WCF authorization from MVC 5


Problem description

Hi,

I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service. The system has roles from Identity 2. I would like to have limited access to WCF per user. I mean a "basic" user can't do the things an administrator can. Also I want to protect WCF: if a "user" tries to create his own application and connect to the service, he shouldn't do any illegal things, only those that are available when logged in to the website.

Basically it's about authorization. What I don't know is what the best practice is. Should I send a username and some token to WCF in a header? I think it's not best practice to store the password in session after login or keep it somehow. Another idea is to do the security checks on the website and make WCF communication available just from one specific application, by certificate or something else that guarantees that only that specific website app is accepted?

If none of the described practices is good, then how should it be done?

I read about some dynamic implementations like https://blogs.technet.microsoft.com/meamcs/2011/05/11/implementing-dynamic-authorization-for-a-wcf-service-using-sql-providers/ I think it's for older ASP, or does it work as well for MVC 5?

If you could post some tutorial on how to do it with MVC 5 it would be nice. Especially with the client implementation; I don't know if creating a client instance is enough.

Thanks for sharing your knowledge :)

Solution

> I have an ASP.NET application with users (based on ASP.NET Identity 2). Each user can post data to a WCF service. The system has roles from Identity 2. I would like to have limited access to WCF per user.

The limitations as to what a user can or cannot do are applied on the client side at the UI, at the MVC controller, and in business rules in the business logic layer against domain objects.

> Also I want to protect WCF: if a "user" tries to create his own application and connect to the service, he shouldn't do any illegal things, only those that are available when logged in to the website.

It's kind of questionable if you have the WCF service on the protected LAN, and it's not being exposed to the public Internet directly. It would be kind of questionable if you were using an n-tier architecture with the MVC solution where layers were implemented and Separation of Concerns was implemented to further protect the service.

> Basically it's about authorization. What I don't know is what the best practice is. Should I send a username and some token to WCF in a header?

If all the WCF service is is some pass-through to the backend for CRUD operations with a DB on the protected LAN, then what is the point, particularly so if the WCF service is never directly exposed to the public Internet?

If you are that concerned about the security of a service or services exposed directly to the public Internet, then maybe you should look into a service layer.

https://msdn.microsoft.com/en-us/library/ee658090.aspx

If you are somehow thinking that this is a solution you put on a Web server, and the solution is going to be exposed to the public Internet on the Windows O/S using IIS, then if the O/S, IIS, file system, registry, and user accounts are not hardened against attack, you are just putting up hack-bait and a jumping-off point for hackers to attack other networks, with security of WCF being the least of your problems.

There are 1,000-page books on hardening the Windows O/S against attack when exposed to the public Internet, and the experts can hardly do it.

With that being said, if you are thinking of exposing the solution to the public Internet, then you should look into a Web hosting service.
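
The layering the answer describes, with the role limit enforced again in the business logic layer that sits between the MVC controller and the WCF proxy, shown as an added example (not code from the original question or answer). `IReportService`, `ConsoleReportService`, `ReportManager` and the role name `Administrator` are hypothetical; in an MVC 5 controller the `IPrincipal` passed in would be the controller's `User` property.

```csharp
using System;
using System.Security;
using System.Security.Principal;

// Hypothetical contract standing in for the generated WCF client proxy.
public interface IReportService
{
    void SubmitReport(string owner, string body);
    void DeleteReport(int reportId);
}
// Constructed stand-in for the proxy so the example runs without a service.
public sealed class ConsoleReportService : IReportService
{
    public void SubmitReport(string owner, string body) { Console.WriteLine("submit by " + owner); }
    public void DeleteReport(int reportId) { Console.WriteLine("delete " + reportId); }
}
// Business logic layer: the only code that holds the WCF proxy.
public sealed class ReportManager
{
    private readonly IReportService _service;
    public ReportManager(IReportService service) { _service = service; }
    // Any authenticated user may post data, but only under their own name:
    // the owner comes from the server-side principal, never from client input.
    public void Submit(IPrincipal user, string body)
    {
        RequireAuthenticated(user);
        _service.SubmitReport(user.Identity.Name, body);
    }
    // Administrator-only rule, enforced even if a controller omits [Authorize].
    public void Delete(IPrincipal user, int reportId)
    {
        RequireAuthenticated(user);
        if (!user.IsInRole("Administrator")) throw new SecurityException("Administrator role required.");
        _service.DeleteReport(reportId);
    }
    private static void RequireAuthenticated(IPrincipal user)
    {
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Authenticated user required.");
    }
}

public static class Program
{
    public static void Main()
    {
        var manager = new ReportManager(new ConsoleReportService());
        var basic = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Basic" }); // constructed user
        manager.Submit(basic, "hello"); // allowed for any authenticated user
        try { manager.Delete(basic, 7); } catch (SecurityException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```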
