使用HTTP的WCF自定义userName身份验证 [英] WCF custom userName authentication using HTTP

问题描述

我正在尝试将我的WCF服务配置为使用HTTP和我的ASP.NET开发服务器上的自定义用户名验证程序。以下是serviceModel的部分...

I am trying to configure my WCF service to use a custom username validator over HTTP and my ASP.NET Development server. Following are the parts of the serviceModel...

<basicHttpBinding>
    <binding name="Authentication" >
      <security mode="TransportCredentialOnly" >
        <message clientCredentialType="UserName"/>
      </security>
    </binding>
</basicHttpBinding>

  <service behaviorConfiguration="ApiBehavior" name="CriticalWatch.AuthenticationAPI.AuthenticationAPI">
    <endpoint address="/" binding="basicHttpBinding" bindingConfiguration="AuthenticationBinding" name="Authentication" contract="CriticalWatch.AuthenticationAPI.IAuthenticationAPI" />
  </service>

然后我有验证者的行为......

I then have a behavior for the validator...

  <serviceBehaviors>
    <behavior name="ApiBehavior">
      <serviceMetadata httpGetEnabled="true" />
      <serviceDebug includeExceptionDetailInFaults="true" />
      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="Service.CustomUserNameValidator, MyService" />
      </serviceCredentials>

    </behavior>
  </serviceBehaviors>

我的CustomUserNameValidator继承自UserNamePasswordValidator。验证器类被实例化，但从不调用Validate方法。此外，客户可以在不传递任何用户名和密码的情况下调用该方法。

My CustomUserNameValidator inherits from the UserNamePasswordValidator. The validator class gets instantiated, but the Validate method is never called. Plus, the client can call the method without passing any username and password.

我缺少什么？

目前，我想要一个不需要HTTPS的解决方案。我想依靠随消息传递的用户名和密码。

At this time, I want a solution that does not require HTTPS. I want to rely on the username and password passed with the message.

推荐答案

另外，请参阅我的博客文章，了解如何实现绑定，允许您通过HTTP传递用户名和密码而不使用SSL： http://blog.tonysneed.com/2012/06/18/building-scalable-and-secure-wcf-services/ 请记住，通过并不是一个好主意通过非安全传输清除凭据。我描述的技术假设您正在使用其他机制（例如IPSec）来保护传输，并且它对于支持SSL终止以实现更好可伸缩性的负载均衡器非常有用。

Also, see my blog post on how to implement a binding that will allow you to pass username and password over HTTP without SSL: http://blog.tonysneed.com/2012/06/18/building-scalable-and-secure-wcf-services/ Keep in mind, however, it's not a good idea to pass credentials in the clear over a non-secure transport. The technique I describe assumes you are using another mechanism, such as IPSec, to secure the transport, and it is useful for a load balancer that supports SSL termination for better scalability.

为了专门针对您的场景，我建议您咬紧牙关并使用SSL设置开发环境，以便您可以使用HTTPS绑定WCF和用户名密码验证器。这比实现自定义绑定元素容易得多，并不像您想象的那么困难。实际上，如果安装了IIS Express，您将获得一个自签名证书，您可以轻松地将其用作IIS上的证书或Windows服务。

To specifically address your scenario, I would recommend that you bite the bullet and set up your development environment with SSL so that you can use the HTTPS binding with WCF and your username-password validator. This is much easier than implementing a custom binding element and is not as difficult as you might think. In fact, if you have IIS Express installed, you get a self-signed certificate that you can easily use as a certificate on IIS, or with a Windows Service.

干杯，
Tony Sneed

Cheers, Tony Sneed

这篇关于使用HTTP的WCF自定义userName身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！