基于用户组限制 WCF Web 服务功能 [英] Restrict WCF Web Service functionality based on User Group

问题描述

我有一个由 C# 客户端应用程序使用的 WCF Web 服务.我还在 Active Directory 中存储了 4 个组.客户端应用程序正在传递用户凭据以连接此网络服务.

I have a WCF Web Service which is consuming by C# client application. I’m also having 4 groups stored in Active Directory. Client application is passing user credentials to connect this web service.

Web 服务公开多个 API 或方法供客户端应用程序访问，如下所示:

Web service exposing multiple APIs or Methods to be accessed by Client application as follows:

    [OperationContract]
    bool Read();


    [OperationContract]
    bool Write();

Read() 方法应该可供所有客户端访问

Read() method should be accessible for all clients

Write() 方法只能由属于 Active Directory 维护的特定 Windows 用户组的用户访问.

Write() method should be accessible by only users those belongs to specifc windows user group maintained by Active Directory.

问题:我们如何根据客户端在 AD 中维护的用户组来过滤或限制客户端暴露的接口或方法?

Question: How can we filter or restrict an exposed interface or method by client based on its user group maintain in AD?

杰斯塔，感谢您的回复.我尝试了与 PrincipalPermission 相同的指令，如下所示:

jrista, Thanks for your reply. I tried the same directives as PrincipalPermission as follows:

[PrincipalPermission(SecurityAction.Demand, Role = "Readers")]
[OperationContract]
bool Read();

[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();

但它不起作用.Read组用户也可以调用Writer()方法，Writer组用户也可以调用Write()方法.

But it does not work. Read group user is also able to call the Writer() method and Writer group user is also able to call the Write() method.

我想告诉你的一件事是，我在我的 web.config 文件中使用 BasicHttpBind，如下所示:

One thing I want to tell you is that I'm using BasicHttpBind in my web.config file as follows:

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBind">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" proxyCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="DXDirectory.DXDirectoryService" behaviorConfiguration="DXDirectory.Service1Behavior">
        <!-- Service Endpoints -->
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="BasicHttpBind"
                  name="BasicBinding" contract="DXDirectory.IDXDirectoryService">
          <!-- 
              Upon deployment, the following identity element should be removed or replaced to reflect the 
              identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity 
              automatically.
          -->
          <identity>
            <dns value="localhost" />
          </identity>
        </endpoint>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="DXDirectory.Service1Behavior">
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>          
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

是否需要为该功能实现 wsHttpBinding?如果是，那么如何在我的 Web 服务中实现 wsHttpBinding?

Is it required to implement wsHttpBinding for this functionality? If yes, then how can I implement wsHttpBinding in my Web Service?

推荐答案

我不确定如何将 AD 凭据集成到普通的 .NET 安全框架中.但是，这是可能的(我会看看我是否能找到一些链接)，一旦找到，您应该能够使用标准安全属性来检查与您的 AD 组相对应的角色":

I am not sure off the top of my head how to integrate AD credentials into the normal .NET security framework. However, it is possible (I'll see if I can find some links), and once you do, you should be able to use the standard security attribute to check for a "role", which would correspond to your AD group:

[OperationContract]
bool Read();

[PrincipalPermission(SecurityAction.Demand, Role = "Writers")]
[OperationContract]
bool Write();

要使用 AD 组，请配置服务行为:

To utilize AD groups, configure a service behavior:

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <adServiceBehavior>
        <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
      </adServiceBehavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

有另一个想法.有时甚至希望接口上根本没有 Write() 方法.使用 WCF，您可以在单个服务类上实现多个服务协定接口.一个理想的解决方案可能是创建两个服务契约接口，一个使用 Read() 和 Write()，一个只使用 Read().根据登录到客户端的用户，您可以将 Read() 接口用于只有读取访问权限的用户，而 Read()/Write() 接口用于具有两者访问权限的用户.这还允许您将最安全的服务合同公开给不应具有写访问权限的客户端，同时在内部使用读/写合同进行管理.您永远不会公开可能以这种方式被利用的代码.

Had another thought. Sometimes the desire is to not even have the Write() method on the interface at all. With WCF, you can implement multiple service contract interfaces on a single service class. An ideal solution might be to create two service contract interfaces, one with Read() and Write(), one with just Read(). Depending on the user logged into the client, you could use the Read() interface for those who only have read access, and the Read()/Write() interface for those with access to both. This would also allow you to expose the safest service contract to clients that shouldn't have write access, while utilizing the read/write contract internally for administrative purposes. You never expose code that could be potentially exploited this way.

这篇关于基于用户组限制 WCF Web 服务功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！