Different Endpoint Services

Situation

We use several types of security for some WCF services: ClientCertificate, UserName and Password, and Anonymous.

We have 2 ServiceBehaviorConfigurations, one for httpBinding and one for wsHttpBinding (we have custom authorization policies for claims-based security). As a requirement, we need different endpoints for each service: 3 endpoints with httpBinding and 1 with wsHttpBinding.

Example for one service:

  • basicHttpBinding: Anonymous
  • basicHttpBinding: UserNameAndPassword
  • basicHttpBinding: BasicSsl
  • wsHttpBinding: BasicSsl

Note: we are working on .NET 3.5

Problem

Part 1: We cannot specify the same service twice, once with the http service configuration and once with the wsHttp service configuration.

Part 2: We cannot specify the behavior of the service on the endpoint. (It throws an exception: no endpoint behavior was found ... a service behavior cannot be set as an endpoint behavior.)

Configuration

For part 1:

    <services>
      <service name="Namespace.MyService" behaviorConfiguration="securityBehavior">
        <endpoint address="http://server:94/MyService.svc/Anonymous"
                  contract="Namespace.IMyService"
                  binding="basicHttpBinding"
                  bindingConfiguration="Anonymous">
        </endpoint>
        <endpoint address="http://server:94/MyService.svc/UserNameAndPassword"
                  contract="Namespace.IMyService"
                  binding="basicHttpBinding"
                  bindingConfiguration="UserNameAndPassword">
        </endpoint>
        <endpoint address="https://server/MyService.svc/BasicSsl"
                  contract="Namespace.IMyService"
                  binding="basicHttpBinding"
                  bindingConfiguration="BasicSecured">
        </endpoint>
      </service>
      <service name="Namespace.MyService" behaviorConfiguration="wsHttpCertificateBehavior">
        <endpoint address="https://server/MyService.svc/ClientCert"
                  contract="Namespace.IMyService"
                  binding="wsHttpBinding"
                  bindingConfiguration="ClientCert"/>
      </service>
    </services>

Service Behavior Configuration:

    <serviceBehaviors>
      <behavior name="securityBehavior">
        <serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
          <authorizationPolicies>
            <add policyType="Namespace.AdamAuthorizationManager,Assembly" />
          </authorizationPolicies>
        </serviceAuthorization>
      </behavior>
      <behavior name="wsHttpCertificateBehavior">
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true"/>
        <serviceAuthorization serviceAuthorizationManagerType="Namespace.AdamAuthorizationManager,Assembly">
          <authorizationPolicies>
            <add policyType="Namespace.AdamAuthorizationManager,Assembly" />
          </authorizationPolicies>
        </serviceAuthorization>
        <serviceCredentials>
          <clientCertificate>
            <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck"/>
          </clientCertificate>
          <serviceCertificate findValue="CN=CertSubject"/>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>

How can we specify a different service behavior on the wsHttpBinding endpoint? Or how can we apply our authorization policy differently for wsHttpBinding than for basicHttpBinding? We would use an endpoint behavior, but we cannot point our authorization policy at an endpoint behavior.

1 answer

Authorization is the responsibility of the service level; you cannot change it per endpoint.

At a high level you should:

  • Define endpoint bindings to use the various security configurations you need (what you did)
  • Create a custom ClaimsAuthenticationManager to assign claims based on the different identities that will be presented over the different bindings.

Conceptually, the ClaimsAuthenticationManager acts as an "in-process STS", adding claims based on the different credentials. From there you perform authorization in your service.

I am not aware of any existing custom authorization manager that does what you want; you will want to write your own (if you prove me wrong, post what you find).

ClaimsAuthenticationManager requires the Windows Identity Framework to implement. The following is a summary of the .NET 4.0 implementation that I used (this might be easier in 4.5). I apologize that the code does not compile and is not complete, but I do not have time to sanitize everything for a public post. This should point you in the right direction.

Inherit from Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager and implement Authenticate(). It should look something like this:

    using System;
    using System.Linq;
    using System.Security.Principal;
    using Microsoft.IdentityModel.Claims;

    namespace MyWCF.ClaimsInjection
    {
        // Registered via <microsoft.identityModel><service><claimsAuthenticationManager type="..."/>;
        // the type attribute must carry this namespace-qualified class name.
        public class ClaimsAuthenticationManager : Microsoft.IdentityModel.Claims.ClaimsAuthenticationManager
        {
            public override IClaimsPrincipal Authenticate(string resourceName, IClaimsPrincipal incomingPrincipal)
            {
                if (incomingPrincipal == null)
                {
                    throw new ArgumentNullException("incomingPrincipal", "ClaimInjectionClaimsAuthenticationManager requires a principal.");
                }

                IClaimsPrincipal resultPrincipal = base.Authenticate(resourceName, incomingPrincipal);

                foreach (IIdentity identity in resultPrincipal.Identities)
                {
                    if (identity is ClaimsIdentity)
                    {
                        // Add claims based on the client certificate here...
                        ClaimsIdentity claimsIdentity = (ClaimsIdentity)identity;
                        // FirstOrDefault: identities authenticated without a certificate carry no thumbprint claim.
                        Claim identityClaim = claimsIdentity.Claims.FirstOrDefault(c => c.ClaimType == ClaimTypes.Thumbprint);
                        if (identityClaim != null)
                        {
                            claimsIdentity.Claims.Add(new Claim("MyType", "Myvalue"));
                        }
                    }
                    else if (identity is WindowsClaimsIdentity)
                    {
                        // Add claims based on Windows group or account here...
                    }
                    // continue checking other identity types...
                }

                return resultPrincipal;
            }
        }
    }

Now just register the manager in the configuration (only the interesting parts are included):

    <configuration>
      <configSections>
        <section name="microsoft.identityModel"
                 type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <system.serviceModel>
        <behaviors>
          <serviceBehaviors>
            <behavior name="serviceBehavior">
              <federatedServiceHostConfiguration />
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <extensions>
          <behaviorExtensions>
            <add name="federatedServiceHostConfiguration"
                 type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </behaviorExtensions>
        </extensions>
      </system.serviceModel>
      <microsoft.identityModel>
        <service>
          <!-- type must match the namespace-qualified class name above -->
          <claimsAuthenticationManager type="MyWCF.ClaimsInjection.ClaimsAuthenticationManager, MyWCF"/>
        </service>
      </microsoft.identityModel>
    </configuration>
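As an added example (not code from the question or from the answer): a plain System.ServiceModel.ServiceAuthorizationManager that is registered once at service level, as the answer says it must be, but still applies a different rule per endpoint by looking at the local address the request arrived on and the claims the endpoint's binding established. The relative address names are taken from the question's configuration; the operation name GetPublicStatus and the class name are constructed for the example.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.ServiceModel;

namespace Namespace // hypothetical; mirrors the questioner's placeholder namespace
{
    public class EndpointAwareAuthorizationManager : ServiceAuthorizationManager
    {
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            // Local address the message arrived on, e.g. .../MyService.svc/ClientCert
            Uri local = operationContext.EndpointDispatcher.EndpointAddress.Uri;
            string endpointName = local.Segments[local.Segments.Length - 1].TrimEnd('/');
            string action = operationContext.IncomingMessageHeaders.Action ?? string.Empty;
            AuthorizationContext auth = operationContext.ServiceSecurityContext.AuthorizationContext;

            switch (endpointName)
            {
                case "Anonymous":
                    // Unauthenticated endpoint: permit only a read-only operation (constructed name).
                    return action.EndsWith("/GetPublicStatus", StringComparison.Ordinal);
                case "UserNameAndPassword":
                    // The UserName credential yields a Name identity claim once validated.
                    return HasClaim(auth, ClaimTypes.Name, Rights.Identity);
                case "BasicSsl":
                case "ClientCert":
                    // Certificate endpoints: require the thumbprint claim the X.509 credential produced.
                    return HasClaim(auth, ClaimTypes.Thumbprint, Rights.PossessProperty);
                default:
                    return false; // fail closed for any address not explicitly configured
            }
        }

        private static bool HasClaim(AuthorizationContext auth, string claimType, string right)
        {
            foreach (ClaimSet set in auth.ClaimSets)
            {
                foreach (Claim claim in set.FindClaims(claimType, right))
                {
                    if (claim != null) return true;
                }
            }
            return false;
        }
    }
}
```

Register it with serviceAuthorizationManagerType in the service behavior's serviceAuthorization element, the same place the question's configuration already names its manager.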

Source: https://habr.com/ru/post/924704/
