WCF用户名没有证书 [英] WCF username without certificate
问题描述
我正在开发一个需要以下项目的项目。
I'm working on a project where I need the following.
- 服务器端的WCF服务/ li>
- 客户端的WPF客户端(.NET 3.0)
我必须使用(在服务器端)的身份验证和授权。我还需要在WCF服务的线程主体(站点对象)中存储一些关于用户的元数据。我这样做,以便我可以得到它在WCF服务,如果我绝对必须;一些业务逻辑可能需要它。所以我的计划是做以下...
I have an existing application that I have to use the authentication and authorization from (on the server side). I also need to store some metadata about the user in the WCF Service's Thread Principal (a site object). I do this so that I can get at it in the WCF service if I absolutely have to; some business logic may require it. So my plan was to do the following...
为服务器创建一个自定义的ServiceAuthorizationManager,在那里我将登录用户并从现有的应用程序。我将缓存站点对象,并进一步reqest从缓存拉。我还需要一个CustomPrincipal对象来保存我的自定义数据。我想模拟用户,以便我可以使用内置角色过滤在WCF像这样:
Create a custom ServiceAuthorizationManager for the server and in there I will log in the user and get the roles from the existing application. I will cache the "Site" object, and upon further reqests pull from the cache. I'll also need a CustomPrincipal object to hold my custom data. I want to impersonate the user so that I can use the builtin roles filtering in WCF like this:
[PrincipalPermission(SecurityAction.Demand, Role = "Role1")]
public string[] RolesForUser(string username){}
我试图使用ASP.NET授权与自定义角色提供程序,但我不能在当前Principal上设置任何东西。我也试图使用自定义的IAuthorizationPolicy,但问题出现了。这些问题涉及到能够使用WCFClient.exe应用程序,当它发现(使用mex endpoing)它不会提供任何凭据,所以登录会失败。我最终决定一个ServiceAuthorizationManager是正确的方式,但我对其他建议开放。
I attempted to use the ASP.NET authorization with a custom roles provider, but I wasn't able to set anything on the Current Principal. I also attempted to use a custom IAuthorizationPolicy, but problems arose. These problems dealt with being able to use the WCFClient.exe application, when it was discovering (using the mex endpoing) it wouldn't give any credentials, so the login would fail. I eventually decided that a ServiceAuthorizationManager was the right way to go, but I'm open to other suggestions.
在客户端我将收集凭据,并把它们放入WCF代理类,如下所示。
On the client I will gather the credentials and put them into the WCF proxy class, as follows.
proxy.ChannelFactory.Credentials.UserName.UserName = userName;
proxy.ChannelFactory.Credentials.UserName.Password = password;
当我开始走这条路线时,我注意到我无法获取用户名/ password在我的经理类的CheckAccessCore方法。进一步的调查表明,我真的应该在自定义UserNamePasswordValidator中进行身份验证。所以我创建了其中之一。问题是验证方法从未被调用。
As I started to go down this route, I noticed that I wasn't able to get the username/password in the CheckAccessCore method of my manager class. Further investigation showed that I should really be authenticating in a custom UserNamePasswordValidator. So I created one of those. The problem is that the validate method never got called.
进一步的调查表明,为了验证方法被调用我的WCF服务必须有消息或传输级别安全。问题是,我不知道如何有一个消息或传输级安全没有 X.509 证书。这个产品将进入几百个令人难以置信的锁定机器,并且安装证书是不可能的。
Further investigation showed that in order for the validate method to be called my WCF service has to have either message or transport level security. The problem with that is that I can't figure out how to have a message or transport level security without an X.509 certificate. This product is going into several hundred incredibly locked down machines, and installing a certificate is not possible.
有没有办法,我问没有安装证书?
Is there a way to do what I'm asking without installing a certificate?
推荐答案
你不能。一旦您使用用户名/密码,您需要某种安全的渠道。
Short answer; you can't. As soon as you use username/password you need some sort of secure channel.
但是,您不需要客户端上的证书;只在服务器上。
However you don't need certificates on the clients; only on the server.
这篇关于WCF用户名没有证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
