我已经启动并运行了WCF服务,并且能够使用basicHttpBinding在该服务和.Net 2.0客户端之间进行通信。
I have a WCF service up and running and am able to communicate between the service and a .Net 2.0 Client using basicHttpBinding.
我现在需要锁定WCF服务,以便它只能由经过身份验证的客户端调用。
I now need to lock down the WCF service so that it can only be called by authenticated clients.
我可以控制将调用我的服务的客户端。客户端是产品的一部分,该产品将被狂野安装并打电话回家以推送和提取数据。客户端应用程序是针对.Net 2.0框架编写的,目前无法升级到3.0或3.5。我无法将Windows用户帐户添加到客户端计算机。
I have control over the clients that will be calling my service. The clients are part of a product that will be installed in the wild and "phoning home" to push and pull data. The client app is written for .Net 2.0 framework and cannot be upgraded to 3.0 or 3.5 at this time. I cannot add windows user accounts to the client machines.
我有哪些保护WCF服务并能够从.Net 2.0客户端进行身份验证的选项?另外,数据也需要通过https传递。
What are my options for securing the WCF Service and being able to authenticate from my .Net 2.0 clients? Also, data needs to be passed over https.
我一直在网上搜索,感觉就像是在追赶鹅。
I've been searching the web, and feel like I'm on a wild goose chase.
推荐答案您可以将WCF端点配置为使用 2-way SSL身份验证。这意味着您可以要求客户端在请求服务时出示X.509证书,以确认其身份。 在服务器端,您可以使用一个证书。 WCF中的内置验证方案,或者提供您自己的验证逻辑来检查X.509证书。 如果您将服务托管在IIS中,则配置SSL以要求客户端很简单。 运输级别的证书。但是,您可以在此处找到有关如何在自托管WCF服务中实现此行为的良好指南:
You can configure a WCF endpoint to use 2-way SSL authentication. That means that you can require clients to present an X.509 certificate that confirms their identity whenever they make a request to the service. On the server side of things, you can use one of the built-in validation schemes in WCF or provide your own validation logic to check the X.509 certificate. If you were hosting your service in IIS, it would be trivial to configure SSL to require client certificates at the transport-level. However, you can find a good guide on how to implement this behaviour in a self-hosted WCF service here:
leastprivilege/2007/08/25/certificate-based-authentication-and -wcf-message-security /
我自己没有尝试过此操作,但是由于这在 message-level上创建了安全要求,我认为您将必须在您的WSDL合同中使用 wsHttpBinding 来实施它,因为对访问Web服务的安全要求是WS- *标准的一部分。
I haven't tried this myself but, since this creates a security requirement at the message-level, I think you will have to use wsHttpBinding to enforce it in your WSDL contract, since imposing security requirements to access a web service is part of the WS-* standards.
如果必须使用 basicHttpBinding ,则可以尝试以下解决方案,而不是在传输级别上进行升级:
If you have to use basicHttpBinding, you can try this solution instead that moves things up at the transport-level:
http://最小特权om / 2007/08/26 / certificate-based-authentication-and-wcf-mode-independent /
希望这会有所帮助
更多推荐
从.Net 2.0客户端调用WCF服务时如何配置安全性
发布评论