How do I authenticate once with client credentials in WCF?

Time: 2022-03-17 14:12:51

What is the best approach to make sure you only need to authenticate once when using an API built on WCF?

My current bindings and behaviors are listed below

    <bindings>
        <wsHttpBinding>
            <binding name="wsHttp">
                <security mode="TransportWithMessageCredential">
                    <transport/>
                    <message clientCredentialType="UserName" negotiateServiceCredential="false" establishSecurityContext="true"/>
                </security>
            </binding>
        </wsHttpBinding>
    </bindings>
    <behaviors>
        <serviceBehaviors>
            <behavior name="NorthwindBehavior">
                <serviceMetadata httpGetEnabled="true"/>
                <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
                <serviceCredentials>
                    <userNameAuthentication userNamePasswordValidationMode="MembershipProvider"/>
                </serviceCredentials>
            </behavior>
        </serviceBehaviors>
    </behaviors>

Next is what I am using in my client app to authenticate (currently I must do this every time I want to make a call into WCF)

Dim client As ProductServiceClient = New ProductServiceClient("wsHttpProductService")
client.ClientCredentials.UserName.UserName = "foo"
client.ClientCredentials.UserName.Password = "bar"
Dim ProductList As List(Of Product) = client.GetProducts()

What I would like to do is auth w/ the API once using these credentials, then get some type of token for the period of time my client application is using the web service project. I thought establishsecuritycontext=true did this for me?

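As an added example (not code from the question), the VB.NET wrapper below keeps one proxy alive instead of building a new ProductServiceClient per call. With the question's binding, establishSecurityContext="true" makes WCF run a WS-SecureConversation handshake on the first call of a proxy: the username and password are sent once in that exchange, a security context token is issued, and later calls on the same proxy are protected by the derived session key rather than by the password. Closing the proxy cancels the context. ProductServiceClient, Product and the endpoint name "wsHttpProductService" come from the question; the wrapper class itself is an assumption.

```vb
' Added example (not from the question): keep one proxy so that the secure
' conversation created by establishSecurityContext="true" is negotiated once.
Imports System
Imports System.Collections.Generic
Imports System.ServiceModel

Public NotInheritable Class ProductServiceSession
    Implements IDisposable

    Private ReadOnly _endpointConfigName As String
    Private ReadOnly _userName As String
    Private ReadOnly _password As String
    Private _client As ProductServiceClient   ' generated proxy from the question

    Public Sub New(endpointConfigName As String, userName As String, password As String)
        _endpointConfigName = endpointConfigName
        _userName = userName
        _password = password
    End Sub

    ' Returns the live proxy, rebuilding it only if it has faulted or been closed.
    Private Function GetClient() As ProductServiceClient
        If _client Is Nothing OrElse _client.State = CommunicationState.Faulted _
           OrElse _client.State = CommunicationState.Closed Then
            If _client IsNot Nothing Then _client.Abort()
            _client = New ProductServiceClient(_endpointConfigName)
            ' Credentials must be set before the channel is opened; they are used
            ' only in the one-time RequestSecurityToken handshake that Open() triggers.
            _client.ClientCredentials.UserName.UserName = _userName
            _client.ClientCredentials.UserName.Password = _password
            _client.Open()
        End If
        Return _client
    End Function

    ' Every service call rides on the session established above.
    Public Function GetProducts() As List(Of Product)
        Return GetClient().GetProducts()
    End Function

    Public Sub Dispose() Implements IDisposable.Dispose
        If _client Is Nothing Then Return
        Try
            If _client.State = CommunicationState.Faulted Then
                _client.Abort()
            Else
                _client.Close()   ' also cancels the security context token on the service
            End If
        Catch ex As CommunicationException
            _client.Abort()
        Catch ex As TimeoutException
            _client.Abort()
        End Try
        _client = Nothing
    End Sub
End Class

' Usage: one session for the lifetime of the client application.
' Using session As New ProductServiceSession("wsHttpProductService", "foo", "bar")
'     Dim first As List(Of Product) = session.GetProducts()   ' handshake + call
'     Dim second As List(Of Product) = session.GetProducts()  ' session key only
' End Using
```

The security context token has its own lifetime (WCF renews it automatically while the proxy stays open), so a long-running client does not need to re-enter the password as long as the same proxy instance is reused.
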
2 solutions

#1

3

If you're on an intranet, Windows authentication can be handled for "free" by configuration alone.

If this isn't appropriate, token services work just fine, but for some situations they may be just too much.

The application I'm working on needed bare-bones authentication. Our server and client run inside a (very secure) intranet, so we didn't care too much for the requirement to use an X.509 certificate to encrypt the communication, which is required if you're using username authentication.

So we added a custom behavior to the client that adds the username and (encrypted) password to the message headers, and another custom behavior on the server that verifies them.

All very simple, required no changes to the client side service access layer or the service contract implementation. And as it's all done by configuration, if and when we need to move to something a little stronger it'll be easy to migrate.

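The approach this answer describes, as an added VB.NET example that is not the answerer's code: a client endpoint behavior installs a message inspector that writes the username and password into SOAP headers, and the same behavior class installs a dispatch inspector on the service that verifies them on every request. The class names, the header namespace and the validator delegate are assumptions; the example assumes the transport (HTTPS) protects the headers and does not reproduce the answer's own header-encryption step.

```vb
' Added example (not the answerer's code): credentials in SOAP headers,
' added by a client inspector and checked by a service inspector.
Imports System
Imports System.ServiceModel
Imports System.ServiceModel.Channels
Imports System.ServiceModel.Description
Imports System.ServiceModel.Dispatcher

Public Module CredentialHeader
    Public Const Ns As String = "urn:example:credential-header"   ' assumed namespace
    Public Const UserHeader As String = "UserName"
    Public Const PasswordHeader As String = "Password"
End Module

' Client side: stamp both headers on every outgoing request.
Public Class CredentialClientInspector
    Implements IClientMessageInspector

    Private ReadOnly _user As String, _pass As String

    Public Sub New(user As String, pass As String)
        _user = user : _pass = pass
    End Sub

    Public Function BeforeSendRequest(ByRef request As Message, channel As IClientChannel) As Object _
        Implements IClientMessageInspector.BeforeSendRequest
        request.Headers.Add(MessageHeader.CreateHeader(CredentialHeader.UserHeader, CredentialHeader.Ns, _user))
        request.Headers.Add(MessageHeader.CreateHeader(CredentialHeader.PasswordHeader, CredentialHeader.Ns, _pass))
        Return Nothing
    End Function

    Public Sub AfterReceiveReply(ByRef reply As Message, correlationState As Object) _
        Implements IClientMessageInspector.AfterReceiveReply
    End Sub
End Class

' Service side: reject any request whose headers are missing or do not validate.
Public Class CredentialDispatchInspector
    Implements IDispatchMessageInspector

    Private ReadOnly _validate As Func(Of String, String, Boolean)

    Public Sub New(validate As Func(Of String, String, Boolean))
        _validate = validate
    End Sub

    Public Function AfterReceiveRequest(ByRef request As Message, channel As IClientChannel, _
                                        instanceContext As InstanceContext) As Object _
        Implements IDispatchMessageInspector.AfterReceiveRequest
        Dim userIdx = request.Headers.FindHeader(CredentialHeader.UserHeader, CredentialHeader.Ns)
        Dim passIdx = request.Headers.FindHeader(CredentialHeader.PasswordHeader, CredentialHeader.Ns)
        If userIdx < 0 OrElse passIdx < 0 Then Throw New FaultException("Authentication failed.")
        Dim user = request.Headers.GetHeader(Of String)(userIdx)
        Dim pass = request.Headers.GetHeader(Of String)(passIdx)
        ' Same generic fault for an unknown name and a wrong password: no hint to the caller.
        If Not _validate(user, pass) Then Throw New FaultException("Authentication failed.")
        Return user
    End Function

    Public Sub BeforeSendReply(ByRef reply As Message, correlationState As Object) _
        Implements IDispatchMessageInspector.BeforeSendReply
    End Sub
End Class

' One behavior class serves both sides: credentials on the client, a validator on the service.
Public Class CredentialHeaderBehavior
    Implements IEndpointBehavior

    Private ReadOnly _user As String, _pass As String
    Private ReadOnly _validate As Func(Of String, String, Boolean)

    Public Sub New(user As String, pass As String)
        _user = user : _pass = pass
    End Sub

    Public Sub New(validate As Func(Of String, String, Boolean))
        _validate = validate
    End Sub

    Public Sub ApplyClientBehavior(endpoint As ServiceEndpoint, clientRuntime As ClientRuntime) _
        Implements IEndpointBehavior.ApplyClientBehavior
        clientRuntime.MessageInspectors.Add(New CredentialClientInspector(_user, _pass))
    End Sub

    Public Sub ApplyDispatchBehavior(endpoint As ServiceEndpoint, endpointDispatcher As EndpointDispatcher) _
        Implements IEndpointBehavior.ApplyDispatchBehavior
        endpointDispatcher.DispatchRuntime.MessageInspectors.Add(New CredentialDispatchInspector(_validate))
    End Sub

    Public Sub AddBindingParameters(endpoint As ServiceEndpoint, bindingParameters As BindingParameterCollection) _
        Implements IEndpointBehavior.AddBindingParameters
    End Sub

    Public Sub Validate(endpoint As ServiceEndpoint) Implements IEndpointBehavior.Validate
    End Sub
End Class
```

On the client, add `client.Endpoint.Behaviors.Add(New CredentialHeaderBehavior("foo", "bar"))` before the first call; on the service, add `host.Description.Endpoints(0).Behaviors.Add(New CredentialHeaderBehavior(AddressOf Membership.ValidateUser))` to reuse the MembershipProvider from the question's configuration (wrapping the behavior in a BehaviorExtensionElement lets it be wired from config instead, as the answer does). Note that this design sends the credentials with every call and validates them every time; it is simpler than the secure conversation in the question, not a session token that outlives a single request.
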
#2

1

While I hate to give an answer I'm not 100% certain of, the lack of responses so far makes me think a potentially correct answer might be okay in this case.

As far as I'm aware there isn't the kind of session token mechanism you're looking for out-of-the-box with WCF which means you're going to have to do some heavy lifting to get things working in the way you want. I should make it clear there is a session mechanism in WCF but it's focused on guaranteeing message orders and is not the ideal tool for creating an authentication session.

I just finished working on a project where we implemented our own session mechanism to handle all manner of legacy SOAP stacks, but I believe the recommended way to implement authenticated sessions is to use a Secure Token Service (STS) like Pablo Cibraro's.

If you want more details please shout, but I suspect Pablo's blog will have more than enough info for you to steam ahead.
