Windows Azure WCF Security


Question

I've a WCF service deployed to the cloud. Could anyone guide me through best practices on how I can secure the end point in Azure, please?

Thanks.

Recommended answer

In my opinion, the easiest approach is to use the AppFabric Access Control Service (ACS) to generate a Secure Web Token (SWT) that you pass to the WCF service via an authorization HTTP header. In the service method, you can then read and validate the SWT from the header.

It's pretty straightforward, particularly if you create proxies dynamically rather than using Service References.

This is how I get the SWT from ACS:

// Requires: using System.Collections.Specialized; using System.Linq; using System.Net;
private static string GetToken(string serviceNamespace, string issuerKey, string appliesto)
{
    // Dispose the WebClient once the token request has completed
    using (WebClient client = new WebClient())
    {
        client.BaseAddress = String.Format("https://{0}.accesscontrol.windows.net", serviceNamespace);
        client.UseDefaultCredentials = true;

        // WRAP v0.9 token request: identity name, its password and the scope (relying party URI)
        NameValueCollection values = new NameValueCollection();

        values.Add("wrap_name", serviceNamespace);
        values.Add("wrap_password", issuerKey);
        values.Add("wrap_scope", appliesto);

        byte[] responseBytes = client.UploadValues("WRAPv0.9", "POST", values);

        string response = System.Text.Encoding.UTF8.GetString(responseBytes);

        // The response is form-encoded; the token value is still URL-encoded at this point
        string token = response
                            .Split('&')
                            .Single(value => value.StartsWith("wrap_access_token=", StringComparison.OrdinalIgnoreCase))
                            .Split('=')[1];

        return token;
    }
}

issuerKey, as it was referred to in ACS v1, is now the Password from the Service Identity in ACS v2.

To call the service:

string accessToken = GetToken(serviceNamespace, issuerKey, appliesto);

// The token comes back URL-encoded; decode it once before placing it in the header
string authHeaderValue = string.Format("WRAP access_token=\"{0}\"", HttpUtility.UrlDecode(accessToken));

// TInterface is the service interface
// endpointName refers to the endpoint in web.config
ChannelFactory<TInterface> channelFactory = new ChannelFactory<TInterface>(endpointName);

TInterface proxy = channelFactory.CreateChannel();

// The scope makes WebOperationContext.Current apply to calls made through this proxy
using (new OperationContextScope((IContextChannel)proxy))
{
    WebOperationContext.Current.OutgoingRequest.Headers.Add(HttpRequestHeader.Authorization, authHeaderValue);

    // Call your service
    proxy.DoSomething();
}

On the service-side, you extract the token from the header and validate it. I can find out the code for that, if this looks like the approach you want to take.

Try this blog post by Alik Levin as a good starting point: http://blogs.msdn.com/b/alikl/archive/2011/06/02/windows-azure-appfabric-access-control-service-acs-wcf-swt-rest-oauth-scenario.aspx
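The service-side check that the answer describes but does not show could look like the following. This is an added example, not code from the answer or from ACS: the class name SwtValidator and its parameters are hypothetical, and it assumes the token is a standard SWT (form-encoded Issuer, Audience and ExpiresOn claims followed by a trailing HMACSHA256 signature) signed with a base64 key the service shares with ACS.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Hypothetical helper. In a service method, pass it
// WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Authorization].
public static class SwtValidator
{
    private const string Prefix = "WRAP access_token=\"";
    private const string SigLabel = "&HMACSHA256=";
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // signingKey: base64 token-signing key (assumed to be loaded from service configuration).
    public static bool IsValid(string header, string signingKey, string issuer, string audience, DateTime utcNow)
    {
        if (header == null || header.Length <= Prefix.Length
            || !header.StartsWith(Prefix, StringComparison.Ordinal)
            || !header.EndsWith("\"", StringComparison.Ordinal)) return false;
        string token = header.Substring(Prefix.Length, header.Length - Prefix.Length - 1);
        // The signature covers every character before the final "&HMACSHA256=".
        int sigPos = token.LastIndexOf(SigLabel, StringComparison.Ordinal);
        if (sigPos < 0) return false;
        string signedPart = token.Substring(0, sigPos);
        byte[] presented, expected;
        try
        {
            presented = Convert.FromBase64String(HttpUtility.UrlDecode(token.Substring(sigPos + SigLabel.Length)));
            using (var hmac = new HMACSHA256(Convert.FromBase64String(signingKey)))
                expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(signedPart));
        }
        catch (FormatException) { return false; }
        // Constant-time comparison so response timing does not reveal matching signature bytes.
        int diff = presented.Length ^ expected.Length;
        for (int i = 0; i < presented.Length && i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        if (diff != 0) return false;
        // Claims are parsed only after the signature has been verified; duplicate names are rejected.
        var claims = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (string pair in signedPart.Split('&'))
        {
            string[] kv = pair.Split(new[] { '=' }, 2);
            if (kv.Length != 2 || claims.ContainsKey(HttpUtility.UrlDecode(kv[0]))) return false;
            claims.Add(HttpUtility.UrlDecode(kv[0]), HttpUtility.UrlDecode(kv[1]));
        }
        string iss, aud, exp; long expiresOn;
        return claims.TryGetValue("Issuer", out iss) && iss == issuer
            && claims.TryGetValue("Audience", out aud) && aud == audience
            && claims.TryGetValue("ExpiresOn", out exp) && long.TryParse(exp, out expiresOn)
            && expiresOn > (long)(utcNow - Epoch).TotalSeconds;
    }
}
```

When IsValid returns false, the service should reject the call (for example with HTTP 401) before running any operation logic.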
