Different Service behaviors per endpoint


Question

Situation

We are implementing different sorts of security on some WCF services: ClientCertificate, UserName & Password, and Anonymous.

We have 2 ServiceBehaviorConfigurations, one for httpBinding and one for wsHttpBinding. (We have custom authorization policies for claim-based security.) As a requirement we need different endpoints for each service: 3 endpoints with httpBinding and 1 with wsHttpBinding.

Example for one service:

  • basicHttpBinding : Anonymous
  • basicHttpBinding : UserNameAndPassword
  • basicHttpBinding : BasicSsl
  • wsHttpBinding : BasicSsl

Note: we are using .NET 3.5

Problem

Part 1: We cannot specify the same service twice, once with the http service configuration and once with the wsHttp service configuration.

Part 2: We cannot specify service behaviors on an endpoint. (Throws an exception: "No endpoint behavior was found..." Service behaviors can't be set as endpoint behaviors.)

Configuration

For Part 1:

<services>
  <service name="Namespace.MyService" behaviorConfiguration="securityBehavior">
    <endpoint address="http://server:94/MyService.svc/Anonymous" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="Anonymous">
    </endpoint>
    <endpoint address="http://server:94/MyService.svc/UserNameAndPassword" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="UserNameAndPassword">
    </endpoint>
    <endpoint address="https://server/MyService.svc/BasicSsl" contract="Namespace.IMyService" binding="basicHttpBinding" bindingConfiguration="BasicSecured">
    </endpoint>
  </service>
  <service name="Namespace.MyService" behaviorConfiguration="wsHttpCertificateBehavior">
    <endpoint address="https://server/MyService.svc/ClientCert" contract="Namespace.IMyService" binding="wsHttpBinding" bindingConfiguration="ClientCert"/>
  </service>
</services>

Service behavior configuration:

<serviceBehaviors>
<behavior name="securityBehavior">
  <serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
    <authorizationPolicies>
      <add policyType="Namespace.AdamAuthorizationManager,Assembly" />
    </authorizationPolicies>
  </serviceAuthorization>
</behavior>
<behavior name="wsHttpCertificateBehavior">
  <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
  <serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
    <authorizationPolicies>
      <add policyType="Namespace.AdamAuthorizationManager,Assembly" />
    </authorizationPolicies>
  </serviceAuthorization>
  <serviceCredentials>
    <clientCertificate>
      <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
    </clientCertificate>
    <serviceCertificate findValue="CN=CertSubject"/>
  </serviceCredentials>
</behavior>

How can we specify a different service behaviour on the wsHttpBinding endpoint? Or how can we apply our authorization policy differently for wsHttpBinding than for basicHttpBinding? We would use an endpoint behavior, but we can't specify our authorization policy on an endpoint behavior.

Recommended answer

Authorization is a service-level responsibility. You can't vary it by endpoint.

At a high level you should:

  1. Define the endpoint bindings to use the different security configurations that you need (which you did)
  2. Create a custom ClaimsAuthenticationManager to assign claims based on the different identities that the different bindings will present.

Conceptually the ClaimsAuthenticationManager acts as an "in service STS", adding claims based on the varying credentials. From there you do claims-based authorization in your service.

I'm not aware of any configurable authorization managers that will do what you want, so you'll have to write your own (if you prove me wrong, please post what you find).

Implementing the ClaimsAuthenticationManager requires Windows Identity Framework. Below is a summary of a .NET 4.0 implementation that I used (this might be easier in 4.5). I apologize that the code doesn't compile and isn't complete, but I don't have time to scrub everything for a public post. This should point you in the right direction though.

Inherit from Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager and implement Authenticate(). It should look something like this:

using System;
using System.Linq;
using System.Security.Principal;
using Microsoft.IdentityModel.Claims;

namespace MyWCF.ClaimsInjection
{
    public class ClaimsAuthenticationManager : Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null)
            {
                throw new ArgumentNullException("incomingPrincipal", "ClaimInjectionClaimsAuthenticationManager requires a principal.");
            }

            // The base implementation hands the incoming principal back unchanged; claims are added to it below.
            IClaimsPrincipal resultPrincipal = base.Authenticate(resourceName, incomingPrincipal);
            foreach (IIdentity identity in resultPrincipal.Identities)
            {
                if (identity is ClaimsIdentity)
                {
                    // Add claims based on client cert here…
                    // Only the certificate-authenticated endpoint produces a thumbprint claim, so use
                    // FirstOrDefault: First() would throw for identities from the other endpoints.
                    ClaimsIdentity claimsIdentity = (ClaimsIdentity)identity;
                    Claim identityClaim = claimsIdentity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Thumbprint);
                    if (identityClaim != null)
                    {
                        claimsIdentity.Claims.Add(new Claim("MyType", "Myvalue"));
                    }
                }
                else if (identity is WindowsClaimsIdentity)
                {
                    // Add claims based on window group or account here…
                }

                // continue checking different identity types...
            }
            return resultPrincipal;
        }
    }
}

Now just install the custom manager (only including the interesting parts):

<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="serviceBehavior">
          <federatedServiceHostConfiguration />
        </behavior>
      </serviceBehaviors>
    </behaviors>

    <extensions>
      <behaviorExtensions>
        <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
    </extensions>
  </system.serviceModel>

  <microsoft.identityModel>
    <service>
      <!-- Type name must match the class above: namespace MyWCF.ClaimsInjection, assembly MyWCF -->
      <claimsAuthenticationManager type="MyWCF.ClaimsInjection.ClaimsAuthenticationManager, MyWCF"/>
    </service>
  </microsoft.identityModel>
</configuration>
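The answer's two steps carried through end to end, as an added example that is not part of the original answer or of WIF: a ClaimsAuthenticationManager that tags each identity with how it was authenticated (certificate, password, Windows account or anonymous), and a ClaimsAuthorizationManager that enforces a per-operation minimum, so that a single service-level authorization policy still yields different outcomes for the four endpoints. It targets the same Microsoft.IdentityModel (WIF 3.5 on .NET 4.0) API as the answer. The claim type URI, the class and namespace names, and the SOAP actions in the rule table are assumptions; so is the detail that WIF's WCF integration exposes the SOAP action in `AuthorizationContext.Action` as a `ClaimTypes.Name` claim, which you should verify against your WIF version.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Claims;

namespace MyWCF.StrengthAuthorization
{
    // Claim type and values chosen for this example (hypothetical); use a URI you control.
    public static class AuthnStrength
    {
        public const string ClaimType = "urn:example:mywcf:authnstrength";
        public const string Anonymous = "anonymous";
        public const string Password = "password";
        public const string Windows = "windows";      // IIS Basic/Windows auth: also password-derived
        public const string Certificate = "certificate";

        // Ordering used for "at least this strong" comparisons.
        public static readonly IDictionary<string, int> Rank = new Dictionary<string, int>
        {
            { Anonymous, 0 }, { Password, 1 }, { Windows, 1 }, { Certificate, 2 }
        };
    }

    // Step 2 of the answer: tag every identity with how it was authenticated.
    public class StrengthTaggingAuthenticationManager : Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager
    {
        public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
        {
            if (incomingPrincipal == null)
                throw new ArgumentNullException("incomingPrincipal");

            IClaimsPrincipal result = base.Authenticate(resourceName, incomingPrincipal);
            foreach (IClaimsIdentity identity in result.Identities)
            {
                // Drop any strength claim that did not originate here, so neither a caller nor an
                // upstream token can pre-assert its own strength.
                foreach (Claim stale in identity.Claims.Where(c => c.ClaimType == AuthnStrength.ClaimType).ToList())
                    identity.Claims.Remove(stale);

                identity.Claims.Add(new Claim(AuthnStrength.ClaimType, Classify(identity)));
            }
            return result;
        }

        // Decide strength only from evidence WCF itself produced while authenticating the call.
        // Which identity type the UserNameAndPassword endpoint yields depends on its binding:
        // IIS Basic auth gives a WindowsClaimsIdentity, a message-level UserName token with a
        // custom validator gives a ClaimsIdentity carrying a Name claim.
        public static string Classify(IClaimsIdentity identity)
        {
            if (identity is WindowsClaimsIdentity)
                return AuthnStrength.Windows;
            if (identity.Claims.Any(c => c.ClaimType == ClaimTypes.Thumbprint))
                return AuthnStrength.Certificate;           // wsHttpBinding / ClientCert endpoint
            if (identity.IsAuthenticated && identity.Claims.Any(c => c.ClaimType == ClaimTypes.Name))
                return AuthnStrength.Password;              // UserNameAndPassword endpoint
            return AuthnStrength.Anonymous;                 // Anonymous endpoint
        }
    }

    // "From there you do claims based authorization": one rule table for the whole service.
    public class StrengthAuthorizationManager : Microsoft.IdentityModel.Claims.ClaimsAuthorizationManager
    {
        // SOAP action -> minimum strength. The actions are hypothetical; use your contract's.
        private static readonly IDictionary<string, string> MinimumStrength = new Dictionary<string, string>
        {
            { "http://tempuri.org/IMyService/GetPublicCatalog",  AuthnStrength.Anonymous },
            { "http://tempuri.org/IMyService/GetAccountDetails", AuthnStrength.Password },
            { "http://tempuri.org/IMyService/TransferFunds",     AuthnStrength.Certificate },
        };

        public override bool CheckAccess(AuthorizationContext context)
        {
            // Assumption: WIF's WCF integration puts the SOAP action into context.Action as a
            // ClaimTypes.Name claim. Verify this against the WIF version you deploy.
            Claim action = context.Action.FirstOrDefault(c => c.ClaimType == ClaimTypes.Name);
            if (action == null)
                return false;
            return IsAllowed(action.Value, context.Principal);
        }

        public static bool IsAllowed(string soapAction, IClaimsPrincipal principal)
        {
            string required;
            if (!MinimumStrength.TryGetValue(soapAction, out required))
                return false;                               // unknown operation: deny by default

            // A principal is as strong as its strongest tagged identity; untagged means -1 (deny).
            int have = principal.Identities
                .SelectMany(i => i.Claims)
                .Where(c => c.ClaimType == AuthnStrength.ClaimType && AuthnStrength.Rank.ContainsKey(c.Value))
                .Select(c => AuthnStrength.Rank[c.Value])
                .DefaultIfEmpty(-1)
                .Max();

            return have >= AuthnStrength.Rank[required];
        }
    }
}
```

Both managers are registered in the same `<microsoft.identityModel><service>` element as the answer's config, with `<claimsAuthenticationManager type="MyWCF.StrengthAuthorization.StrengthTaggingAuthenticationManager, MyWCF"/>` and `<claimsAuthorizationManager type="MyWCF.StrengthAuthorization.StrengthAuthorizationManager, MyWCF"/>` (assembly name assumed). The tags are only as meaningful as what the bindings enforce: if the UserNameAndPassword endpoint at `http://server:94/...` uses TransportCredentialOnly with Basic, the password crosses the wire in cleartext, and with `revocationMode="NoCheck"` on the client certificate authentication a revoked certificate still earns the `certificate` tag.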
