CustomAuthorizationPolicy.Evaluate()方法永远不会在wcf webhttpbinding中触发
我可以看到我创建了一个wcf服务:
[OperationContract] [PrincipalPermission(SecurityAction.Demand, Role = "Admin")] [WebInvoke(Method = "GET", UriTemplate = "/Data/{data}")] string GetData(string data); 所以我创建了一个自定义授权,你可以看到:
public class AuthorizationPolicy : IAuthorizationPolicy { string id = Guid.NewGuid().ToString(); public string Id { get { return this.id; } } public System.IdentityModel.Claims.ClaimSet Issuer { get { return System.IdentityModel.Claims.ClaimSet.System; } } // this method gets called after the authentication stage public bool Evaluate(EvaluationContext evaluationContext, ref object state) { // get the authenticated client identity IIdentity client = HttpContext.Current.User.Identity; // set the custom principal evaluationContext.Properties["Principal"] = new CustomPrincipal(client); return true; } } public class CustomPrincipal : IPrincipal { private IIdentity _identity; public IIdentity Identity { get { return _identity; } } public CustomPrincipal(IIdentity identity) { _identity = identity; } public bool IsInRole(string role) { //my code return true; // return Roles.IsUserInRole(role); } }
和身份validation:
public class RestAuthorizationManager: ServiceAuthorizationManager { protected override bool CheckAccessCore(OperationContext operationContext) { //Extract the Authorization header, and parse out the credentials converting the Base64 string: var authHeader = WebOperationContext.Current.IncomingRequest.Headers["Authorization"]; if ((authHeader != null) && (authHeader != string.Empty)) { var svcCredentials = System.Text.ASCIIEncoding.ASCII .GetString(Convert.FromBase64String(authHeader.Substring(6))) .Split(':'); var user = new { Name = svcCredentials[0], Password = svcCredentials[1] }; if ((user.Name == "1" && user.Password == "1")) { //here i get the role of my user from the database // return Admin role //User is authrized and originating call will proceed return true; } else { //not authorized return false; } } else { //No authorization header was provided, so challenge the client to provide before proceeding: WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"MyWCFService\""); //Throw an exception with the associated HTTP status code equivalent to HTTP status 401 throw new WebFaultException(HttpStatusCode.Unauthorized); } } }
所以我在我的IIS中创建和https托管,我上传服务,我的身份validation类正在运行,但我的授权没有。为什么?我在我的网络配置中定义我的身份validation,你可以看到。但我不知道怎么能我在我的网络配置中定义了我的授权。
我的意思是当我在客户端调用我的服务时。该服务不检查授权function。我应该在webconfig中定义我的自定义授权类但我不知道如何?
public bool IsInRole(string role) { //my code return true; // return Roles.IsUserInRole(role); }
您可能需要在web config文件中设置serviceCredentials :
以下是有关serviceCredentials更多信息的链接: https : //docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/servicecredentials
您可以在
在WCF文档中,为WCF服务实现自定义授权策略有一个很好的示例。
但是,在覆盖抽象AuthorizationManager基类的CheckAccess方法时要小心。 基类的方法在内部调用GetAuthorizationPolicies方法以检索所有IAuthorizationPolicy对象的集合(另请参阅此博客文章 )。
如果重写CheckAcces并且不调用父类的方法,则不会调用IAuthorizationPolicy对象的任何Evaluate方法。