ASP.NET为WCF - 直通安全? [英] ASP.NET to WCF - passthrough security?
问题描述
我有一个MVC网站上WCF服务的顶部坐镇。 WCF服务也是使用邮件安全和证书用户名/密码认证互联网访问。这是设置和工作。
I have a MVC website that sits on top of a WCF service. The WCF service is also accessible to the internet with username/password authentication using message security and certificates. This is setup and working.
这两个网站和服务使用相同的会员店,采用会员API。
Both the website and the service use the same membership store, using the membership API.
一个用户可以登录到任何网站或使用相同的凭据服务。但是,当网站调用服务,它需要通过当前登录用户的凭据。我可以从
A user can log onto either the website or the service using the same credentials. However, when the website calls the service, it needs to pass the credentials of the currently logged on user. I can get the username from
Membership.GetUser().UserName
但我不能得到密码!
but I can't get the password!
有另一种方式基本上通过该网站的用户凭据的服务?
Is there another way to essentially pass the website user credentials to the service?
任何帮助非常AP preciated ...
Any help much appreciated...
推荐答案
这是很奇怪的架构。为什么要两次验证用户?刚刚成立不同的端点(net.pipe)为你的MVC和避免二次认证。如果您需要了解该服务认证的用户,以及你有两个选择dependend的信任你的MVC应用程序:
this is very strange architecture. Why to authenticate user twice? Just set up different endpoint (net.pipe) for your MVC and avoid second authentication. If you need to know authenticated user on the service as well you have two choices dependend on the trust to your MVC application:
- 发送的用户名作为自定义邮件头。缺点:如果一个黑客绕过您的验证她可以调用与任何用户名服务
- 请不要直接在MVC验证用户。相反,总是WCF验证用户,并创建自定义的MVC成员资格提供程序,它将调用验证服务。该服务还将生成令牌,你的身份验证的用户,每个操作将验证令牌。缺点:复杂性
编辑:有<一个href=\"http://stackoverflow.com/questions/3451578/wcf-authentication-using-sql-membership-provider\">related帖子有类似的问题。你可以找到有另一种建议。
There is related post with similar question. You can find there another suggestions.
这篇关于ASP.NET为WCF - 直通安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
