How to mix WIF and non-WIF endpoints in a single WCF <service>?


Problem description

A WIF-based WCF service needs to call the method FederatedServiceCredentials.ConfigureServiceHost(), or put the equivalent element <federatedServiceHostConfiguration> in the web.config file, to work. This is a setting at the service level; in other words, it applies to all endpoints.

According to the method documentation, the ServiceHostBase instance is modified in several WIF-specific ways. For example, the authorization is replaced by a WIF-based authorization class.

Now I'd like to have a single <service> (inside <system.serviceModel><services>) with multiple <endpoint>s, where one endpoint is WIF-based and the others use plain Windows authentication.

Update. In response to an answer below, let me explain why we want to mix WIF and non-WIF endpoints. If we only use WIF, then each of our customers needs an STS, like AD FS. Setting this up is not difficult, but it is a hurdle, especially if they just want to test drive our software. So what we do is install in a mode where Windows integrated authentication is used (for our web services, and also for our front end), and then later they can switch to a mode where AD FS is used.

So basically we want to be able to install without AD FS to lower the barrier to entry of our application.

To do this, the <service> needs a <federatedServiceHostConfiguration>. However -- and here is my problem -- this also affects the non-WIF endpoints of that same service: for example, they suddenly use the WIF authorization manager (an instance of the class ClaimsAuthorizationManager).

So my question is: what is the recommended way to mix WIF and non-WIF endpoints in a single WCF <service>?

Recommended answer

I don't think you can. In your situation, though, you should have only the one WIF endpoint and leave the multiple-credential support to the STS.

You can put multiple endpoints on your STS to handle different types of authentication: one for Windows, one for username/password, for example.

I did a Code Camp Oz session last year that demonstrated this. The source is attached to my blog post at http://www.neovolve.com/post/2010/11/21/CodeCampOz-Not-a-WIF-of-federation.aspx. Have a look at the web.config in NotAWif Demo\4 - Identity Delegation\NotAWif.DelegationSTS.

<system.serviceModel>
  <services>
    <!-- One STS service, one WS-Trust contract, one endpoint per credential type. -->
    <service behaviorConfiguration="ServiceBehavior"
             name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract">

      <!-- Username/password callers -->
      <endpoint address="UserName/IWSTrust13"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007HttpBindingUserNameConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <!-- Windows integrated (Kerberos/NTLM) callers -->
      <endpoint address="Windows/IWSTrust13"
                binding="ws2007HttpBinding"
                bindingConfiguration="ws2007HttpBindingWindowsConfiguration"
                contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

      <endpoint address="mex"
                binding="mexHttpsBinding"
                contract="IMetadataExchange" />
      <host>
        <baseAddresses>
          <add baseAddress="https://localhost/NotAWif.DelegationSTS/Service.svc" />
        </baseAddresses>
      </host>
    </service>
  </services>
  <bindings>
    <ws2007HttpBinding>
      <!-- Both bindings use TLS for the transport and carry the credential in the message,
           so the same HTTPS base address can serve both credential types. -->
      <binding name="ws2007HttpBindingUserNameConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <!-- Extended protection only applies to transport-level Windows auth; with
                 clientCredentialType="None" it is inert here. Do not carry
                 policyEnforcement="Never" into a config that does use transport-level Windows auth. -->
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="UserName"
                   establishSecurityContext="false" />
        </security>
      </binding>
      <binding name="ws2007HttpBindingWindowsConfiguration">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None">
            <extendedProtectionPolicy policyEnforcement="Never" />
          </transport>
          <message clientCredentialType="Windows"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="ServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- Certificate the STS signs issued tokens with; the RP trusts this issuer. -->
          <serviceCertificate findValue="DefaultApplicationCertificate"
                              x509FindType="FindBySubjectName" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

This is how I configured the STS to support multiple types of authentication. The RP should only deal in claims, not claims|WindowsIdentity. It is the STS's responsibility to convert a particular type of authentication into a set of claims that the RP will use.
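The STS-side code that goes with the configuration above, as an added example (WIF 3.5 / Microsoft.IdentityModel API); it is not code from the answer or from the linked blog post. It shows the two pieces the config implies but does not contain: a custom UserNamePasswordValidator for the UserName endpoint, and a SecurityTokenService subclass whose GetOutputClaimsIdentity normalises a caller authenticated by either endpoint into the same claim set, so the RP never has to branch on WindowsIdentity. The type names DemoUserNameValidator, DemoSecurityTokenService, DemoCredentialStore and DemoRoleStore, the RP address and the sample accounts are assumptions for illustration.

```csharp
// Added example for a WIF 3.5 (Microsoft.IdentityModel) STS; not from the original answer.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

namespace NotAWif.Example // hypothetical namespace
{
    // Constructed stand-in stores so the example is self-contained. A real STS verifies
    // passwords against a directory or a salted-hash store and reads roles from a directory.
    static class DemoCredentialStore
    {
        static readonly Dictionary<string, string> Users = new Dictionary<string, string>
        {
            { "alice", "correct horse battery staple" }
        };
        public static bool Verify(string user, string password)
        {
            string expected;
            return user != null && Users.TryGetValue(user, out expected) && expected == password;
        }
    }

    static class DemoRoleStore
    {
        public static IEnumerable<string> RolesFor(string account)
        {
            // Both "alice" (UserName endpoint) and "CONTOSO\alice" (Windows endpoint) map to one role set.
            string key = account.Contains("\\") ? account.Substring(account.IndexOf('\\') + 1) : account;
            return key.Equals("alice", StringComparison.OrdinalIgnoreCase) ? new[] { "Operator" } : new string[0];
        }
    }

    // Wired to the UserName/IWSTrust13 endpoint through
    // <serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom"
    //   customUserNamePasswordValidatorType="NotAWif.Example.DemoUserNameValidator, ..." />.
    public class DemoUserNameValidator : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            if (!DemoCredentialStore.Verify(userName, password))
                throw new SecurityTokenException("Unknown username or bad password."); // same message for both cases
        }
    }

    public class DemoSecurityTokenService : SecurityTokenService
    {
        // Only these RPs may receive tokens (assumed address); an STS must not mint tokens for arbitrary AppliesTo.
        static readonly HashSet<string> KnownRelyingParties =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "https://localhost/NotAWif.RelyingParty/" };

        public DemoSecurityTokenService(SecurityTokenServiceConfiguration configuration) : base(configuration) { }

        protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
        {
            if (request.AppliesTo == null || !KnownRelyingParties.Contains(request.AppliesTo.Uri.AbsoluteUri))
                throw new InvalidRequestException("Relying party is not registered with this STS.");

            // Sign with the STS certificate from <serviceCredentials>; the RP trusts that issuer.
            var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
            scope.ReplyToAddress = scope.AppliesToAddress;
            scope.TokenEncryptionRequired = false; // demo only; set the RP's encrypting credentials in production
            return scope;
        }

        protected override IClaimsIdentity GetOutputClaimsIdentity(IClaimsPrincipal principal,
                                                                   RequestSecurityToken request, Scope scope)
        {
            IClaimsIdentity caller = principal.Identity as IClaimsIdentity ?? new ClaimsIdentity(principal.Identity);

            // Normalise: whichever endpoint authenticated the caller, the RP sees the same claim types
            // and can record how strong the authentication was via the AuthenticationMethod claim.
            bool viaWindows = principal.Identity is WindowsIdentity;
            string account = caller.Name; // "CONTOSO\alice" from the Windows endpoint, "alice" from UserName
            string method = viaWindows ? AuthenticationMethods.Windows : AuthenticationMethods.Password;

            var output = new ClaimsIdentity();
            output.Claims.Add(new Claim(ClaimTypes.Name, account));
            output.Claims.Add(new Claim(ClaimTypes.AuthenticationMethod, method));
            foreach (string role in DemoRoleStore.RolesFor(account))
                output.Claims.Add(new Claim(ClaimTypes.Role, role));
            return output;
        }
    }
}
```

With this in place the relying party keeps a single federated endpoint and its <federatedServiceHostConfiguration>, and the "install without AD FS" mode from the question becomes a small STS like this one (with the UserName or Windows endpoint enabled) rather than a second, non-WIF endpoint on the RP. The RP's ClaimsAuthorizationManager then authorises on ClaimTypes.Role and, where it matters, on ClaimTypes.AuthenticationMethod, and never has to know which credential the caller presented.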
