WCF授权 - 通过索赔获得运营 [英] WCF Authorization - access to operations via claims

问题描述

我试图实现对WCF服务授权，但我遇到了一些困难，显著。我想我需要使用一个混合解决方案相结合的自定义身份验证和主张，但我不知道这是否是正确的。

我的应用程序使用Windows身份验证连接到应用程序。一旦用户已经被授权，需要根据存储在数据库中的权限信息被授权访问的功能。

用户可以通过应用程序界面分配权限。权限层次结构的一个级别对应于访问单个WCF功能：

• 访问模块（纯粹的组织）
  
  
  
  • 访问功能（访问WCF功能，自动检查）
    
    
    
    • 功能特定的权限（在code动态检查）
    
    
  
  

样的结构和用法：

• 运输
  
  
  
  • 可以创建装运
    
    
    
    • 可以覆盖命名约定
    
    
  
  
  • 可以打包装运
    
    
    
    • 必须由监督员进行验证
    
    
    • 可以生成海关文件
      ...
    
    
  
  

类ShippingService：IShippingService
{
    //访问对应于可以创建出货权限
    公共BOOL  CreateShipment （字符串名称）
    {
        ...        //检查特定功能的权限动态。
        如果（！ConformsToNamingConvention（名称）&&！的checkPermission（Permissions.CanOverrideNamingConvention）的）
            返回false;
        ....
        返回true;
    }
}

我想我需要做的是建立通过实施IAuthorizationPolicy一个自定义的授权策略。这将连接到数据库，拉权限的用户，并添加为每个权限的索赔。然后，我将需要创建一个自定义的授权管理器将所要求的行动的权利要求的列表进行比较，以确定是否连接的用户被授权。

这是解决这个正确的方法，还是我：

一）过于复杂的问题，或者

b）使用WCF组件不正确（如索赔，IAuthorizationPolicy，AuthorizationManager ...）

在此先感谢您的帮助，和最诚挚的问候。

解决方案

你必须用这种方式与几乎所有其他方法的问题是要允许业务用户创建和删除角色的事实飞。你怎么连要检查在code？通常情况下，你会限制方法或服务调用的执行特定角色（或一组角色） - 这是怎么回事工作，如果你想有一个获得在运行时动态创建的角色

如果你可以用pre定义的角色生活，还有一些解决方案。你已经检查出 ASP.NET角色提供？它是更普遍的ASP.NET成员资格和角色提供集的一部分，但它可以在它自己的使用，也

要激活它，在你的配置使用这个片段（一旦你已经设置了ASP.NET的角色提供的东西的基础设施）：

 ＆LT;＆行为GT;
 ＆LT; serviceBehaviors＆GT;
  ＆LT;行为NAME =CalculatorServiceBehavior＆GT;
   ＆LT; serviceAuthorization principalPermissionMode =UseAspNetRoles
                         roleProviderName =SqlRoleProvider/＆GT;
  ＆LT; /行为＆GT;
 ＆LT; / serviceBehaviors＆GT;
＆LT; /行为＆GT;
 

我一直在寻找的授权管理器（AzMan）唯一的其他想法：这是一套工具，让您指定相当精细原子的权限，一个企业用户就可以组合成角色和用户分配到那些。但基本上，最终，在粒状程序功能最底层（AzMan的在任务），你正在处理一组静态的权利，又

看看这个 AzMan的上MSDN文章的作一介绍和看此<一个href=\"http://wcfsecurity.$c$cplex.com/Wiki/View.aspx?title=How%20do%20I%20use%20the%20Authorization%20Store%20role%20provider%20for%20ASPNET%20role%20authorization%20in%20WCF%3F\"相对=nofollow>文章中对如何从WCF服务使用的WCF安全指导。我不知道AzMan的当前状态，我不知道这是否会发展更进一步了 - 几乎有点像是它不会（但我不是100％肯定上）

马克

I am trying to implement authorization for a WCF service but I have run into some significant difficulties. I think I need to use a hybrid solution combining custom authentication and claims, but I am not sure if this is correct.

My application uses Windows authentication to connect to the application. Once the user has been authorized, access to functions needs to be granted based on permission information stored in the database.

Users can be assigned permissions via the application interface. One level of the permission heirarchy corresponds to access to individual WCF functions:

• Access to module (purely organizational)
  • Access to function (access to WCF function, checked automatically)
    • Function-specific permissions (checked dynamically in code)

Sample structure and usage:

• Shipping
  • Can Create Shipment
    • Can override naming conventions
  • Can Package Shipment
    • Must be verified by supervisor
    • Can generate customs documentation ...

class ShippingService : IShippingService
{
    // Access corresponds to "Can create shipment" permission
    public bool CreateShipment(string name)
    {
        ...

        // Check the function-specific permission dynamically.
        if (!ConformsToNamingConvention(name) && !CheckPermission(Permissions.CanOverrideNamingConvention))
            return false;
        ....
        return true;
    }
}

I think what I need to do is to create a custom Authorization Policy by implementing IAuthorizationPolicy. This will connect to the database, pull the permissions for the user and add a claim for each of the permissions. I will then need to create a custom authorization manager that will compare the requested action with the list of claims to determine if the connecting user is authorized.

Is this the correct way to approach this, or am I:

a) overcomplicating the issue, or

b) using WCF components incorrectly (such as claims, IAuthorizationPolicy, AuthorizationManager...)

Thanks in advance for any help, and best regards.

解决方案

The problem you'll have with this approach as with just about all the other approaches is the fact you want to allow business users to create and delete roles on the fly. How are you even going to check that in code? Typically, you'd restrict execution of a method or service call to a specific role (or set of roles) - how is this going to work if you want to have roles that get created dynamically at runtime?

If you can live with pre-defined roles, there's a few solutions. Have you checked out the ASP.NET role provider? It's part of the more general ASP.NET membership and role provider set, but it can be used on its own, too.

To activate it, use this snippet in your config (once you've set up the basic infrastructure for the ASP.NET role provider stuff):

<behaviors>
 <serviceBehaviors>
  <behavior name="CalculatorServiceBehavior">
   <serviceAuthorization principalPermissionMode ="UseAspNetRoles"
                         roleProviderName ="SqlRoleProvider" />
  </behavior>
 </serviceBehaviors>
</behaviors>

The only other idea I have is looking at the Authorization Manager (AzMan): this is a set of tools to allow you to specify fairly granular "atomic" permissions that a business user can then compose into roles and assign users to those. But basically, in the end, at the bottom level of the granular program functions ("Tasks" in AzMan), you're dealing with a static set of rights, again.

Check out this MSDN article on AzMan as an introduction and see this article in the WCF security guidance on how to use it from a WCF service. I don't know the current status of AzMan and I don't know if it will be developed much further anymore - it almost seems a bit like it won't (but I'm not 100% sure on that).

Marc

这篇关于WCF授权 - 通过索赔获得运营的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！