook), where you can't call SPChannelFactoryOperations.CreateChannelActingAsLoggedOnUser since you don't have Microsoft.SharePoint available.
We absolutely need to call the custom WCF services from these WPF add-ins for Office (VSTO).
Question: Is it possible to consume a WCF service from outside the SharePoint server using SharePoint's security token service? Or isn't this possible and do we really need to write a custom STS for this purpose?
Hi,
Seems you could create a WCF service to authenticate a client with a Windows domain username and password and then call the service.
Here are some links for your reference.
Best Regards,
Lee
这篇关于如何使用从SharePoint服务器外部使用STS保护的WCF服务?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
