如何对每个 WCF 调用进行身份验证和授权? [英] How to Authenticate and Authorize every WCF call?
问题描述
我有 WPF 客户端使用 IIS 中托管的 WCF 服务.对于身份验证,我正在考虑证书或用户名身份验证.客户端调用 WCF 中的几个方法并传递一些消息.
I have WPF client consuming WCF service hosted in IIS. For authentication I am thinking of either certificate or user name authentication. Client calls couple of methods in WCF and passes some message.
- 对于 WCF 的每个呼叫,我想要对用户进行身份验证.
- 要在数据库中放置消息,我必须知道谁是呼叫者,他们的用户名是什么以及关于用户的其他一些属性.如何在每次调用时传递这些信息[可能是一个小对象]?
推荐答案
这是推荐的默认行为 - 对 WCF 服务的每次调用都会获得该服务的一个新实例,并且每次调用都经过身份验证和授权.
This is the recommended default behavior - each call to the WCF service gets a new instance of the service, and each call is authenticated and authorized.
请确保不要在 WCF 中启用诸如会话模式之类的功能,并且不要走 WCF 单例的道路.
Just make sure not to enable things like session mode in WCF, and don't go down the path of a WCF singleton.
只需保持一个常规的、标准的每次调用"WCF 服务 - 没有问题.
Just keep a regular, standard "per-call" WCF service - no issue there.
如果您在公司 LAN 上,您还可以考虑使用 Windows 凭据进行身份验证(这是 wsHttpBinding 和 netTcpBinding 的默认设置).
If you're on a corporate LAN, you could also think about using Windows credentials for authentication (which is the default for wsHttpBinding and netTcpBinding).
有一个非常广泛的 WCF 安全指南,其中包含大量示例和有关如何设置的操作指南WCF 安全的某些场景.
There's a really extensive WCF Security Guide which has tons of samples and how-to guides on how to set up certain scenarios of WCF security.
我还建议您查看WCF 安全基础WCF 及其安全机制的精彩介绍.
I would also recommend you check out The Fundamentals of WCF Security for a great intro to WCF and its security mechanisms.
更高级的是声明WCF安全的想法其中 Juval Lowy 介绍了五个安全场景(非常值得一读!)并将它们封装到安全属性中以应用于您的服务合同.
A bit more advanced is the idea of Declarate WCF Security in which Juval Lowy introduces five security scenarios (that's a very worthy read!) and encapsulates them into security attributes to be applied to your service contract(s).
这篇关于如何对每个 WCF 调用进行身份验证和授权?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
