
WCF over net.tcp with token authentication, claims lost between TokenHandler and AuthorisationManager

Reposted. Author: 行者123. Updated: 2023-12-02 04:57:32

We are using a custom binding in WCF to authenticate with a security token (SAML). We are finding that we get to the server side and see the TokenHandler (derived from Saml11SecurityTokenHandler) process and authorise the token correctly and then return a new ClaimsIdentity.

However, when processing subsequently calls AuthorisationManager.CheckAccessCore (derived from IdentityModelServiceAuthorizationManager), operationContext.ServiceSecurityContext.PrimaryIdentity is a GenericIdentity with nothing populated.

We have an http binding implementation which is very similar and works fine: we can see the token being validated and the ClaimsIdentity returned, and we then observe the AuthorisationManager process that same identity and let the caller through.

The netTcp binding is a code-based binding, as follows:

    // Namespaces assumed for this code: WIF 3.5 (Microsoft.IdentityModel.Tokens) supplies
    // SecurityTokenTypes.OasisWssSaml11TokenProfile11; on .NET 4.5 the same member lives in
    // System.IdentityModel.Tokens.
    using System;
    using System.ServiceModel;
    using System.ServiceModel.Channels;
    using System.ServiceModel.Security;
    using System.ServiceModel.Security.Tokens;
    using Microsoft.IdentityModel.Tokens;

    /// <summary>
    /// NetTcp binding that supports a Saml token being passed
    /// </summary>
    public class SamlNetTcpBinding : CustomBinding
    {
        private readonly TcpTransportBindingElement _transportBindingElement;
        private readonly BinaryMessageEncodingBindingElement _encodingBindingElement;

        /// <summary>
        /// Initializes a new instance of the <see cref="SamlNetTcpBinding"/> class.
        /// </summary>
        public SamlNetTcpBinding()
        {
            IssuerAddress = "http://www.myIssuerAddress.com/";

            _transportBindingElement = new TcpTransportBindingElement()
            {
                TransferMode = TransferMode.Streamed, PortSharingEnabled = true
            };
            _encodingBindingElement = new BinaryMessageEncodingBindingElement();
        }

        /// <summary>
        /// Returns a generic collection of the binding elements from the custom binding.
        /// </summary>
        /// <returns>
        /// An <see cref="T:System.Collections.Generic.ICollection`1" /> object of type <see cref="T:System.ServiceModel.Channels.BindingElement" /> that contains the binding elements from the custom binding.
        /// </returns>
        public override BindingElementCollection CreateBindingElements()
        {
            // Order matters for WCF: transaction flow, message security, stream (TLS) security,
            // encoding, and finally the transport.
            return new BindingElementCollection()
            {
                new TransactionFlowBindingElement(TransactionProtocol.WSAtomicTransactionOctober2004),
                CreateSecurityBindingElement(),
                new SslStreamSecurityBindingElement(),
                _encodingBindingElement,
                _transportBindingElement
            };
        }

        /// <summary>
        /// Provide definition for the scheme.
        /// </summary>
        /// <returns>The URI scheme for transport used by the custom binding; or an empty string if there is no transport (<see cref="T:System.ServiceModel.Channels.TransportBindingElement" /> is null).</returns>
        public override String Scheme
        {
            get { return "net.tcp"; }
        }

        /// <summary>
        /// Gets or sets the issuer address.
        /// </summary>
        /// <value>
        /// The issuer address.
        /// </value>
        public string IssuerAddress { get; set; }

        /// <summary>
        /// Builds the issued-token-over-transport security element, with the client's X.509
        /// certificate attached as an endorsing supporting token.
        /// </summary>
        /// <returns>A security Binding element</returns>
        private SecurityBindingElement CreateSecurityBindingElement()
        {
            var protectionParameters = new X509SecurityTokenParameters(
                X509KeyIdentifierClauseType.Thumbprint, SecurityTokenInclusionMode.AlwaysToRecipient);

            // Configure token issuance parameters.
            // Note: BasicHttpBinding has no transport security by default; a bearer token should only
            // be requested from the issuer over a secured binding, otherwise it can be captured in transit.
            var parameters = new IssuedSecurityTokenParameters(
                SecurityTokenTypes.OasisWssSaml11TokenProfile11,
                new EndpointAddress(IssuerAddress),
                new BasicHttpBinding())
            {
                KeyType = System.IdentityModel.Tokens.SecurityKeyType.BearerKey,
                InclusionMode = SecurityTokenInclusionMode.AlwaysToRecipient
            };

            var element = SecurityBindingElement.CreateIssuedTokenOverTransportBindingElement(parameters);
            element.MessageSecurityVersion = MessageSecurityVersion.WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10;
            // The client certificate becomes a second identity on the server (see the answer below).
            element.EndpointSupportingTokenParameters.Endorsing.Add(protectionParameters);

            return element;
        }
    }

Any thoughts or suggestions are much appreciated. Because the .net pipeline handles so much of the orchestration, it is hard to pinpoint where the identity is lost. I am fairly confident that System.ServiceModel is losing it somewhere; what is unclear is why the net.tcp transport causes this while http does not.

Thanks

Best answer

(For readers' information: I know Chubby Ass and we have discussed this offline, including sharing some additional code, but I am posting here what I can so that it may help anyone else who runs into the same problem.)

ServiceSecurityContext.PrimaryIdentity will only return the ClaimsIdentity if it is the only one in scope. If more than one identity is present, it cannot tell which is the primary one, so it returns a generic identity.

In your scenario you have two identities in the context: your claims identity from the SAML token, and one representing the client certificate attached by the caller, which net.tcp needs for authentication purposes but basicHttp does not. To get access to the ClaimsIdentity you need to update your ClaimsServiceAuthorisationManager as follows:

    // securityContext is operationContext.ServiceSecurityContext inside CheckAccessCore.
    var identity = securityContext.PrimaryIdentity as IClaimsIdentity;
    if (identity == null)
    {
        // If there is more than one identity (for example a client certificate as well), PrimaryIdentity
        // is a GenericIdentity, so the cast above yields null. WIF still stores the ClaimsPrincipal
        // under the "Principal" key of the AuthorizationContext.
        if (securityContext.AuthorizationContext.Properties.ContainsKey("Principal"))
        {
            var principal = securityContext.AuthorizationContext.Properties["Principal"] as IClaimsPrincipal;
            if (principal != null)
            {
                identity = principal.Identity as IClaimsIdentity;
            }
        }

        if (identity == null)
        {
            throw new InvalidOperationException("PrimaryIdentity identity is not an IClaimsIdentity");
        }
    }

Regarding "WCF over net.tcp with token authentication, claims lost between TokenHandler and AuthorisationManager", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/17726480/
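How the answer's fallback fits into a complete CheckAccessCore, as an added example that is not part of the original question or answer. It assumes WIF 3.5 namespaces (Microsoft.IdentityModel; the IdentityModelServiceAuthorizationManager base class is assumed to live in Microsoft.IdentityModel.Configuration, and on .NET 4.5 the equivalents are under System.IdentityModel and System.Security.Claims). The class name, the required role value and the helper names are illustrative. It goes one step beyond the answer by adding a diagnostic that enumerates the WCF claim sets, which makes visible that the certificate identity is sitting alongside the SAML identity rather than the token having been dropped.

```csharp
// Added example, not the poster's or the answerer's code. Namespaces as in WIF 3.5;
// IdentityModelServiceAuthorizationManager's namespace below is an assumption.
using System;
using System.Collections.Generic;
using System.Linq;
using System.ServiceModel;
using System.IdentityModel.Claims;                // WCF ClaimSet, X509CertificateClaimSet, Rights
using Microsoft.IdentityModel.Claims;             // IClaimsIdentity, IClaimsPrincipal
using Microsoft.IdentityModel.Configuration;      // IdentityModelServiceAuthorizationManager (assumed)
using WcfAuthorizationContext = System.IdentityModel.Policy.AuthorizationContext;
using WifClaimTypes = Microsoft.IdentityModel.Claims.ClaimTypes;

public class ClaimsServiceAuthorisationManager : IdentityModelServiceAuthorizationManager
{
    // Role the SAML token must carry for the call to be authorised (illustrative value).
    private const string RequiredRole = "ServiceUser";

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // Let WIF's own check run first (it applies the configured ClaimsAuthorizationManager);
        // a deny from it must stay a deny.
        if (!base.CheckAccessCore(operationContext))
        {
            return false;
        }

        var identity = ResolveClaimsIdentity(operationContext.ServiceSecurityContext);
        if (identity == null)
        {
            // Fail closed: a bare GenericIdentity or a missing principal is never authorised,
            // and the presence of the endorsing client certificate is not by itself authorisation.
            return false;
        }

        return identity.Claims.Any(c =>
            c.ClaimType == WifClaimTypes.Role &&
            string.Equals(c.Value, RequiredRole, StringComparison.Ordinal));
    }

    // Returns the SAML-derived identity whether or not it is the only identity in scope.
    public static IClaimsIdentity ResolveClaimsIdentity(ServiceSecurityContext securityContext)
    {
        // Single identity (the basicHttp case): WCF exposes it directly.
        var identity = securityContext.PrimaryIdentity as IClaimsIdentity;
        if (identity != null)
        {
            return identity;
        }

        // Two identities (net.tcp with an endorsing client certificate): PrimaryIdentity is a
        // GenericIdentity, but WIF still stores the ClaimsPrincipal under the "Principal" key.
        var authContext = securityContext.AuthorizationContext;
        object principalObject;
        if (authContext != null && authContext.Properties.TryGetValue("Principal", out principalObject))
        {
            var principal = principalObject as IClaimsPrincipal;
            if (principal != null)
            {
                return principal.Identity as IClaimsIdentity;
            }
        }

        return null;
    }

    // Diagnostic for the "where did the identity go" question: one line per claim set WCF built.
    // On net.tcp with the binding from the question you should see an X509 certificate claim set
    // (with its thumbprint) next to the claim set produced by the SAML token handler.
    public static IEnumerable<string> DescribeClaimSets(WcfAuthorizationContext authContext)
    {
        foreach (ClaimSet claimSet in authContext.ClaimSets)
        {
            string kind = claimSet is X509CertificateClaimSet ? "X509 certificate" : claimSet.GetType().Name;
            string thumbprint = claimSet
                .FindClaims(System.IdentityModel.Claims.ClaimTypes.Thumbprint, Rights.PossessProperty)
                .Select(c => BitConverter.ToString((byte[])c.Resource).Replace("-", string.Empty))
                .FirstOrDefault();
            yield return thumbprint == null ? kind : kind + " " + thumbprint;
        }
    }
}
```

DescribeClaimSets is meant to be called from a trace or log line inside CheckAccessCore with operationContext.ServiceSecurityContext.AuthorizationContext; it is read-only and makes no authorisation decision. The decision itself is taken only on the claims of the resolved IClaimsIdentity, so swapping the net.tcp binding for the http one changes how the identity is located but not what is required to pass.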
