Passing HttpContext.Current.User.Identity to WCF


Question


Looking for a little advice (or maybe even a direct answer).


I have an MVC3 website. I also have a set of WCF services running (for now everything is on the same box).


What I'm trying to do is authenticate the client (that part is working fine), then pass that authenticated user on to various WCF calls.


At the moment I've hooked up the Application_AuthenticateRequest() method in Global.Asax, which boils down to creating a new GenericIdentity & GenericPrincipal, then assigning that principal to HttpContext.Current.User:

...
// Global.asax, inside Application_AuthenticateRequest (needs System.Security.Principal and System.Web)
GenericIdentity identity = new GenericIdentity(userName);
GenericPrincipal principal = new GenericPrincipal(identity, null);   // null: no roles assigned
HttpContext.Current.User = principal;
...


And that part seems to be working fine as well.


But when I hit my service, I have completely lost the user that I set. The values are empty or false.


The one main thing I've noticed is that on the Client side, the HttpContext.Current.User.Identity object is of type {System.Web.Security.FormsIdentity}, but in the service it's of type {System.Security.Principal.WindowsIdentity}.


Based on some of what I've read, it sounds like simply modifying my web.config so it contains aspNetCompatibilityEnabled="true" may be enough to make this work properly. But that's not what I'm seeing. So either I'm not understanding everything (a very good possibility) or I've got something screwed up (another good possibility).

So my question. Is this even possible, and if so - thoughts on what I'm missing? I notice a few others have posted something similar but have never quite received a definite answer (see http://stackoverflow.com/questions/1087271/passing-formsauthentication-cookie-to-a-wcf-service and here).


Any suggestions are very much appreciated.
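As an added example (not code from the question or its answer), the following shows the two pieces that ASP.NET compatibility mode needs, plus the piece the question does not mention: the WCF client inside the MVC site has to forward the caller's Forms authentication cookie, otherwise the service request never passes through Forms authentication and the service sees the worker process's WindowsIdentity. The service contract, the `.svc` web hosting, a shared cookie name and machineKey between the two applications, and an https endpoint are all assumptions of this example.

```csharp
// web.config of the web-hosted WCF service (assumed .svc hosting under IIS):
//
//   <system.serviceModel>
//     <serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
//   </system.serviceModel>
//   <system.web>
//     <authentication mode="Forms" />   <!-- same cookie name and machineKey as the MVC site -->
//   </system.web>
//
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Channels;
using System.Web;
using System.Web.Security;

[ServiceContract]
public interface IWhoAmI          // assumed contract for the example
{
    [OperationContract]
    string WhoAmI();
}

// Required mode makes hosting fail loudly if compatibility mode is off in web.config,
// instead of silently running the service with the wrong identity.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class WhoAmIService : IWhoAmI
{
    public string WhoAmI()
    {
        // With compatibility mode on, the request went through the ASP.NET pipeline, so
        // FormsAuthenticationModule (or Application_AuthenticateRequest) has already set
        // HttpContext.Current.User from the forwarded cookie.
        var user = HttpContext.Current.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new FaultException("Unauthenticated");   // fail closed rather than fall back to the process account
        return user.Identity.GetType().Name + ":" + user.Identity.Name;
    }
}

// Client side, called from the MVC site while handling a Forms-authenticated request.
public static class WhoAmIClientHelper
{
    public static string CallAsCurrentUser(HttpRequestBase incoming, string serviceUrl)
    {
        // Take the caller's own auth cookie from the incoming MVC request...
        HttpCookie auth = incoming.Cookies[FormsAuthentication.FormsCookieName];
        if (auth == null) throw new InvalidOperationException("no forms auth cookie on this request");

        // Transport security assumed (serviceUrl is https): the cookie is a bearer credential.
        var factory = new ChannelFactory<IWhoAmI>(
            new BasicHttpBinding(BasicHttpSecurityMode.Transport), new EndpointAddress(serviceUrl));
        IWhoAmI proxy = factory.CreateChannel();
        try
        {
            using (new OperationContextScope((IContextChannel)proxy))
            {
                // ...and attach it to the outgoing WCF HTTP request, so the service's
                // ASP.NET pipeline authenticates the same user.
                var http = new HttpRequestMessageProperty();
                http.Headers[HttpRequestHeader.Cookie] = auth.Name + "=" + auth.Value;
                OperationContext.Current.OutgoingMessageProperties[HttpRequestMessageProperty.Name] = http;
                return proxy.WhoAmI();
            }
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

If the service still reports a WindowsIdentity after this, the usual causes are the service being hosted outside ASP.NET (self-hosted, so there is no pipeline), a different Forms cookie name or machineKey in the two web.config files, or the cookie not surviving the hop.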

Answer


I can't really answer directly to your question but hopefully will help you find the definite answer.


You have 2 service layers, and seems your requirement is to share Authentication identity among all layers.


So, in principle, you'd need (at least) the same Authentication mechanisms or algorithms or techniques to achieve this. But at this point you are not using the same (and you noticed when you saw a FormsIdentity and a WindowsIdentity there).

Facts:

  • You need to use the same authentication mechanism in both layers.
  • Whichever mechanism you use needs to support the 3rd hop you want (meaning you can use a user's identity with a third service without having to reauthenticate with the actual credentials).

Problems:

  • If you continue to use Forms authentication, then you'll need to reauthenticate with your WCF service (and of course provide Identity credentials, this may help). This I find hard to do unless you keep the password the User used to authenticate him/herself, which is generally a bad idea.
  • If you continue to use Windows Authentication for your site, then you'll have a problem if the user is logging in from the Intranet. Funny thing with Kerberos (Active Directory uses Kerberos) is that it lets the user access remote resources without reauthenticating... but this User Identity Token is only good for 1 hop. While your WCF and MVC services are on the same server, it'll work, but if you eventually take your WCF service away... that's a 3rd box boundary... a 3rd hop, and the Kerberos ticket will not be good enough.


So... being unaware of your requirements, I would first suggest you:

  • Forget authentication on your WCF layer.
  • Make access to your WCF service private (work your networking skills... firewalls etc.). I'd start by running WCF in a separate IIS website that does not listen on port 80 (or 443), and make sure the firewall blocks access to your new WCF port from IP addresses outside your LAN (or even better, white-list your outside callers (localhost for now)).
  • Specify the user identity as a parameter of every WCF call. Or, if you're feeling crazy, explore ways of specifying the user identity through SOAP headers (if your WCF uses SOAP). A custom header should do nicely too. You'd then trust that your website is properly challenging and authenticating users before granting them access to your WCF service.


I've seen this running many times by now. Not having authentication on a private service is a good performance deal, but you need to take precautions cause in general, most of the IT attacks come from the internal LAN.
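As an added example (not the answerer's code), this implements the last suggestion above: the web tier forwards the already-authenticated user name in a custom SOAP header, and the service rebuilds a GenericPrincipal from it so existing IsInRole checks keep working. The header name, namespace, service contract and role lookup are assumed values chosen for the example. The header is only trustworthy under the answer's precondition that the service port is reachable from the web tier alone; anyone who can reach the port can claim any name, which is why the service fails closed when the header is missing and never takes roles from the header.

```csharp
using System;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Threading;

public static class IdentityHeader
{
    public const string Name = "CallerIdentity";             // assumed header name
    public const string Ns = "urn:example:identity-header";  // assumed namespace

    // Client side (inside the MVC site): call this within an OperationContextScope.
    public static void Attach(IPrincipal caller)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            throw new InvalidOperationException("Refusing to forward an unauthenticated caller");
        OperationContext.Current.OutgoingMessageHeaders.Add(
            MessageHeader.CreateHeader(Name, Ns, caller.Identity.Name));
    }

    // Service side: returns the forwarded principal, or null when the header is absent.
    public static IPrincipal ReadCaller()
    {
        MessageHeaders headers = OperationContext.Current.IncomingMessageHeaders;
        int idx = headers.FindHeader(Name, Ns);
        if (idx < 0) return null;
        string name = headers.GetHeader<string>(idx);
        if (string.IsNullOrWhiteSpace(name)) return null;
        // Roles are resolved here on the service side, never trusted from the wire.
        return new GenericPrincipal(new GenericIdentity(name), LookupRoles(name));
    }

    private static string[] LookupRoles(string userName)
    {
        return new string[0];   // assumed: replace with the application's own role store
    }
}

[ServiceContract]
public interface IOrderService    // assumed contract for the example
{
    [OperationContract]
    string PlaceOrder(string sku);
}

public class OrderService : IOrderService
{
    public string PlaceOrder(string sku)
    {
        IPrincipal caller = IdentityHeader.ReadCaller();
        if (caller == null)
            throw new FaultException("Missing caller identity");   // fail closed; never fall back to the process identity
        Thread.CurrentPrincipal = caller;   // lets existing IsInRole / PrincipalPermission checks work unchanged
        return "order for " + sku + " placed by " + caller.Identity.Name;
    }
}

// Client usage from an MVC controller action; proxy comes from a ChannelFactory<IOrderService>.
public static class OrderClient
{
    public static string PlaceOrderAs(IOrderService proxy, IPrincipal webUser, string sku)
    {
        using (new OperationContextScope((IContextChannel)proxy))
        {
            IdentityHeader.Attach(webUser);   // webUser is HttpContext.Current.User in the MVC site
            return proxy.PlaceOrder(sku);
        }
    }
}
```

Because the header carries no proof, logging the forwarded name together with the client IP on the service side is a cheap way to notice calls that did not originate from the web tier, which is the "precautions" the answer has in mind.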
