Securing WCF service using basicHttpBinding which supports streaming


Question

My question is in regards to the best (aka "least painful") way to secure access to a WCF service that is only exposed to our company's internal users. The goal is to ensure that the service is only accessed via a single Windows Forms application that each of our users has installed. When the service is called, I want the service to be able to validate that it was called from the permitted application.

The service to be secured uses basicHttpBinding, which supports streaming, so I believe I am limited to Transport level security.

Below are simplified versions of the <bindings> and <services> sections from my service's config file.

<bindings>
  <basicHttpBinding>
    <binding name="Service1Binding" transferMode="Streamed"/>    
  </basicHttpBinding>
</bindings>

<services>
    <service name="WCFServiceSecurity.Service1" 
        behaviorConfiguration="WCFServiceSecurity.Service1Behavior">
        <endpoint address=""
            binding="basicHttpBinding"
            contract="WCFServiceSecurity.IService1"
            bindingConfiguration="Service1Binding"/>
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange"/>
    </service>
</services>

Can anyone offer some details as to what actions I would need to take in order to implement security on this service?

Note: I'm new to WCF and not at all familiar with security, so please let me know if I haven't provided enough detail.

As suggested by marc_s, I'd like to secure the WCF service using some sort of username/password mechanism. This gives a little more direction towards an answer, but I'm still somewhat blurry on how to actually do this.

Because my service requires streaming to be enabled, I have to use basicHttpBinding and Transport level security (right?); further to that, the method contained in my service can only accept a Stream object.

Taking those constraints into consideration along with my preference to use username/password validation...

  • How should I modify my service's config file to require username/password credentials?
  • How will my service validate the supplied credentials?
  • How does my client application pass credentials to the service when calling it?
  • Does this require the use of SSL? If so, do all client machines need a certificate?

After explaining the trouble I've been having with securing this service to my boss, I was given the go-ahead to try the Windows Authentication route. Sadly, I've had no luck in implementing this type of authentication with my Streamed service (argh). After making the appropriate changes (as outlined here - the only exception being that my transferMode="Streamed") and accessing my service, I was presented with the following error:

HTTP request streaming cannot be used in conjunction with HTTP authentication. Either disable request streaming or specify anonymous HTTP authentication.

I then stumbled upon the following quote here which offers some clarification:

You can't do transport auth. with streaming. If you have to use HTTP request streaming, you'll have to run without security.

Security works like this:

WCF Client makes an http request to the Server.

The Server responds with something saying, "You aren't authorized, send me a basic/digest/etc credential."

The Client gets that response and resends its message with the credentials tacked on.

Now the Server gets the message, verifies the credentials, and continues. Request Streaming isn't designed to work with that security pattern. If it did, it would be really slow, since the Client would send the entire stream, get the message from the Server that it wasn't authorized, then it would have to resend the entire stream with credentials.

So now I'm looking for opinions, how would you secure your streaming-enabled WCF service? As mentioned previously, some sort of username/password mechanism would be preferred. Feel free to think outside the box on this one...

Any help is greatly appreciated!

Recommended answer

Well, I found a lot of issues surrounding security/streaming while working on this problem. The hack (er...um...workaround) I finally ended up going with was to create a new DataContract that inherits MemoryStream and decorated it with a BaseStream property (for holding the data I want streamed) along with appropriate properties used for simple authentication.

Here is the resulting DataContract:

using System.IO;
using System.Runtime.Serialization;

// Carries the payload plus the caller's credentials as one serializable object,
// which becomes the sole parameter of the streamed service operation.
[DataContract]
[KnownType( typeof( MemoryStream ) )] 
public class StreamWithCredentials : MemoryStream
{
    // The data to be streamed.
    [DataMember]
    public Stream BaseStream { get; set; }

    // Checked by the service against known valid values before any other work is done.
    [DataMember]
    public string Username { get; set; }

    [DataMember]
    public string Password { get; set; }
}

The above DataContract ends up being the input parameter of my service's method. The first action my service takes is to authenticate the supplied credentials against known valid values and to continue as appropriate.

Now I do know that this is not the most secure option but my directive was to avoid using SSL (which I'm not even sure is possible anyway - as stated here) for this internal process.

That being said, this was the best solution to the above stated problem I could come up with, hope this helps anyone else stricken with this issue.

Thanks to everyone who replied.
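The answer above keeps the username/password mechanism but ships both fields, together with the payload, in a plain-text HTTP body, so anyone on the network path can read them and replay them. The following C# is an added example (my code, not the question's or the answer's) showing the layout WCF itself supports for a streamed operation that also carries credentials: a MessageContract whose credentials are SOAP headers (buffered and available before the body is read) and whose single body member is a Stream, hosted on basicHttpBinding with security mode Transport and ClientCredentialType None. That combination issues no HTTP-level authentication challenge, so the "HTTP request streaming cannot be used in conjunction with HTTP authentication" error does not arise, while HTTPS keeps the headers off the wire in clear text. The credential store, user name and password are constructed for the example; it assumes .NET Framework 4.7.2 or later for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```csharp
// Added example, not code from the original question or answer.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.ServiceModel;

namespace StreamingSecurityExample
{
    // Header members are buffered and parsed before the body; the single Stream
    // body member is what WCF streams. Credentials therefore arrive first, and the
    // service can reject a caller without consuming a possibly huge body.
    [MessageContract]
    public class UploadRequest
    {
        [MessageHeader(MustUnderstand = true)] public string Username { get; set; }
        [MessageHeader(MustUnderstand = true)] public string Password { get; set; }
        [MessageBodyMember] public Stream Data { get; set; }
    }

    [MessageContract]
    public class UploadResponse
    {
        [MessageBodyMember] public long BytesReceived { get; set; }
    }

    [ServiceContract]
    public interface IUploadService
    {
        [OperationContract]
        UploadResponse Upload(UploadRequest request);
    }

    public class UploadService : IUploadService
    {
        private const int Pbkdf2Iterations = 100_000;

        // Constructed in-memory credential store: username -> (salt, PBKDF2-SHA256 hash).
        // A real service loads this from a directory or database; storing only hashes
        // means a leaked store does not yield passwords.
        private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Users =
            new Dictionary<string, (byte[] Salt, byte[] Hash)>(StringComparer.Ordinal)
            {
                ["alice"] = MakeRecord("correct horse battery staple"),
            };

        private static (byte[] Salt, byte[] Hash) MakeRecord(string password)
        {
            var salt = new byte[16];
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
            return (salt, Derive(password, salt));
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Pbkdf2Iterations, HashAlgorithmName.SHA256))
                return kdf.GetBytes(32);
        }

        // Compares every byte regardless of where the first mismatch is, so response
        // time does not leak how much of the hash matched.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }

        public static bool Authenticate(string username, string password)
        {
            if (username == null || password == null) return false;
            // Derive against a dummy record for unknown users so the response time
            // does not reveal which usernames exist.
            if (!Users.TryGetValue(username, out var record))
                record = (new byte[16], new byte[32]);
            return FixedTimeEquals(Derive(password, record.Salt), record.Hash);
        }

        public UploadResponse Upload(UploadRequest request)
        {
            if (!Authenticate(request.Username, request.Password))
                throw new FaultException("Access denied."); // generic: no hint which field was wrong

            // The body is consumed only after the credential check passed.
            long total = 0;
            var buffer = new byte[64 * 1024];
            using (Stream data = request.Data)
            {
                int read;
                while ((read = data.Read(buffer, 0, buffer.Length)) > 0)
                    total += read; // a real service writes each chunk to its destination here
            }
            return new UploadResponse { BytesReceived = total };
        }
    }

    public static class BindingFactory
    {
        // Transport security with ClientCredentialType.None is the combination that
        // streams: HTTPS encrypts the SOAP headers carrying the password, and no
        // HTTP authentication challenge is issued, so request streaming is allowed.
        public static BasicHttpBinding CreateStreamedHttpsBinding()
        {
            var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport)
            {
                TransferMode = TransferMode.Streamed,
                MaxReceivedMessageSize = 1L << 30,
            };
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
            return binding;
        }
    }
}
```

A client would build a `ChannelFactory<IUploadService>` from `BindingFactory.CreateStreamedHttpsBinding()` and an `EndpointAddress` for the service's https URL (the address is whatever your host uses; none is assumed here), set the two header properties, and pass an open FileStream as Data. The service authenticates before it reads a byte of the body, derives against a dummy record for unknown users, and returns a generic fault, so neither timing nor the fault text tells a probing caller which usernames exist. The server side needs an HTTPS certificate bound to the port; client machines need none, because ClientCredentialType is None rather than Certificate.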
