WCF Security

Both the server and the client install a certificate, and the two sides communicate with each other encrypted under those certificates.

Configure wsHttpBinding to use message-level username authentication. First, configure it to validate against the Windows account store.

Server-side configuration:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <services>
      <service name="Server.EchoClaims" behaviorConfiguration="echoClaimsBehavior">
        <endpoint address="EchoClaims"
                  binding="wsHttpBinding" bindingConfiguration="echoClaimsBinding"
                  contract="Server.IEchoClaims"></endpoint>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="echoClaimsBinding">
          <security mode="Message">
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="echoClaimsBehavior">
          <serviceCredentials>
            <serviceCertificate
              findValue="CN=WCFServer"
              storeLocation="LocalMachine"
              storeName="My"
              x509FindType="FindBySubjectDistinguishedName"/>

            <userNameAuthentication userNamePasswordValidationMode="Windows"/>

          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

</configuration>
Server-side WCF configuration file

Client-side configuration:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />
  </startup>
  <system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="WSHttpBinding_IEchoClaims">
          <security mode="Message">
            <message clientCredentialType="UserName" negotiateServiceCredential="true" />
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="echoClaimsBehavior">
          <clientCredentials>
            <serviceCertificate>
              <authentication certificateValidationMode="None" revocationMode="NoCheck"/>
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
    <client>
      <endpoint address="http://localhost:8000/EchoClaims" binding="wsHttpBinding"
                bindingConfiguration="WSHttpBinding_IEchoClaims" contract="EchoService.IEchoClaims"
                name="WSHttpBinding_IEchoClaims"
                behaviorConfiguration="echoClaimsBehavior">
        <identity>
          <certificate encodedValue="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" />
          <dns value="WCFServer"/>
        </identity>
      </endpoint>
    </client>
  </system.serviceModel>
</configuration>
Client configuration file, edited after adding the service reference
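The client configuration above disables service-certificate validation (certificateValidationMode="None", revocationMode="NoCheck"), which means the client will encrypt the username token to whatever certificate the negotiation hands it. The following is an added example, not code from the original post: it builds the same wsHttpBinding client in code and switches the weak setting for chain validation with online revocation checking. The contract IEchoClaims with an Echo operation is assumed (the page names the contract but shows no operations); the address, DNS identity and test credentials are the page's own.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace Client
{
    // Hypothetical contract: the page names Server.IEchoClaims but does not show its operations.
    [ServiceContract(Namespace = "http://example.invalid/echo")]
    public interface IEchoClaims
    {
        [OperationContract]
        string Echo(string text);
    }

    public static class HardenedClient
    {
        // Equivalent of the client app.config on the page, but with certificate
        // validation turned on instead of certificateValidationMode="None".
        public static ChannelFactory<IEchoClaims> CreateFactory(string user, string password)
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.NegotiateServiceCredential = true;

            // The service certificate must carry this DNS identity (CN=WCFServer on the page),
            // matching the <dns value="WCFServer"/> element of the config file.
            var address = new EndpointAddress(
                new Uri("http://localhost:8000/EchoClaims"),
                new DnsEndpointIdentity("WCFServer"));

            var factory = new ChannelFactory<IEchoClaims>(binding, address);

            X509ServiceCertificateAuthentication auth =
                factory.Credentials.ServiceCertificate.Authentication;
            // Weak (page's setting):  None / NoCheck -> any certificate is accepted.
            // Hardened: the certificate must chain to a trusted root, and revocation is checked.
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;

            // UserName token sent inside the SOAP message, encrypted to the validated service certificate.
            factory.Credentials.UserName.UserName = user;
            factory.Credentials.UserName.Password = password;
            return factory;
        }

        public static void Main()
        {
            // Same test credentials as the page's custom validator.
            using (ChannelFactory<IEchoClaims> factory = CreateFactory("joe", "bar"))
            {
                IEchoClaims proxy = factory.CreateChannel();
                Console.WriteLine(proxy.Echo("hello"));
                ((IClientChannel)proxy).Close();
            }
        }
    }
}
```

With a self-signed test certificate such as CN=WCFServer, ChainTrust fails because there is no trusted issuer; in that case put the certificate in the client's TrustedPeople store and use X509CertificateValidationMode.PeerTrust instead. Either way the client now refuses to release the password to a certificate it does not recognize, which the page's "None" setting does not guarantee.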

 

2. A custom membership provider as the identity store:
Any membership provider must derive from the System.Web.MembershipProvider base class and implement several of its methods in order to validate and manage the application's users. In WCF only the ValidateUser method is needed; it is used to validate the credentials.

using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;

namespace Server
{
    // Custom validator: WCF calls Validate once for every UserName token it receives.
    public class MyMembershipProvider : UserNamePasswordValidator
    {
        public override void Validate(string userName, string password)
        {
            // Returning normally accepts the credentials; throwing rejects them.
            if (userName != "joe" || password != "bar")
            {
                throw new SecurityTokenValidationException("The user could not be authenticated.");
            }
        }
    }
}
Custom user validation
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
  </startup>
  <system.serviceModel>
    <services>
      <service name="Server.EchoClaims" behaviorConfiguration="echoClaimsBehavior">
        <endpoint address="EchoClaims" binding="wsHttpBinding" bindingConfiguration="echoClaimsBinding" contract="Server.IEchoClaims"></endpoint>
      </service>
    </services>
    <bindings>
      <wsHttpBinding>
        <binding name="echoClaimsBinding">
          <security mode="Message">
            <message clientCredentialType="UserName" negotiateServiceCredential="true"/>
          </security>
        </binding>
      </wsHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="echoClaimsBehavior">
          <serviceCredentials>
            <serviceCertificate findValue="CN=WCFServer" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName"/>

            <userNameAuthentication userNamePasswordValidationMode="Custom"
                                    customUserNamePasswordValidatorType="Server.MyMembershipProvider, Server"/>

          </serviceCredentials>
          <serviceMetadata httpGetEnabled="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

</configuration>
Corresponding app.config
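The page's MyMembershipProvider compares a hard-coded plaintext password with ordinary string equality. The following is an added example, not the post's code: a drop-in UserNamePasswordValidator for the same customUserNamePasswordValidatorType slot that keeps only salted PBKDF2 hashes, derives a hash even for unknown users so the response time does not reveal whether an account exists, and compares in fixed time. The in-memory user store and the "joe"/"bar" entry are constructed for the example; a real deployment would load the records from a database.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;

namespace Server
{
    // Hardened replacement for MyMembershipProvider. Register it with
    // customUserNamePasswordValidatorType="Server.HashedPasswordValidator, Server".
    public class HashedPasswordValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000; // PBKDF2 work factor
        private const int SaltSize = 16;
        private const int HashSize = 32;

        // Constructed store: user name -> (salt, PBKDF2 hash). No plaintext password is kept.
        private readonly Dictionary<string, Tuple<byte[], byte[]>> _users =
            new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

        // Used when the user is unknown so the same amount of work is done either way.
        private readonly byte[] _dummySalt = new byte[SaltSize];
        private readonly byte[] _dummyHash = new byte[HashSize];

        public HashedPasswordValidator()
        {
            AddUser("joe", "bar"); // same test credentials as the page's validator
        }

        // Enrol a user: fresh random salt, hash stored instead of the password.
        public void AddUser(string userName, string password)
        {
            var salt = new byte[SaltSize];
            using (var rng = new RNGCryptoServiceProvider())
            {
                rng.GetBytes(salt);
            }
            _users[userName] = Tuple.Create(salt, Derive(password, salt));
        }

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
            {
                throw new ArgumentNullException();
            }

            Tuple<byte[], byte[]> record;
            bool known = _users.TryGetValue(userName, out record);
            byte[] salt = known ? record.Item1 : _dummySalt;
            byte[] expected = known ? record.Item2 : _dummyHash;

            byte[] actual = Derive(password, salt);

            // Reject with the same generic message for unknown user and wrong password.
            if (!known || !FixedTimeEquals(actual, expected))
            {
                throw new SecurityTokenValidationException("The user could not be authenticated.");
            }
        }

        private static byte[] Derive(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            {
                return kdf.GetBytes(HashSize);
            }
        }

        // Compares every byte regardless of where the first difference occurs.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length)
            {
                return false;
            }
            int diff = 0;
            for (int i = 0; i < a.Length; i++)
            {
                diff |= a[i] ^ b[i];
            }
            return diff == 0;
        }
    }
}
```

The project needs a reference to System.IdentityModel for UserNamePasswordValidator and SecurityTokenValidationException, exactly as the page's validator does. Because the validator is instantiated by WCF from the assembly-qualified name in app.config, it must keep a public parameterless constructor.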

 

8.3.2 Username authentication built on top of transport-layer security
