Impersonation with IIS7, WCF Rest, custom authentication module


Question


So I am working on setting up a WCF service, hosted in iis7. The service is a REST service.


Up till now our requirements for authentication were that only domain accounts were going to connect to the service. We are using basic authentication and using impersonation for making calls through our business layer to our DB.

Everything was working fine.

Now we have the need to allow non-domain accounts to use our service. Due to some things with IIS I implemented this (http://custombasicauth.codeplex.com/) and a custom membership provider that will (depending on the username passed in) either attempt to auth against Active Directory, or against an asp.net membership provider. This part is working correctly.

The issue that I have now is that impersonation is not working (which is understandable). Now, this is where I am lost and need help with direction or clearing of all the fog. What I want to do (and I don't know if this is possible) is this:

IF a user is a domain user THEN impersonate their account. IF NOT a domain user THEN impersonate the "generic user domain account". As a bonus I would like this to happen "behind the scenes" so that each method we have doesn't need special logic added to handle this.


I have read a bunch of stuff about identities, policy providers, role providers...and now I am thoroughly confused.

Does anyone have any insight on this?

Answer

So after a lot of looking online for more information on how impersonation works with IIS, I couldn't find much helpful info. So I began to look more into "hacking" it in.


I was using this (http://custombasicauth.codeplex.com/) to allow us to have custom basic authentication with WCF.

How this module flows: LeastPrivilege.CustomBasicAuthentication.CustomBasicAuthenticationModule.OnEnter() is called when a connection is established. This in turn calls LeastPrivilege.CustomBasicAuthentication.CustomBasicAuthenticationModule.AuthenticateUser(), which eventually calls LeastPrivilege.CustomBasicAuthentication.CustomBasicAuthenticationModule.SetPrincipal(string username).

I changed SetPrincipal to also accept a password: private static void SetPrincipal(string username, string password)

In here I do a simple if on the username (checking for our domain prefix) to determine whether the user is a domain account or not. If it is a domain account I use their username/password to create a WindowsIdentity (I used http://www.codeproject.com/KB/dotnet/UserImpersonationInNET.aspx with a little refactoring to get just the WindowsIdentity). If the user isn't a domain account I use a known hardcoded domain account for them. I then take this WindowsIdentity, create a WindowsPrincipal from it, and set that as HttpContext.Current.User.

So this works for us. Impersonation is working. As a side effect of this we don't need to decorate our WCF methods with the [OperationBehavior(Impersonation = ImpersonationOption.Required)] attribute. I don't know if this is the "correct" way of doing it, but I think it is pretty close. I think IIS detects that there is a WindowsPrincipal in the current User and automatically impersonates that account.
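The modified SetPrincipal(username, password) that the answer describes, written out as an added C# example. This is not the answer author's code nor part of the custombasicauth module; the domain prefix CORP, the fallback account name svc-rest-generic, the appSettings key that holds its password, and the choice of an interactive LogonUser logon type are all assumptions made for the example:

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Added example: domain users get a Windows token built from their own credentials,
// everyone else gets the token of one generic domain account.
static class ImpersonatingPrincipal
{
    const string Domain = "CORP";                    // assumed domain prefix, e.g. CORP\alice
    const string FallbackUser = "svc-rest-generic";  // assumed generic domain account

    // Win32 logon types for advapi32!LogonUser. INTERACTIVE (2) yields a primary token that can
    // reach network resources such as SQL Server; NETWORK (3) would not, and also needs the
    // account to hold the "Allow log on locally" right on the web server.
    const int LOGON32_LOGON_INTERACTIVE = 2;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
                                 int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // Replacement for the module's SetPrincipal(string username); called from AuthenticateUser()
    // only after the membership provider has already accepted username/password.
    public static void SetPrincipal(string username, string password)
    {
        string logonUser, logonPassword;
        if (IsDomainAccount(username, out logonUser))
        {
            logonPassword = password;        // domain user: impersonate their own account
        }
        else
        {
            logonUser = FallbackUser;        // non-domain user: impersonate the generic account
            logonPassword = FallbackPassword();
        }

        WindowsIdentity identity = CreateWindowsIdentity(Domain, logonUser, logonPassword);
        var principal = new WindowsPrincipal(identity);
        HttpContext.Current.User = principal;
        // Keep the thread principal in step so [PrincipalPermission]/IsInRole checks agree
        Thread.CurrentPrincipal = principal;
    }

    // "CORP\alice" -> true, samAccountName = "alice"; "bob@example.com" -> false
    static bool IsDomainAccount(string username, out string samAccountName)
    {
        string prefix = Domain + "\\";
        if (username.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)
            && username.Length > prefix.Length)
        {
            samAccountName = username.Substring(prefix.Length);
            return true;
        }
        samAccountName = null;
        return false;
    }

    static WindowsIdentity CreateWindowsIdentity(string domain, string user, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_INTERACTIVE,
                       LOGON32_PROVIDER_DEFAULT, out token))
        {
            // Surface as an auth failure; the module should turn this into a 401, not a 500
            throw new UnauthorizedAccessException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        }
        try
        {
            // WindowsIdentity duplicates the token, so the raw handle can be closed afterwards
            return new WindowsIdentity(token);
        }
        finally
        {
            CloseHandle(token);
        }
    }

    // Assumed: the generic account's password is read from protected configuration
    // (e.g. an encrypted appSettings section), never hardcoded in source.
    static string FallbackPassword()
    {
        return System.Configuration.ConfigurationManager.AppSettings["GenericAccountPassword"];
    }
}
```

Two checks worth doing before relying on this. First, setting HttpContext.Current.User changes which principal authorization sees, but it does not by itself change the Windows token the thread runs under; log WindowsIdentity.GetCurrent().Name from inside an operation, and if it still reports the application pool identity, wrap the business-layer call in using (identity.Impersonate()) { ... } so the database connection really carries the caller's token. Second, because the generic account's password is sent to LogonUser on every non-domain request, that account should be granted only the database rights the service needs, and its credentials must sit in protected configuration rather than in code.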
