WCF wsHttpBinding and disabling anonymous access

-上瘾入骨i 2021-02-06 12:53

http://blogs.msdn.com/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

Can someone clarify whether it is possible to use wsHttpBinding in WCF and disable anon

2 answers
  • 2021-02-06 13:15

    We want to use Windows integrated security. If you disable anonymous access in IIS and allow just Windows, you cannot seem to use wsHttpBinding with WCF without using some security mode (e.g. transport security, which requires SSL).

    We only want to use Windows authentication; we don't necessarily want to use SSL for transport security.

    I was a little amazed this wasn't possible out of the box (as seemed to be confirmed by my link), as it would seem quite a common scenario for internal applications.

    We don't want to downgrade to basicHttpBinding, which would support Windows authentication only.

    0 Comments (0)
  • 2021-02-06 13:30

    You are right; AFAIK, in the scenario you describe wsHttpBinding requires us to use the internal WCF security stack. So what you would typically do is:

    • leave anonymous access enabled
    • create a serviceBehavior with <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
    • annotate every concrete implementation of a service method using the PrincipalPermissionAttribute, which is quite a powerful tool with many different options to control access

    Would that be an acceptable solution for you or are there any other things to consider?

    Basic Example:

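    using System.Security.Permissions; // PrincipalPermission, SecurityAction
    using System.Threading;            // Thread.CurrentPrincipal

    public class TestService : ITestService
    {
      // Only the named Windows account may call this operation; any other
      // caller fails the demand before the method body runs.
      [PrincipalPermission(SecurityAction.Demand, Name = "testdomain\\administrator")]
      public string DoWork()
      {
        // With principalPermissionMode="UseWindowsGroups", WCF sets the
        // thread principal to the authenticated Windows caller.
        return "Hello World " + Thread.CurrentPrincipal.Identity.Name;
      }
    }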
    
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="WcfSecurity.Www.TestServiceBehavior">
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="false" />
              <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <services>
          <service behaviorConfiguration="WcfSecurity.Www.TestServiceBehavior" name="WcfSecurity.Www.TestService">
            <endpoint address="" binding="wsHttpBinding" contract="WcfSecurity.Www.ITestService" />
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>    
      </system.serviceModel>
    
    0 Comments (0)
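
The approach from the answer above, as an added example that is not part of the original thread: a self-hosted wsHttpBinding service where WCF message security authenticates the Windows caller (no IIS authentication, no SSL) and PrincipalPermission role demands decide access per operation. It assumes .NET Framework on Windows and permission to listen on the constructed address `http://localhost:8080/reports`; `IReportService`, `ReportService` and the group `EXAMPLE\ReportAdmins` are hypothetical names.

```csharp
using System;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService // hypothetical contract for this example
{
    [OperationContract] string Read();
    [OperationContract] string Delete();
}

public class ReportService : IReportService
{
    // Role demand: any caller whose Windows token contains BUILTIN\Users.
    [PrincipalPermission(SecurityAction.Demand, Role = @"BUILTIN\Users")]
    public string Read()
    {
        return "read by " + ServiceSecurityContext.Current.WindowsIdentity.Name;
    }

    // EXAMPLE\ReportAdmins is a placeholder group the demo caller is not in.
    [PrincipalPermission(SecurityAction.Demand, Role = @"EXAMPLE\ReportAdmins")]
    public string Delete() { return "deleted"; }
}

public static class Program
{
    public static void Main()
    {
        var address = new Uri("http://localhost:8080/reports"); // constructed address
        // Spell out the wsHttpBinding defaults: message security, Windows credentials.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

        var host = new ServiceHost(typeof(ReportService), address);
        host.AddServiceEndpoint(typeof(IReportService), binding, "");
        // Same setting as <serviceAuthorization principalPermissionMode="UseWindowsGroups" />.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        host.Open();
        var factory = new ChannelFactory<IReportService>(binding, new EndpointAddress(address));
        var client = factory.CreateChannel();
        Console.WriteLine(client.Read());
        try { Console.WriteLine(client.Delete()); }
        catch (SecurityAccessDeniedException) { Console.WriteLine("Delete: access denied"); }
        factory.Abort(); // demo teardown; Abort never throws
        host.Abort();
    }
}
```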