Basic Authentication appears to have no security header

Question

I have written a very simple WCF service that returns the Windows username supplied. Here is the client side code:

public Form1()
{
    ServiceReference1.Service1Client s1 = new ServiceReference1.Service1Client();
    // Use the logged-on Windows account; the proxy sends these credentials
    // itself, which is why they show up in the request headers in Fiddler.
    s1.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
    string str = s1.ReturnWindowsUsername();
    InitializeComponent();
}

I can see the credentials in the HTTP header using Fiddler:

I have tried to do the same thing with Basic Authentication (accessing another web service that supports Basic Authentication). Here is the client side code:

public Form1()
{
    InitializeComponent();
    ServiceReference1.Service1Client s1 = new ServiceReference1.Service1Client();
    // Username/password credentials. The proxy only turns these into an
    // HTTP "Authorization: Basic ..." header if the client binding's
    // clientCredentialType is set to "Basic".
    s1.ClientCredentials.UserName.UserName = "testuser";
    s1.ClientCredentials.UserName.Password = "testpassword";
    string str = s1.GetData(1);
}

Here is the screenshot from Fiddler when using Basic Authentication:

Why is there nothing in the header when using Basic Authentication? The Basic Authentication service seems to work as expected. Here is the response (interestingly, there appear to be two requests and two responses):

Answer

Basic authentication works at the HTTP level. The general flow is that the client requests a resource, then the server issues a challenge, then the client issues a new request with an Authorization header included. If the username and password in the Authorization header are accepted by the server, the client will usually then add the header to subsequent requests without going through the request - challenge - re-request-with-authorization steps again.

If you have everything set up correctly, you should expect to see two requests in Fiddler.

  1. One request with no Authorization header included. The response from the server for this request will be a 401 with a WWW-Authenticate: Basic realm="your realm" header attached.
  2. Then you should see a second request where an Authorization header has been sent from the client.

Here is a sample from my environment:

If you don't see the 401 challenge from the server, then basic authentication is not correctly set up.

In order for the service proxy to supply the header, you need to configure your client binding to use <transport clientCredentialType="Basic"/>. Or that's what I did; who knows, with WCF and its myriad of configuration options.

EDIT: I used this on the service side:

<bindings>
  <basicHttpBinding>
    <binding name="httpTransportCredentialOnlyBinding">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic" />
      </security>
    </binding>
  </basicHttpBinding>
</bindings>

On the client:

<bindings>
  <basicHttpBinding>
    <binding name="BasicHttpBinding_IService1">
      <security mode="TransportCredentialOnly">
        <transport clientCredentialType="Basic"/>
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
<client>
  <endpoint address="http://localhost:53156/Service1.svc" binding="basicHttpBinding"
    bindingConfiguration="BasicHttpBinding_IService1" contract="WcfTest_CBT.IService1"
    name="BasicHttpBinding_IService1" />
</client>

I use basicHttpBinding, TransportCredentialOnly and Basic in order to test this easily without the SSL hassle, etc.
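The request - challenge - retry exchange the answer describes, played end to end as an added example that is not part of the original question or answer: a local Python HTTP server that issues the Basic challenge, and a client that behaves the way a proxy bound with clientCredentialType="Basic" does (anonymous first request, one retry carrying Authorization after the 401, pre-emptive header afterwards). The realm string, the user store, the /Service1.svc path and every class and function name are assumptions made for this demo, not WCF's own code.

```python
"""Added example: the HTTP Basic challenge/response flow the answer describes,
run against a local server so the round trips Fiddler would show can be
inspected. Not the page's WCF code; realm, users and paths are constructed."""
import base64
import hmac
import threading
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

REALM = "your realm"                    # assumed: matches the answer's sample header
USERS = {"testuser": "testpassword"}    # constructed credential store for the demo


def basic_header(user, password):
    """What goes on the wire: base64("user:password"). Encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(header):
    """Return the user name if the header carries valid credentials, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Server side: missing/invalid Authorization -> 401 + WWW-Authenticate; valid -> 200."""
    protocol_version = "HTTP/1.1"   # keep-alive: one TCP connection carries every round trip

    def log_message(self, *_):      # keep the demo quiet
        pass

    def do_GET(self):
        user = authenticate(self.headers.get("Authorization", ""))
        body = b"" if user is None else b"hello " + user.encode("utf-8")
        self.send_response(401 if user is None else 200)
        if user is None:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class BasicAuthClient:
    """Client side, mimicking a proxy bound with clientCredentialType="Basic": the first
    request is anonymous; a 401 with a Basic challenge triggers one retry carrying
    Authorization; from then on the header is sent pre-emptively."""

    def __init__(self, host, port, user, password):
        self.conn = http.client.HTTPConnection(host, port)
        self.auth = basic_header(user, password)
        self.preemptive = False
        self.trace = []    # (Authorization sent?, status) for every HTTP round trip

    def _round_trip(self, path, with_auth):
        headers = {"Authorization": self.auth} if with_auth else {}
        self.conn.request("GET", path, headers=headers)
        resp = self.conn.getresponse()
        body = resp.read()
        self.trace.append((with_auth, resp.status))
        return resp, body

    def get(self, path):
        resp, body = self._round_trip(path, self.preemptive)
        challenge = resp.getheader("WWW-Authenticate", "")
        if resp.status == 401 and not self.preemptive and challenge.lower().startswith("basic"):
            self.preemptive = True          # remember the challenge for later calls
            resp, body = self._round_trip(path, True)
        return resp.status, body.decode("utf-8")


def demo(user="testuser", password="testpassword"):
    """Make two service calls; return their results plus the per-round-trip trace."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = BasicAuthClient("127.0.0.1", server.server_port, user, password)
    try:
        first = client.get("/Service1.svc")     # assumed path, after the answer's endpoint
        second = client.get("/Service1.svc")
    finally:
        client.conn.close()
        server.shutdown()
        server.server_close()
    return first, second, client.trace


if __name__ == "__main__":
    for sent_auth, status in demo()[2]:
        print("Authorization sent" if sent_auth else "anonymous         ", "->", status)
```

Running it shows one line per round trip: the first service call costs two (anonymous request, 401 with WWW-Authenticate: Basic realm="your realm", retry with Authorization), which is the pair of requests the question noticed; the second call costs one, because the client now sends the header pre-emptively. With a wrong password the server simply re-challenges. The trace also makes the security point behind the question visible: Authorization: Basic dGVzdHVzZXI6dGVzdHBhc3N3b3Jk is only base64, so over the TransportCredentialOnly (plain HTTP) binding used for the test anyone who can see the traffic, not just Fiddler, recovers testuser:testpassword. For anything beyond a local test, keep clientCredentialType="Basic" but change the binding to security mode="Transport" so the exchange runs over HTTPS.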
