WCF - SSO authentication token and POX interfaces


Question

Here is what I'm trying to do.

We have an SSO authentication service that other externally facing web pages and services use to authenticate users. A user tries to reach a service; if no cookie is found containing an authentication token, they are redirected to the SingleSignOn authentication service. The auth service does its work, and redirects the user (HTTP 302) to the original URL with their encrypted authentication token in the URL. Great.

How can I invoke this from a WCF POX service? No SOAP here, just HTTP GET/POST with XML responses.

What I'm currently doing is, in each service method implementation method, checking the headers for the cookie. If the cookie exists, verify the auth token and process the request. If the cookie doesn't exist or the auth token has expired, then respond with:

  WebOperationContext.Current.OutgoingResponse.StatusCode = System.Net.HttpStatusCode.Redirect;
  WebOperationContext.Current.OutgoingResponse.Location = string.Format( authServiceURL, returnURL );

That works, but isn't integrated with any of the WCF features, and requires me to manually code for a whole bunch of scenarios. Is there a way I could implement this using these classes:

                <serviceCredentials>
                    <issuedTokenAuthentication>
                    </issuedTokenAuthentication>
                </serviceCredentials>

or use some other means that checks each request to the service?

I've been reading pages like: How to: Create a Custom Token, but I don't see how it applies to my needs.

Any suggestions would be appreciated. I'm looking into this because I have some time before my project kicks off, and I'd like to implement this project correctly and learn about WCF as much as I can.

Answer

I hate to answer my own question, but I'll post what I ended up doing for this.

We have an authentication service that we can redirect (Http 301) clients to, that will redirect them back to our service after appending an authentication token in the url. Using that, here are the steps my service takes.

I added a System.ServiceModel.ServiceAuthorizationManager implementation, and overrode the CheckAccessCore method to check for the authentication token in either a cookie/header or the url. If found, I'd verify that the token is valid. That method simply returns true or false, indicating if the request passed authentication or not. If the message passed, I created an IExtension object to contain some data and added it to the OperationContext extensions.

I also added an implementation of an IDispatchMessageInspector. This has AfterReceiveRequest and BeforeSendReply methods. I used the BeforeSendReply method to hijack the response. If the message didn't pass authentication (didn't have my IExtension object in the OperationContext extensions), I set the WebOperationContext.Current.OutgoingResponse.StatusCode to redirect and the Location to the url of the authentication service.

If it did pass authentication, I made sure the auth token was in the response message cookie/header in the BeforeSendReply method.

This article helped me figure out how to hook things up. Is this the best way? No idea. But this works for my WCF/REST service. It blocks all unauthenticated messages from even getting to my ServiceContract implementation, redirecting all requests to the authentication service.
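The following is an added illustration of the ServiceAuthorizationManager plus IDispatchMessageInspector arrangement the answer describes; it is not the answerer's code. Everything the answer leaves unspecified is an assumption here: the cookie and query-string parameter are both called `authToken`, the token check is injected as a `Func<string, bool>` (the page never says how its encrypted token is validated), and the auth service address is a format string whose `{0}` receives the return URL, mirroring the `string.Format(authServiceURL, returnURL)` in the question.

```csharp
// Added example (not from the original post). Assumed names: "authToken" cookie/query parameter,
// an injected token validator, and an auth-service URL format string with {0} = return URL.
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Marker stored in OperationContext.Extensions when a request carried a valid token.
public sealed class AuthenticatedUser : IExtension<OperationContext>
{
    public string Token { get; }
    public AuthenticatedUser(string token) { Token = token; }
    public void Attach(OperationContext owner) { }
    public void Detach(OperationContext owner) { }
}

public sealed class SsoAuthorizationManager : ServiceAuthorizationManager
{
    private const string TokenName = "authToken";       // assumed cookie / query parameter name
    private readonly Func<string, bool> _isValidToken;  // assumed: decrypts the token and checks expiry

    public SsoAuthorizationManager(Func<string, bool> isValidToken) { _isValidToken = isValidToken; }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        Message request = operationContext.RequestContext.RequestMessage;
        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;

        // Look in the Cookie header first, then in the query string of the redirected-back URL.
        string token = ReadCookie(http == null ? null : http.Headers[HttpRequestHeader.Cookie], TokenName)
                       ?? ReadQuery(request.Properties.Via, TokenName);

        if (string.IsNullOrEmpty(token) || !_isValidToken(token))
            return false;   // no marker is added, so the inspector below will redirect

        operationContext.Extensions.Add(new AuthenticatedUser(token));
        return true;
    }

    // Minimal parser for a "name=value; name2=value2" Cookie header.
    internal static string ReadCookie(string cookieHeader, string name)
    {
        if (string.IsNullOrEmpty(cookieHeader)) return null;
        foreach (string part in cookieHeader.Split(';'))
        {
            string[] kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length == 2 && kv[0] == name) return kv[1];
        }
        return null;
    }

    // Minimal query-string lookup; avoids a System.Web dependency.
    internal static string ReadQuery(Uri uri, string name)
    {
        if (uri == null || string.IsNullOrEmpty(uri.Query)) return null;
        foreach (string part in uri.Query.TrimStart('?').Split('&'))
        {
            string[] kv = part.Split(new[] { '=' }, 2);
            if (kv.Length == 2 && Uri.UnescapeDataString(kv[0]) == name)
                return Uri.UnescapeDataString(kv[1]);
        }
        return null;
    }
}

public sealed class SsoRedirectInspector : IDispatchMessageInspector
{
    // Placeholder format, e.g. "https://sso.example.invalid/login?returnUrl={0}"; not a real address.
    private readonly string _authServiceUrlFormat;
    public SsoRedirectInspector(string authServiceUrlFormat) { _authServiceUrlFormat = authServiceUrlFormat; }

    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext instanceContext)
    {
        // Keep the original request URL so the redirect can bring the client back to it.
        return request.Properties.Via;
    }

    public void BeforeSendReply(ref Message reply, object correlationState)
    {
        OutgoingWebResponseContext response = WebOperationContext.Current.OutgoingResponse;
        AuthenticatedUser user = OperationContext.Current.Extensions.Find<AuthenticatedUser>();

        if (user == null)
        {
            // Request was rejected by CheckAccessCore: turn whatever reply WCF built into a redirect.
            var returnUrl = correlationState as Uri;
            response.StatusCode = HttpStatusCode.Redirect;
            response.Location = string.Format(_authServiceUrlFormat,
                Uri.EscapeDataString(returnUrl == null ? string.Empty : returnUrl.ToString()));
            return;
        }

        // Authenticated: set the token as a cookie so later requests need not carry it in the URL.
        response.Headers.Add(HttpResponseHeader.SetCookie,
            "authToken=" + user.Token + "; Path=/; HttpOnly; Secure");
    }
}
```

Wiring is the part the answer points at its linked article for: assign `SsoAuthorizationManager` to `ServiceHost.Authorization.ServiceAuthorizationManager`, and add `SsoRedirectInspector` to `endpointDispatcher.DispatchRuntime.MessageInspectors` from an `IEndpointBehavior.ApplyDispatchBehavior`. Because the authorization manager runs before any operation is invoked, an unauthenticated request never reaches the ServiceContract implementation, which is the property the answer relies on; the `HttpOnly` and `Secure` cookie flags are added here so the token is not readable by page script and is only sent over TLS.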
