如何在 Active Directory/Windows 身份验证中使用 Servicestack 身份验证? [英] How to use Servicestack Authentication with Active Directory/Windows Authentication?
问题描述
我正在创建一个安全 (SSL) 公共服务,其中用户凭据驻留在 Active Directory 中.我想利用 ServiceStack 的身份验证并阅读了 wiki 文章.我已经编写了代码来使用 AD 验证用户凭据.我有几个问题.
I am creating a secure (SSL) public service where the users credentials reside in Active Directory. I want to leverage ServiceStack's Authentication and have read over the wiki article. I already have code written to verify the user credentials with AD. I have a few questions.
- 我使用哪个身份验证提供程序?凭据、基本身份验证还是自定义?该服务需要 SSL,因此基本身份验证是安全的,但密码将被加密以增加安全性.
- 我还需要存储 UserAuth 并缓存 AuthUserSession 吗?
- 单点触控客户端是否支持身份验证?
更新 2:我最终使用 CredentialsAuthProvider 制作了一个与 AD 集成的测试 SS 服务.然而,我的最终目标是拥有 1 个站点,当客户端调用时它是一个 api.所以基本上是一个 SS MVC 站点.
Update 2: I did end up making a test SS service that integrated with AD, using CredentialsAuthProvider. However my ultimate goal it to have 1 site that is an api when called by clients. So basically a SS MVC site.
更新:
经过进一步研究,我了解到 SS 正在考虑做一个未来可能支持 Windows 身份验证的商业产品.我在 SS Google 小组 mythz 的评论中读到了这一点.我问这个 SO 问题的原因是我的公司使用 IWA 构建内部应用程序,并且没有 IWA 很难采用 SS MVC.我想我读到您可以从使用 IWA 的 ASP.NET 站点托管 SS MVC 站点,但我还没有尝试过.
It is my understanding after doing some more research that SS is considering doing a commercial product that may support Windows Authentication in the future. I read this in a comment from mythz on the SS Google group. The reason I asked this SO question is that my company builds internal applications using IWA and adopting SS MVC is hard without IWA. I think I read that you could host the SS MVC site off of a ASP.NET site that uses IWA but I have not tried that yet.
推荐答案
我也将 ServiceStack 与集成的 Windows 身份验证连接起来(用于企业应用程序),关键是跳过尝试将其与 ServiceStack 的 AuthProviders 完全集成,因为 IWA 的一般方法不处理应用程序代码中的凭据——它由 Web 服务器处理.我所做的是:
I've also hooked up ServiceStack with Integrated Windows Authentication (for a corporate application), and the key was to skip trying to integrate it with ServiceStack's AuthProviders entirely, since the general approach of IWA doesn't deal with credentials in your application code -- it's handled by the web server. What I did was:
在 IIS 中配置站点/应用程序,以便 Windows 身份验证是唯一启用的选项.(不允许匿名访问.)这意味着 IIS 本身将处理未经身份验证的用户的质询-响应 (HTTP 401/200) 序列,并为您处理流程的身份验证部分.
Configure the site/application in IIS so that Windows Authentication was the only enabled option. (No Anonymous access allowed.) This means IIS itself will take care of the challenge-response (HTTP 401/200) sequence with unauthenticated users, and handles the authentication part of the process for you.
实现 ServiceStack 的 IHasRequestFilter(一个 HTTP 预请求过滤器)作为一个属性(例如,[AdminOnly]).此过滤器的 RequestFilter 方法从 HttpContext (HttpContext.User.Identity.Name) 获取当前用户名,从存储库(可能是 SQL 数据库、平面文件等)中查找它,缓存结果使用 ServiceStack 的 ICacheClient(内存缓存、Redis 等),如果未授权则抛出 403 HttpError.
Implement ServiceStack's IHasRequestFilter (an HTTP pre-request filter) as an Attribute (e.g., [AdminOnly]). This filter's RequestFilter method fetches the current username from HttpContext (HttpContext.User.Identity.Name), looks it up from a repository (which could be a SQL database, flat file, etc.), caches results using ServiceStack's ICacheClient (memory cache, Redis, etc.), and throws a 403 HttpError if unauthorized.
完成此操作后,所需要做的就是将属性添加到需要的类或方法中(在需要的地方将此身份验证/授权放入服务管道中),并在我的 AppHost 实现中注册我需要的缓存提供程序,例如:
With this done, all that was necessary was to add the attribute to classes or methods where desired (which gets this authentication/authorization into the service pipeline where desired), and register my desired cache provider in my AppHost implementation, e.g.:
container.Register<ICacheClient>(new MemoryCacheClient() { FlushOnDispose = false });
效果很好.
这篇关于如何在 Active Directory/Windows 身份验证中使用 Servicestack 身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
