【Question title】: Using PrincipalPermissionAttribute with Custom role provider
【Posted】: 2011-08-05 20:16:02
【Question】:

I am developing a new security infrastructure for my organization. Since we develop systems for internal use within the organization, I want to use Windows authentication, but for authorization we manage a separate Oracle database (for historical reasons). My idea is to use PrincipalPermissionAttribute, defining

AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal);

in Global::Application_Start and

  <system.web>
    <compilation debug="true" targetFramework="4.0" />
    <authorization>
      <deny users="?"/>
    </authorization>
    <roleManager defaultProvider="MyRoleProvider"
      enabled="true"
      cacheRolesInCookie="true"
      cookieName=".ASPROLES"
      cookieTimeout="30"
      cookiePath="/"
      cookieRequireSSL="false"
      cookieSlidingExpiration="true"
      cookieProtection="All" >
      <providers>
        <clear />
        <add
          name="MyRoleProvider"
          type="WcfServiceLibrary1.MyRoleProvider"
          connectionStringName="Service1"
          applicationName="InfraTest"
          writeExceptionsToEventLog="true" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpEndpointBinding">
          <security mode="TransportCredentialOnly">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfService1.Service1">
        <endpoint address="WcfAuthenticationTest" binding="basicHttpBinding"
          bindingConfiguration="BasicHttpEndpointBinding" name="BasicHttpEndpoint"
          contract="WcfService1.IService1">
          <identity>
            <dns value="localhost"/>
          </identity>
        </endpoint>
        <host>
          <baseAddresses>
            <add baseAddress="http://localhost/WcfAuthentication"/>
          </baseAddresses>
        </host>
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceAuthorization principalPermissionMode="UseAspNetRoles"/>
          <serviceMetadata httpGetEnabled="true"/>
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment multipleSiteBindingsEnabled="true" aspNetCompatibilityEnabled="true"/>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>

in my Web.config with my custom role provider, which should access the Oracle DB to check roles. But I can't get it to work. Is there a way to make PrincipalPermissionAttribute work this way, or is perhaps the whole concept wrong? I thought about implementing my own custom CodeAccessSecurityAttribute, but that isn't so simple, so I'd rather not do that. Does anyone know about this problem? I'd be glad to get some answers.

【Question discussion】:

    Tags: wcf-security roleprovider


    【Solution 1】:

    I recently learned two things. First, if all my concepts are correct, I can use PrincipalPermissionAttribute with a custom role provider; second, I was completely confused about the web.config tags. The <system.web> tag is for ASP.NET settings, while <system.serviceModel> is for WCF settings. So a small bit of configuration solved the whole problem. Here is the correct configuration:

    <?xml version="1.0"?>
    <configuration>
    
      <system.web>
        <compilation debug="true" defaultLanguage="c#" targetFramework="4.0" />
    
        <roleManager enabled="true" cacheRolesInCookie="true" cookieName=".ASPROLES"
          defaultProvider="MyRoleProvider">
          <providers>
            <clear />
            <add connectionStringName="Service1" applicationName="InfraTest"
              writeExceptionsToEventLog="false" name="MyRoleProvider" type="SecLib.MyRoleProvider" />
          </providers>
        </roleManager>
    
      </system.web>
      <system.serviceModel>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
        <bindings>
          <basicHttpBinding>
            <binding name="BasicHttpBindingConfiguration" closeTimeout="00:01:00"
              sendTimeout="00:10:00" maxBufferSize="524288" maxReceivedMessageSize="524288">
              <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" />
              </security>
            </binding>
          </basicHttpBinding>
        </bindings>
        <services>
          <service name="WcfRoleProviderTestService.Service1"
                   behaviorConfiguration="BasicHttpServiceBehavior" >
            <endpoint name="BasicHttpEndpoint"
                      contract="WcfRoleProviderTestService.IService1"
                      address="WcfAuthenticationTest"
                      binding="basicHttpBinding"
                      bindingConfiguration="BasicHttpBindingConfiguration" />
            <host>
              <baseAddresses>
                <add baseAddress="http://localhost/WcfRoleProviderTestService/" />
              </baseAddresses>
            </host>
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="BasicHttpServiceBehavior">
              <serviceAuthorization principalPermissionMode="UseAspNetRoles"
                roleProviderName="MyRoleProvider" impersonateCallerForAllOperations="true" />
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
            <behavior name="">
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
      </system.serviceModel>
     <system.webServer>
        <modules runAllManagedModulesForAllRequests="true"/>
      </system.webServer>
    </configuration>
    

    【Discussion】:
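To show how the pieces wired together by this configuration connect, here is an added example (not the poster's code) of the SecLib.MyRoleProvider type named in the roleManager section and a Service1 operation guarded by PrincipalPermissionAttribute. The user-to-role table is a constructed in-memory stand-in for the Oracle lookup, and the account names, role names and operation name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Permissions;
using System.ServiceModel;
using System.Web.Security;

namespace SecLib
{
    // WCF consults this provider when serviceAuthorization has principalPermissionMode="UseAspNetRoles" and
    // roleProviderName="MyRoleProvider": the principal WCF installs forwards IsInRole(role) to
    // IsUserInRole(identity.Name, role), so username arrives as the Windows account name (DOMAIN\user).
    public class MyRoleProvider : RoleProvider
    {
        // Constructed in-memory stand-in for the Oracle role table; accounts and roles are assumptions.
        private static readonly Dictionary<string, string[]> RolesByUser =
            new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
            { { @"CORP\jdoe", new[] { "Readers", "Admins" } }, { @"CORP\asmith", new[] { "Readers" } } };
        public override string ApplicationName { get; set; }
        public override string[] GetRolesForUser(string username)
        {
            string[] roles;   // unknown callers get an empty role set rather than an exception
            return RolesByUser.TryGetValue(username ?? "", out roles) ? roles : new string[0];
        }
        // Windows account and role names are not case-sensitive, so compare accordingly.
        public override bool IsUserInRole(string u, string r) { return GetRolesForUser(u).Contains(r, StringComparer.OrdinalIgnoreCase); }
        public override string[] GetAllRoles() { return RolesByUser.Values.SelectMany(v => v).Distinct().ToArray(); }
        public override bool RoleExists(string r) { return GetAllRoles().Contains(r, StringComparer.OrdinalIgnoreCase); }
        public override string[] GetUsersInRole(string r) { return RolesByUser.Where(k => k.Value.Contains(r)).Select(k => k.Key).ToArray(); }
        public override string[] FindUsersInRole(string r, string m) { return GetUsersInRole(r).Where(u => u.Contains(m)).ToArray(); }
        // Role administration stays in the database, so the provider is read-only.
        public override void CreateRole(string r) { throw new NotSupportedException(); }
        public override bool DeleteRole(string r, bool t) { throw new NotSupportedException(); }
        public override void AddUsersToRoles(string[] u, string[] r) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] u, string[] r) { throw new NotSupportedException(); }
    }
}

namespace WcfRoleProviderTestService
{
    [ServiceContract] public interface IService1 { [OperationContract] string WhoAmI(); }
    public class Service1 : IService1
    {
        // The Demand passes only if MyRoleProvider.IsUserInRole(caller, "Readers") returns true; otherwise
        // the method body is never entered and the client receives an access-denied fault.
        [PrincipalPermission(SecurityAction.Demand, Role = "Readers")]
        public string WhoAmI() { return ServiceSecurityContext.Current.WindowsIdentity.Name; }
    }
}
```

With the binding's clientCredentialType="Windows", the name passed to IsUserInRole is the authenticated Windows caller, which is why the provider never has to trust a username supplied in the message itself.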

      【Solution 2】:

      Unless you need impersonation, you don't need to include impersonateCallerForAllOperations="true".

      【Discussion】:

      • The problem is that I do need impersonation in order to check the client's permissions.