Authentication Service using WCF


Question

I have a custom MembershipProvider as shown below. It validates user name and password against Active Directory. I would like to make this an "authentication service". This should work even if the client uses forms authentication or windows authentication.

There is a WCF "HR Service" which is providing employee information. The "HR UI" website is using the "HR Service" WCF service. Now we need to ensure that any client using the "HR Service" should be authenticated using the "authentication service" before accessing the operations of "HR Service". If the client application is authenticated once, next time onwards it should not be validated again (till the application is closed). When a new instance of the client application is opened it needs to be authenticated from the beginning.

How do we achieve it? Do we have any code samples for the end to end flow demonstration?

Note: I should be able to test it using self hosted services.

Note: The client can be of any platform (e.g. Java).

using System.Web.Security;

namespace LijosCustomValidation
{
    public sealed class LijoMembershipProvider : MembershipProvider
    {
        public override bool ValidateUser(string username, string password)
        {
            bool isValid = true;
            // my logic to validate the user name and password
            return isValid;
        }

        // other implementations of Abstract Methods from MembershipProvider
    }
}

Recommended answer

Your auth service should return a token if the auth is successful. This token in turn should then be presented to the HR service.

You have a couple of options as to what the HR service does at this point. It can either know the secret to validate the token, or it needs to call the auth service to validate the token.

The token should be some value that can be validated if you know the secret, so it could be something, say the user's id, that is symmetrically encrypted. Ideally it should have a time component in it to prevent replay attacks.

I'd suggest something like

<hash value>|<token issue time>|<user id>

The hash value should be a hash (sha1, md5, etc) of everything after the first pipe. You can then base64 encode the result and pass it around. Validating the token could then check the issue date was within a certain time-frame.

You also have the option of storing the token in the client in a cookie and passing as a cookie to the services, or making it a parameter on your services. There may be other options, depending on your client architecture & how you want to structure your services.
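
The token scheme from the answer above, as an added C# example that is not the answerer's code: the auth service issues `<hash value>|<token issue time>|<user id>` and the HR service validates it with the shared secret. It uses HMAC-SHA256 keyed with that secret in place of a bare sha1/md5 hash, because an unkeyed hash can be recomputed by anyone who changes the user id. `TokenService`, `Issue`, `TryValidate` and the Unix-seconds time format are assumptions.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example; TokenService and its members are hypothetical names.
public static class TokenService
{
    // Base64(HMAC-SHA256(secret, "<token issue time>|<user id>"))
    static string Mac(byte[] secret, string payload)
    {
        using (var hmac = new HMACSHA256(secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compares every byte instead of stopping at the first mismatch (avoids a timing leak).
    static bool SameBytes(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Auth service: base64 of "<hash value>|<token issue time>|<user id>".
    public static string Issue(byte[] secret, string userId, DateTimeOffset now)
    {
        string payload = now.ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture) + "|" + userId;
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(Mac(secret, payload) + "|" + payload));
    }

    // HR service: true only if the MAC matches and the token is no older than maxAge.
    public static bool TryValidate(byte[] secret, string token, DateTimeOffset now, TimeSpan maxAge, out string userId)
    {
        userId = null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(token ?? "")); }
        catch (FormatException) { return false; }
        string[] parts = decoded.Split(new[] { '|' }, 3); // user id may itself contain '|'
        if (parts.Length != 3) return false;
        // Verify the MAC before trusting the time or user id fields.
        string expected = Mac(secret, parts[1] + "|" + parts[2]);
        if (!SameBytes(Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(parts[0]))) return false;
        if (!long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out long issued)) return false;
        long age = now.ToUnixTimeSeconds() - issued;
        if (age < 0 || age > (long)maxAge.TotalSeconds) return false; // future-dated or expired
        userId = parts[2];
        return true;
    }
}
```

The issue-time check only narrows the replay window: a captured token stays usable until it expires, so it should only travel over TLS.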
