WCF Web Service Authentication based on AD groups


Question

I have a WCF Web Service which is being consumed by a C# client application, and I also have 4 groups stored in Active Directory. Client application should connect this web service by passing login credentials.

Requirements:

  1. Restrict web service functionality based on the Windows user credential groups stored in AD (Active Directory)
  2. Pass specific user credentials from the client application to this web service

Question:

How to authenticate or validate logged in user on connecting to this web service, which event handler function will be invoked to validate logged in user credentials.

If anybody knows about this then please do let me know

Accepted answer

You need to keep two concepts apart:

  • AUTHENTICATION is the process of determining who it is that's calling you, and making sure he really is who he claims to be; this can be done using username/password, Windows credentials (he had already authenticated himself to his Windows box through logging on), or by requiring the caller to have some information (certificate)

  • AUTHORIZATION is the process - once you know who is calling you, to determine what that caller can do (or what he cannot do)

In order to use Active Directory groups, you need to use a security mode in WCF that supports Windows credentials. The easiest is to use Windows credentials from the beginning, which is the default for wsHttpBinding and netTcpBinding - in this case, the caller will always pass along his Windows credentials with every call, and you can inspect those on the server side by looking at the ServiceSecurityContext.Current.WindowsIdentity:

    WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;

This works well in an Intranet scenario - everyone is behind a corporate firewall and authenticated on their machines anyway. In order to enable this, just use wsHttp or netTcp binding (I'd recommend netTcp in this case).

The other slightly more complicated case is when you have your client present a X.509 certificate, and you then map that on the server side to an existing AD user in your network. That's rather advanced, however.

Once your caller is authenticated, e.g. you know who is calling, you can use the regular role-based security model to limit privileges. Just add [PrincipalPermission(....)] attributes to your methods that you want to protect, and if the user doesn't match any of those requirements, a security exception will be thrown and the method will not be executed.

    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    [PrincipalPermission(SecurityAction.Demand, Name = "JohnDoe")]
    public string SayHello(string caller)
    {
     ......
    }

You can have multiple of those "PrincipalPermission" attributes, and they're matched together in an "OR"-fashion - if any one of them matches the current caller, he'll be allowed to make the call.

Check out page 4 of this article Fundamentals of WCF Security for more details on how to use role-based security.

Marc
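The approach from the answer above, as an added example that is not part of the original answer: a WCF service running under a Windows-credential binding (the default for wsHttpBinding / netTcpBinding) that reads the caller's identity from ServiceSecurityContext and restricts operations to AD groups, both declaratively via [PrincipalPermission] and imperatively via WindowsPrincipal.IsInRole. The CONTOSO domain and group names, and the IPayrollService contract, are placeholders chosen for the example.

```csharp
// Added example (not from the original answer). Assumes the service is hosted with
// a binding that uses Windows credentials, so ServiceSecurityContext.Current.WindowsIdentity
// is populated. Domain and group names are placeholders.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IPayrollService
{
    [OperationContract] string WhoAmI();
    [OperationContract] string GetReport(int id);
    [OperationContract] void ApproveReport(int id);
}

public class PayrollService : IPayrollService
{
    // Any authenticated Windows caller may ask who the service sees them as.
    // Handy when troubleshooting: it shows the identity the server actually received.
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        return (caller != null && caller.IsAuthenticated) ? caller.Name : "anonymous";
    }

    // Declarative check: the demand is evaluated before the method body runs.
    // With WCF's default principalPermissionMode (UseWindowsGroups) the Role is
    // matched against the caller's AD group membership, so use the DOMAIN\Group form.
    // Several attributes are OR-ed: a member of either group may call this.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\PayrollReaders")]   // placeholder group
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\PayrollApprovers")] // placeholder group
    public string GetReport(int id)
    {
        return "report " + id;
    }

    // Imperative check: same outcome, but lets you log the denial with the caller's
    // name before rejecting, which is what you want for an audit trail.
    public void ApproveReport(int id)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new SecurityException("Windows credentials are required for this operation.");

        var principal = new WindowsPrincipal(caller);
        if (!principal.IsInRole(@"CONTOSO\PayrollApprovers"))   // placeholder group
        {
            Console.Error.WriteLine("Denied ApproveReport({0}) for {1}", id, caller.Name);
            throw new SecurityException("Caller is not a member of PayrollApprovers.");
        }
        // ... approval logic goes here ...
    }
}
```

A failed [PrincipalPermission] demand surfaces to the client as a SecurityAccessDeniedException fault; the imperative variant lets the server record which identity was refused before that happens.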
