IAuthorizationPolicy + No AspNetCompatibility + IIS Authentication


Problem description

Hello,

I am having trouble with a part of my code and I really don't understand what is happening.


To simplify, I made some WCF behaviors and extensions that our developers and administrators would be able to use for some functionalities such as role-based authorization access, error handling and more.

  • Our WCF services are hosted on IIS 7.5.
  • The existing services were developed with .NET Framework 3.5.
  • The behaviors and extensions were developed with .NET Framework 4.0.

I ran all my tests on my development machine, which runs Windows 7.

One extension is an IAuthorizationPolicy that sets some global variables based on the Windows identity coming from IIS.

Here is the main method's code:

// called after the authentication stage
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
    if (state == null || !(bool)state)
    {
        // If using the IIS VPCred2 Authentication module, we should use the HttpContext.
        HttpContext context = HttpContext.Current;
        if (context != null)
        {
            HttpContext.Current.User = (GenericPrincipal)context.Items["VPPrincipal"];
            evaluationContext.Properties["Principal"] = context.User;
            evaluationContext.Properties["Identities"] = new List<IIdentity>() { context.User.Identity };
            System.Threading.Thread.CurrentPrincipal = context.User;
        }
        else // If not, we use the WCF context.
        {
            // get the authenticated client identity from the evaluation context
            IIdentity client = GetClientIdentity(evaluationContext);

            // set the principal
            GenericPrincipal principal = new GenericPrincipal(client, null);
            evaluationContext.Properties["Principal"] = principal;
            evaluationContext.Properties["Identities"] = new List<IIdentity>() { client };
            System.Threading.Thread.CurrentPrincipal = principal;
        }
        
        state = true;
    }

    return true;
}

I have to set the aspNetCompatibilityEnabled property to true in my config file:

<system.serviceModel>
	<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
</system.serviceModel>

Everything works fine on my machine. But on the server, I get this error:

The service cannot be
activated because it does not support ASP.NET compatibility. ASP.NET
compatibility is enabled for this application. Turn off ASP.NET compatibility
mode in the web.config or add the AspNetCompatibilityRequirements attribute to
the service type with RequirementsMode setting as 'Allowed' or 'Required'.

So I read a lot of documentation and threads, and I understood that services should have this damned attribute:

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]

The problem is that we already have a lot of services and I cannot ask teams to update all their code to set this attribute.

Two questions:

  • Why does it work fine on my development machine?
  • How can I get/pass the authenticated principal between WCF and IIS?

Thanks!

Recommended answer

OK,

I just figured out that I didn't mention that I'm using a custom HTTP module in IIS that validates credentials.

We have our own database of user accounts and roles. So our services can be accessed with:

  • A login/password that is checked against this database, which provides the user's roles. In this case, the HTTP module gets the identity elements from Basic authentication.
  • A Windows account. In this case, after IIS has authenticated the user, we only validate the user name against our database. We also get the user's roles here.
  • Anonymous

The main idea is that IIS is responsible for validating the user and getting the user's roles. WCF is responsible for checking whether the authenticated user has the right to access the called method (Principal.IsInRole).

So I'm already using OperationContext.Current.ServiceSecurityContext, but I use the PrimaryIdentity property. The Windows Identity is always Anonymous.

Maybe I missed something in my IIS HttpModule?

Thanks.
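A defensive variant of the Evaluate method from the question, added here as an example and not part of the original posts: it rejects the call when the HTTP module left no principal under "VPPrincipal" (the key used in the question) instead of casting a possibly missing item. The class name and the body of GetClientIdentity are assumptions, since the question does not show them.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security;
using System.Security.Principal;
using System.Web;

// Added example; the class name is hypothetical.
public class HttpModulePrincipalPolicy : IAuthorizationPolicy
{
    private readonly string id = Guid.NewGuid().ToString();
    public string Id { get { return id; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        IPrincipal principal;
        HttpContext context = HttpContext.Current; // null when ASP.NET compatibility is off
        if (context != null)
        {
            // "as" instead of a cast: a missing or unexpected item yields null, not an exception.
            principal = context.Items["VPPrincipal"] as GenericPrincipal;
            if (principal == null)
                throw new SecurityException("HTTP module supplied no principal.");
            context.User = principal;
        }
        else
        {
            // WCF-only path: no roles are known here, so IsInRole returns false.
            principal = new GenericPrincipal(GetClientIdentity(evaluationContext), new string[0]);
        }
        evaluationContext.Properties["Principal"] = principal;
        evaluationContext.Properties["Identities"] = new List<IIdentity> { principal.Identity };
        System.Threading.Thread.CurrentPrincipal = principal;
        return true; // this policy does not need to be evaluated again
    }

    // Assumed body (not shown in the question): the first identity WCF authenticated.
    private static IIdentity GetClientIdentity(EvaluationContext evaluationContext)
    {
        object obj;
        if (evaluationContext.Properties.TryGetValue("Identities", out obj))
        {
            IList<IIdentity> identities = obj as IList<IIdentity>;
            if (identities != null && identities.Count > 0) return identities[0];
        }
        throw new SecurityException("No authenticated identity in the evaluation context.");
    }
}
```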

