Token-Based Authentication in WCF


Question

I am creating a website which will contain both ASP.NET pages and a Flash applet. I want to encapsulate my business logic in a WCF service which will be exposed through two endpoints: one accessible over the Internet through HTTP(S), for use by the Flash client, and one accessible within the data center for use by the application servers. If this does not seem like a good approach, then stop me here; otherwise, I'll move on...

The question is how to authenticate requests coming from the Flash client. Since I don't want to store the user's password in a browser cookie, don't want to send the password with every request, and don't want to have to use HTTPS after the initial login, I plan on using a token-based authentication system. I also don't want the user to have to log into the Flash client after already logging into the site itself, so I plan on using JavaScript to pass the token to the Flash client when it starts.

I know WCF supports using the .NET Framework's built-in security framework (System.Security) to enforce access control, and I would like to take advantage of this.

The question, then, is: how do I pass the token to the WCF service when it is called from Flash, and how do I handle the token on the server?

  • WCF has an Issued Token authentication mode, but it seems to be intended for use in a full-blown federation scenario with a Security Token Service and SAML tokens - more complexity than I really want. Can this mode be used with my own simple random-string tokens? If so, how? Keep in mind that this needs to be compatible with Flash.

  • I could pass the token in a header (either a SOAP header or an HTTP header). In that case, once I have determined which user is making the request, how do I inform the framework so that the System.Security checks work?

  • Is there a different approach entirely that I should consider? Anything that avoids sending the password with every request, lets me use System.Security, and works with Flash is a possibility.

Answer

As it seems the original question has been answered I'll keep this brief, but one approach would indeed be to pass the authentication token in an HTTP header and override CheckAccess(OperationContext operationContext, ref Message message) in a custom ServiceAuthorizationManager.

You will have previously configured the service to use a custom policy that implements IAuthorizationPolicy.

All that remains is to implement simple IIdentity and IPrincipal classes to store your authorization state.

A number of good articles exist on this subject:

http://msdn.microsoft.com/en-us/library/system.identitymodel.policy.iauthorizationpolicy.aspx

http://msdn.microsoft.com/en-us/library/system.servicemodel.serviceauthorizationmanager.aspx

I guess this may still feel like a "roll-your-own" solution, but it's at least reassuring when you're following an established pattern. It does have the advantage of black-boxing your authorization code from your service methods.
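A concrete sketch of that pattern, added here as an example (it is not code from the answer, nor from Microsoft's samples): the token travels in an assumed `X-Auth-Token` HTTP header, a custom IAuthorizationPolicy resolves it to an IPrincipal, a ServiceAuthorizationManager rejects requests that carry no valid token, and PrincipalPermissionMode.Custom lets the ordinary [PrincipalPermission] demands on the service methods see that principal. The answer names CheckAccess; the code below overrides CheckAccessCore, the protected hook that CheckAccess calls after it has built the ServiceSecurityContext from the registered policies. The TokenStore, the header name, the IOrders contract and the "Customer" role are all constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.Text;
using System.Threading;

// Constructed in-memory token store: keyed by SHA-256(token) so a dump of the store
// does not hand out live tokens. In the real site the login page would call Issue().
public sealed class TokenStore
{
    private sealed class Entry { public string User; public string[] Roles; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _byHash = new Dictionary<string, Entry>();

    public string Issue(string user, string[] roles, TimeSpan lifetime)
    {
        var raw = new byte[32];                                   // 256 bits of CSPRNG output
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        lock (_byHash)
            _byHash[Hash(token)] = new Entry { User = user, Roles = roles, ExpiresUtc = DateTime.UtcNow + lifetime };
        return token;
    }

    // Principal for a live token; null for a missing, unknown or expired one.
    public IPrincipal Resolve(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string key = Hash(token);
        Entry e;
        lock (_byHash)
        {
            if (!_byHash.TryGetValue(key, out e)) return null;
            if (e.ExpiresUtc <= DateTime.UtcNow) { _byHash.Remove(key); return null; }
        }
        return new TokenPrincipal(new TokenIdentity(e.User), e.Roles);
    }

    private static string Hash(string s)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }
}

// The "simple IIdentity and IPrincipal classes" the answer mentions.
public sealed class TokenIdentity : IIdentity
{
    public TokenIdentity(string name) { Name = name; }
    public string Name { get; private set; }
    public string AuthenticationType { get { return "Token"; } }
    public bool IsAuthenticated { get { return true; } }
}

public sealed class TokenPrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;
    public TokenPrincipal(IIdentity identity, IEnumerable<string> roles)
    {
        Identity = identity;
        _roles = new HashSet<string>(roles, StringComparer.OrdinalIgnoreCase);
    }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return _roles.Contains(role); }
}

// Custom IAuthorizationPolicy: reads the header once per request and publishes the principal
// under the "Principal" key that PrincipalPermissionMode.Custom looks for.
public sealed class TokenAuthorizationPolicy : IAuthorizationPolicy
{
    public const string HeaderName = "X-Auth-Token";            // assumed header name
    private readonly TokenStore _store;
    public TokenAuthorizationPolicy(TokenStore store) { _store = store; Id = Guid.NewGuid().ToString(); }
    public string Id { get; private set; }
    public ClaimSet Issuer { get { return ClaimSet.System; } }

    public bool Evaluate(EvaluationContext evaluationContext, ref object state)
    {
        OperationContext ctx = OperationContext.Current;
        var http = ctx == null ? null
            : ctx.IncomingMessageProperties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        IPrincipal principal = _store.Resolve(http == null ? null : http.Headers[HeaderName]);
        if (principal != null) evaluationContext.Properties["Principal"] = principal;
        return true;                                              // evaluation complete either way
    }
}

// Custom ServiceAuthorizationManager: unauthenticated requests never reach an operation.
public sealed class TokenAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        object p;
        var props = operationContext.ServiceSecurityContext.AuthorizationContext.Properties;
        return props.TryGetValue("Principal", out p) && ((IPrincipal)p).Identity.IsAuthenticated;
    }
}

// Service methods then rely on the framework's own role checks (constructed contract).
[ServiceContract] public interface IOrders { [OperationContract] string ListOrders(); }
public sealed class OrdersService : IOrders
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Customer")]
    public string ListOrders() { return "orders for " + Thread.CurrentPrincipal.Identity.Name; }
}

// Host wiring; the same three settings can be placed in <serviceAuthorization> in config.
public static class HostSetup
{
    public static ServiceHost Configure(ServiceHost host, TokenStore store)
    {
        var auth = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
        auth.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        auth.ServiceAuthorizationManager = new TokenAuthorizationManager();
        auth.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new IAuthorizationPolicy[] { new TokenAuthorizationPolicy(store) });
        return host;
    }
}
```

The manager returning false produces an access-denied fault before the operation body runs, so the [PrincipalPermission] demand is a second, independent gate rather than the only one. Because the header is a bearer token, anyone who can read the request on the wire can replay it for as long as the store keeps it; the lifetime passed to Issue() is the knob that bounds that window when the post-login traffic is not on HTTPS.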
