Adding Second Layer Security for Wcf Service


Question


I have hosted a Wcf Service


When the user logs in to his user account, that is my first layer of security for the WCF service; it is the normal Windows login authentication. I want to provide a second layer of security before the WCF service is accessed. The second layer can be a username check or a username and password check. One more thing: in the second layer, if the user is the same as the one currently logged in, it should not ask for authentication. Otherwise, it should ask for authentication as part of the second layer of security.


How should I implement this logic?

Recommended answer


The answer depends on whether you're using your WCF service like a web server (using REST, BasicHttpBinding, WSHttpBinding, or WebHttpBinding), or whether you're using a more network-like protocol like NetNamedPipeBinding. With a network-like protocol, you can establish live sessions that persist for as long as you want after the user has signed in.


However, assuming you're using one of the web-centric protocols, you can't really set up first, second, n-th layers of security. You can set up a custom credential listener (like what Paramosh points to) that catches the user BEFORE he/she gets to the service, but that's it. There are no further events, so to speak, between the authentication event and when the request hits the fan.


So this is what I'd suggest: since HTTP communication is nearly always a repeating set of requests and responses, have your authentication occur on first contact, giving the user (after they've submitted credentials) a SessionID (GUID) token that they can return with for as long as you want. The SessionID token would need to be stored in a DB somewhere, and on each subsequent visit the user would need to present that token for validation, but after that you've effectively got a live session scenario that should prevent unwanted intrusions. And this SessionID (or whatever you use) can be checked by the custom credentials function listed above.
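The token scheme the answer describes, as an added example written for this page (not code from the answer or from the question's project): a server-side `ServiceAuthorizationManager` that checks a session token on every request before the operation is dispatched. It assumes a custom SOAP header named `SessionId` in the made-up namespace `urn:example:session`, an in-memory dictionary standing in for the database, and Windows authentication on the binding so the token can be bound to the caller's Windows identity; it also uses a cryptographic random token rather than a GUID, since GUIDs are not guaranteed to be unpredictable.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical token store; in a real service this is the DB table the answer mentions.
public static class SessionStore
{
    public sealed class Entry { public string User; public DateTime ExpiresUtc; }
    public static readonly ConcurrentDictionary<string, Entry> Tokens =
        new ConcurrentDictionary<string, Entry>();
    public static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    // Called once, after the caller has verified the user's second-layer credentials.
    public static string Issue(string user)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);  // 256-bit random token
        string token = Convert.ToBase64String(bytes);
        Tokens[token] = new Entry { User = user, ExpiresUtc = DateTime.UtcNow + Lifetime };
        return token;
    }

    // A token is valid only if it exists, has not expired, and was issued to this same Windows user.
    public static bool Validate(string token, string currentUser)
    {
        Entry e;
        if (token == null || !Tokens.TryGetValue(token, out e)) return false;
        if (DateTime.UtcNow > e.ExpiresUtc) { Tokens.TryRemove(token, out e); return false; }
        return string.Equals(e.User, currentUser, StringComparison.OrdinalIgnoreCase);
    }
}

// The "custom credentials function": WCF calls CheckAccessCore before every operation.
public class SessionAuthorizationManager : ServiceAuthorizationManager
{
    const string HeaderName = "SessionId";           // assumed header name
    const string HeaderNs = "urn:example:session";   // assumed header namespace

    protected override bool CheckAccessCore(OperationContext ctx)
    {
        MessageHeaders headers = ctx.RequestContext.RequestMessage.Headers;
        int i = headers.FindHeader(HeaderName, HeaderNs);
        string token = i >= 0 ? headers.GetHeader<string>(i) : null;
        var identity = ctx.ServiceSecurityContext != null ? ctx.ServiceSecurityContext.WindowsIdentity : null;
        string user = identity != null ? identity.Name : null;   // first layer: Windows login
        return user != null && SessionStore.Validate(token, user); // second layer: session token
    }
}
```

Register the manager through the service's `<serviceAuthorization serviceAuthorizationManagerType="..."/>` behavior; a request that fails `CheckAccessCore` is rejected with an access-denied fault before any operation code runs.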
