ServiceStack web services security


Question


Hi, I am new to working with ServiceStack and have downloaded their very comprehensive bootstrapapi example and am working with it, but am still having some issues. The issue is with security: what is happening is that I am getting 405 errors when trying to access the protected services. Using the authenticate service, it appears that I am authenticating correctly. Please help and explain. Here is the code:

public class Hello
{
    public string Name { get; set; }
}

public class AuthHello
{
    public string Name { get; set; }
}

public class RoleHello
{
    public string Name { get; set; }
}

public class HelloResponse
{
    public string Result { get; set; }
}

Services:

public class HelloService : ServiceBase<Hello> 
{
    //Gets called by all HTTP Verbs (GET,POST,PUT,DELETE,etc) and endpoints JSON,XML,JSV,etc
    protected override object Run(Hello request)
    {
        return new HelloResponse { Result = "Hello, Olle är en ÖL ål " + request.Name };
    }
}

[Authenticate()]
public class AuthHelloService : RestServiceBase<AuthHello>
{
    public object Execute(Hello request)
    {
        return new HelloResponse { Result = "Hello, " + request.Name };
    }
}

[RequiredRole("Test")]
public class RoleHelloService : RestServiceBase<RoleHello>
{
    public object Execute(Hello request)
    {
        return new HelloResponse { Result = "Hello, " + request.Name };
    }
}


Here is the AppHost:

public class HelloAppHost : AppHostBase
{
    //Tell Service Stack the name of your application and where to find your web services
    public HelloAppHost() : base("Hello Web Services", typeof(HelloService).Assembly) { }

    public override void Configure(Container container)
    {
        //Register all Authentication methods you want to enable for this web app.
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                new CustomCredentialsAuthProvider(), //HTML Form post of UserName/Password credentials
            }));
        container.Register<ICacheClient>(new MemoryCacheClient() { FlushOnDispose = false });

        //register user-defined REST-ful urls
        Routes
          .Add<Hello>("/hello")
          .Add<Hello>("/hello/{Name}")
          .Add<AuthHello>("/AuthHello")
          .Add<RoleHello>("/RoleHello");
    }
}

Update


Everything works as expected if you replace : RestServiceBase with : IService, so now the question is why.

Recommended answer


Check the wiki documentation first

I would first go through the documentation in ServiceStack's Authentication Wiki to get a better idea about how ServiceStack's Authentication works. There's a lot of documentation in the wiki, so if you're unsure of something you should refer to that first. It's a community wiki, so feel free to expand what's there if you think it can help others.


If you're unsure of what something does, you should refer to the RequiredRole source code as the master authority on how it works. RequiredRole is just a Request Filter Attribute which gets run before every service that has the attribute.


The RequiredRole attribute just calls your session.HasRole() method as seen here:

public bool HasAllRoles(IAuthSession session)
{
    return this.RequiredRoles
        .All(requiredRole => session != null
            && session.HasRole(requiredRole));
}


Because it just calls your session, you can override the implementation of session.HasRole() if you have a custom session.


The Social BootstrapApi project does implement its own CustomSession that it registers here, but it does not override the HasRole() implementation, so it uses the built-in implementation in the base AuthUserSession.HasRole(), which simply looks at the Roles collection to see if the user has the specified role in their Session POCO:

public virtual bool HasRole(string role)
{
    return this.Roles != null && this.Roles.Contains(role);
}


Session properties populated by AuthUserRepository

The Roles property (as well as most other properties on a user's Session) is populated by the AuthUserRepository that you have specified, e.g. if you're using the OrmLiteAuthRepository like SocialBootstrapApi does here, then the Roles attribute is persisted in the Roles column in the UserAuth RDBMS table. Depending on the AuthUserRepository you use, the UserAuth / UserOAuthProvider POCOs get stored as RDBMS tables in OrmLite or as text blobs in Redis, etc.


So for a user to have the required role (and for authorization to pass), it should have this Role added to its UserAuth db row entry. ServiceStack's AuthFeature includes 2 services for managing users' permissions and roles:


These services do require a user with the Admin Role to be already authenticated. You can do this by manually changing a specific user's UserAuth.Role column to include the value "Admin". The Social Bootstrap API project instead does this by handling the OnAuthenticated() event on its CustomUserSession, which simply checks to see if the authenticated username is declared in the Web.Config and, if it is, calls the AssignRoles service giving that authenticated user the Admin Role:

if (AppHost.Config.AdminUserNames.Contains(session.UserAuthName)
    && !session.HasRole(RoleNames.Admin))
{
    var assignRoles = authService.ResolveService<AssignRolesService>();
    assignRoles.Execute(new AssignRoles {
        UserName = session.UserAuthName,
        Roles = { RoleNames.Admin }
    });
}
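As an added example (not code from the original post, from ServiceStack or from the SocialBootstrapApi project), here is a ServiceStack v3-style custom session that keeps the HasRole() check null-safe and assigns the Admin role on login the way the answer describes, alongside a role-protected service written against RestServiceBase's per-verb OnGet hook rather than an Execute method. The AdminUserNames set is a constructed stand-in for a Web.Config setting, and the RoleHello/HelloResponse DTOs are the ones from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using ServiceStack.ServiceHost;
using ServiceStack.ServiceInterface;
using ServiceStack.ServiceInterface.Auth;

public class CustomUserSession : AuthUserSession
{
    // Constructed stand-in for the admin user names the SocialBootstrapApi reads from Web.Config.
    public static readonly HashSet<string> AdminUserNames =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "admin@example.com" };

    // RequiredRole calls HasRole() once per required role, so the override must fail closed:
    // a missing Roles list or an empty role name is "no role", never an exception or a pass.
    public override bool HasRole(string role)
    {
        if (string.IsNullOrEmpty(role) || this.Roles == null) return false;
        return this.Roles.Any(r => string.Equals(r, role, StringComparison.Ordinal));
    }

    // Runs after a successful login; grants Admin only to names on the allow-list and only once,
    // mirroring the OnAuthenticated() handling quoted in the answer.
    public override void OnAuthenticated(IServiceBase authService, IAuthSession session,
        IOAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        base.OnAuthenticated(authService, session, tokens, authInfo);

        if (AdminUserNames.Contains(session.UserAuthName) && !session.HasRole(RoleNames.Admin))
        {
            // Calling the service directly bypasses its own [RequiredRole(Admin)] request filter,
            // which is what lets a freshly authenticated, not-yet-admin user be bootstrapped.
            var assignRoles = authService.ResolveService<AssignRolesService>();
            assignRoles.Execute(new AssignRoles {
                UserName = session.UserAuthName,
                Roles = { RoleNames.Admin }
            });
        }
    }
}

// RestServiceBase dispatches by HTTP verb to OnGet/OnPost/OnPut/OnDelete; a method named
// Execute is never called through it. Both filters run before OnGet is reached.
[Authenticate]
[RequiredRole("Test")]
public class RoleHelloService : RestServiceBase<RoleHello>
{
    public override object OnGet(RoleHello request)
    {
        return new HelloResponse { Result = "Hello, " + request.Name };
    }
}
```

Register the session with Plugins.Add(new AuthFeature(() => new CustomUserSession(), ...)) in the AppHost so the auth providers create this type instead of the base AuthUserSession.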
