如何:建立自定義用戶端身分識別驗證器
Windows Communication Foundation (WCF) 的 身分識別 功能可讓用戶端事先指定服務的預期身分識別。 每當伺服器向客戶端驗證自己時,便會確認其是否符合預期的身分識別。 (如需身分識別及其運作方式的說明,請參閱 服務身分識別和驗證。
如有需要,可以使用自定義身分識別驗證器進行自定義驗證。 例如,您可以執行其他服務身分識別驗證檢查。 在此範例中,自定義身分識別驗證程式會檢查從伺服器傳回之 X.509 憑證中的其他宣告。 如需範例應用程式,請參閱 服務識別範例。
擴充 EndpointIdentity 類別
定義衍生自 EndpointIdentity 類別的新類別。 這個範例會將延伸名命名為
OrgEndpointIdentity。新增私人成員及屬性,這些將由擴充的 IdentityVerifier 類別用來針對從服務返回的安全性令牌中的宣告進行身分識別檢查。 此範例會定義一個屬性:
OrganizationClaim屬性。public class OrgEndpointIdentity : EndpointIdentity { private string orgClaim; public OrgEndpointIdentity(string orgName) { orgClaim = orgName; } public string OrganizationClaim { get { return orgClaim; } set { orgClaim = value; } } }Public Class OrgEndpointIdentity Inherits EndpointIdentity Private orgClaim As String Public Sub New(ByVal orgName As String) orgClaim = orgName End Sub Public Property OrganizationClaim() As String Get Return orgClaim End Get Set(ByVal value As String) orgClaim = value End Set End Property End Class
擴充 IdentityVerifier 類別
定義衍生自 IdentityVerifier的新類別。 這個範例將該擴充功能命名為
CustomIdentityVerifier。public class CustomIdentityVerifier : IdentityVerifier { // Code to be added. public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { throw new Exception("The method or operation is not implemented."); } public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity) { throw new Exception("The method or operation is not implemented."); } }Public Class CustomIdentityVerifier Inherits IdentityVerifier ' Code to be added. Public Overrides Function CheckAccess(ByVal identity As EndpointIdentity, _ ByVal authContext As AuthorizationContext) As Boolean Throw New Exception("The method or operation is not implemented.") End Function Public Overrides Function TryGetIdentity(ByVal reference As EndpointAddress, _ <System.Runtime.InteropServices.Out()> ByRef identity As EndpointIdentity) As Boolean Throw New Exception("The method or operation is not implemented.") End Function End Class覆寫 CheckAccess 方法。 方法會判斷身分識別檢查是否成功或失敗。
方法
CheckAccess有兩個參數。 第一個是 類別的 EndpointIdentity 實例。 第二個是 類別的 AuthorizationContext 實例。在方法實作中,檢查 AuthorizationContext 類別的 ClaimSets 屬性所傳回的宣告集合,並根據需要進行驗證檢查。 此範例會從尋找類型為 「Distinguished Name」 的任何宣告開始,然後將名稱與 (
OrgEndpointIdentity) 的EndpointIdentity延伸模組進行比較。public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext) { bool returnvalue = false; foreach (ClaimSet claimset in authContext.ClaimSets) { foreach (Claim claim in claimset) { if (claim.ClaimType == "http://schemas.microsoft.com/ws/2005/05/identity/claims/x500distinguishedname") { X500DistinguishedName name = (X500DistinguishedName)claim.Resource; if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim)) { Console.WriteLine($"Claim Type: {claim.ClaimType}"); Console.WriteLine($"Right: {claim.Right}"); Console.WriteLine($"Resource: {claim.Resource}"); Console.WriteLine(); returnvalue = true; } } } } return returnvalue; }Public Overrides Function CheckAccess(ByVal identity As EndpointIdentity, _ ByVal authContext As AuthorizationContext) As Boolean Dim returnvalue = False For Each claimset In authContext.ClaimSets For Each claim In claimset If claim.ClaimType = "http://schemas.microsoft.com/ws/2005/05/identity/claims/x500distinguishedname" Then Dim name = CType(claim.Resource, X500DistinguishedName) If name.Name.Contains((CType(identity, OrgEndpointIdentity)).OrganizationClaim) Then Console.WriteLine("Claim Type: {0}", claim.ClaimType) Console.WriteLine("Right: {0}", claim.Right) Console.WriteLine("Resource: {0}", claim.Resource) Console.WriteLine() returnvalue = True End If End If Next claim Next claimset Return returnvalue End Function
實作 TryGetIdentity 方法
實作 TryGetIdentity 方法,這個方法會判斷用戶端是否可以傳回 類別的 EndpointIdentity 實例。 WCF 基礎結構會先呼叫
TryGetIdentity方法的實作,以從訊息中擷取服務的身份。 接下來,基礎結構會使用與傳回的EndpointIdentity和AuthorizationContext呼叫CheckAccess實作。在
TryGetIdentity方法中,放置下列程式碼:public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity) { return IdentityVerifier.CreateDefault().TryGetIdentity(reference, out identity); }Public Overrides Function TryGetIdentity(ByVal reference As EndpointAddress, _ <System.Runtime.InteropServices.Out()> ByRef identity As EndpointIdentity) As Boolean Return IdentityVerifier.CreateDefault().TryGetIdentity(reference, identity) End Function
實作自定義系結並設定自定義身分驗證器
建立傳回 Binding 物件的方法。 這個範例會建立WSHttpBinding類別的實體,並將其安全性模式設定為Message,將ClientCredentialType設定為None。
從集合中取回SecurityBindingElement,並將它轉換為SymmetricSecurityBindingElement型別的變數。
將 IdentityVerifier 類別的 LocalClientSecuritySettings 屬性設定為先前建立之
CustomIdentityVerifier類別的新實例。public static Binding CreateCustomSecurityBinding() { WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message); //Clients are anonymous to the service. binding.Security.Message.ClientCredentialType = MessageCredentialType.None; //Secure conversation is turned off for simplification. If secure conversation is turned on, then //you also need to set the IdentityVerifier on the secureconversation bootstrap binding. binding.Security.Message.EstablishSecurityContext = false; // Get the SecurityBindingElement and cast to a SymmetricSecurityBindingElement to set the IdentityVerifier. BindingElementCollection outputBec = binding.CreateBindingElements(); SymmetricSecurityBindingElement ssbe = (SymmetricSecurityBindingElement)outputBec.Find<SecurityBindingElement>(); //Set the Custom IdentityVerifier. ssbe.LocalClientSettings.IdentityVerifier = new CustomIdentityVerifier(); return new CustomBinding(outputBec); }Public Shared Function CreateCustomSecurityBinding() As Binding Dim binding As New WSHttpBinding(SecurityMode.Message) With binding.Security.Message 'Clients are anonymous to the service. .ClientCredentialType = MessageCredentialType.None 'Secure conversation is turned off for simplification. If secure conversation is turned on, then 'you also need to set the IdentityVerifier on the secureconversation bootstrap binding. .EstablishSecurityContext = False End With ' Get the SecurityBindingElement and cast to a SymmetricSecurityBindingElement to set the IdentityVerifier. Dim outputBec = binding.CreateBindingElements() Dim ssbe = CType(outputBec.Find(Of SecurityBindingElement)(), SymmetricSecurityBindingElement) 'Set the Custom IdentityVerifier. ssbe.LocalClientSettings.IdentityVerifier = New CustomIdentityVerifier() Return New CustomBinding(outputBec) End Function傳回的自定義系結是用來建立客戶端和類別的實例。 然後,用戶端可以執行服務的自定義身分識別驗證檢查,如下列程式代碼所示。
using (CalculatorClient client = new CalculatorClient(customSecurityBinding, serviceAddress)) {Using client As New CalculatorClient(customSecurityBinding, serviceAddress)
範例 1
下列範例展示了IdentityVerifier類別的完整實作。
class CustomIdentityVerifier : IdentityVerifier
{
public override bool CheckAccess(EndpointIdentity identity, AuthorizationContext authContext)
{
bool returnvalue = false;
foreach (ClaimSet claimset in authContext.ClaimSets)
{
foreach (Claim claim in claimset)
{
if (claim.ClaimType == "http://schemas.microsoft.com/ws/2005/05/identity/claims/x500distinguishedname")
{
X500DistinguishedName name = (X500DistinguishedName)claim.Resource;
if (name.Name.Contains(((OrgEndpointIdentity)identity).OrganizationClaim))
{
Console.WriteLine($"Claim Type: {claim.ClaimType}");
Console.WriteLine($"Right: {claim.Right}");
Console.WriteLine($"Resource: {claim.Resource}");
Console.WriteLine();
returnvalue = true;
}
}
}
}
return returnvalue;
}
public override bool TryGetIdentity(EndpointAddress reference, out EndpointIdentity identity)
{
return IdentityVerifier.CreateDefault().TryGetIdentity(reference, out identity);
}
}
Friend Class CustomIdentityVerifier
Inherits IdentityVerifier
Public Overrides Function CheckAccess(ByVal identity As EndpointIdentity, _
ByVal authContext As AuthorizationContext) As Boolean
Dim returnvalue = False
For Each claimset In authContext.ClaimSets
For Each claim In claimset
If claim.ClaimType = "http://schemas.microsoft.com/ws/2005/05/identity/claims/x500distinguishedname" Then
Dim name = CType(claim.Resource, X500DistinguishedName)
If name.Name.Contains((CType(identity, OrgEndpointIdentity)).OrganizationClaim) Then
Console.WriteLine("Claim Type: {0}", claim.ClaimType)
Console.WriteLine("Right: {0}", claim.Right)
Console.WriteLine("Resource: {0}", claim.Resource)
Console.WriteLine()
returnvalue = True
End If
End If
Next claim
Next claimset
Return returnvalue
End Function
Public Overrides Function TryGetIdentity(ByVal reference As EndpointAddress, _
<System.Runtime.InteropServices.Out()> ByRef identity As EndpointIdentity) As Boolean
Return IdentityVerifier.CreateDefault().TryGetIdentity(reference, identity)
End Function
End Class
範例 2
下列範例示範 類別的完整實作 EndpointIdentity 。
public class OrgEndpointIdentity : EndpointIdentity
{
private string orgClaim;
public OrgEndpointIdentity(string orgName)
{
orgClaim = orgName;
}
public string OrganizationClaim
{
get { return orgClaim; }
set { orgClaim = value; }
}
}
Public Class OrgEndpointIdentity
Inherits EndpointIdentity
Private orgClaim As String
Public Sub New(ByVal orgName As String)
orgClaim = orgName
End Sub
Public Property OrganizationClaim() As String
Get
Return orgClaim
End Get
Set(ByVal value As String)
orgClaim = value
End Set
End Property
End Class