An article explaining how to set up WCF impersonation, written in a clear, easy-to-follow way.
Original URL:
Original content:
====================
When we started WCFing in my current project, the first challenge that we had was to get the WCF Services to impersonate the callers. I had burned a lot of midnight oil trying to figure out the right configuration that would make this happen. Till that time I had not gone through the WCF Security Guidance on CodePlex. The Guidance turned out to be quite helpful and very comprehensive. If you have not gone through that yet, I strongly recommend going to CodePlex and reading it right away.
For those who do not have that much time and do not want to go too deep into the theoretical side of it, I have put together a small how-to on setting up WCF Services to impersonate client credentials. Follow these simple steps and you will be good to go.
WCF Side
1. Configure your service to use Windows Authentication and Message Security:
<wsHttpBinding>
  <binding name="WSHttpBinding_IService">
    <security mode="Message">
      <transport clientCredentialType="Windows"
                 proxyCredentialType="None" realm="" />
      <message clientCredentialType="Windows"
               negotiateServiceCredential="true"
               algorithmSuite="Default"
               establishSecurityContext="true" />
    </security>
  </binding>
</wsHttpBinding>
2. Configure the SPN Identity for the WCF Service Endpoint
Configure the service principal name (SPN) identity under which the WCF service will run. This identity is usually the lower-privilege Network Service account; running under it reduces the attack surface whenever your application is not impersonating.
- Right-click the web.config file and then select the Edit WCF Configuration option.
- If you do not see the Edit WCF Configuration option, click the Tools menu and select WCF Service Configuration Editor. Close the WCF Service Configuration Editor tool that appears. The option should now appear on the web.config context menu.
- Expand the Services node, expand the Service node, and then expand the Endpoints node.
- Ensure that there is one endpoint that is configured to use wsHttpBinding.
- Select the Identity tab and delete the Dns attribute value, which by default is set to “localhost”.
- Set the ServicePrincipalName attribute to your machine name. This value depends on the identity that is used for running the WCF service. By default, the WCF service runs under the Network Service identity and is identified on the network by the machine account, hence you can use your machine name.
Now the configuration should look like this:
<service behaviorConfiguration="ServiceBehavior" name="ServiceSI">
  <endpoint address="" binding="wsHttpBinding" contract="IService">
    <identity>
      <servicePrincipalName value="A2PD-MANESHK" />
      <dns value="" />
    </identity>
  </endpoint>
  <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
3. Set up impersonation for all operations
Perform the following steps to impersonate all operations:
- Right-click the Web.config file and then select the Edit WCF Configuration option.
- Expand the Advanced node and then expand the Service Behaviors node.
- Select the ServiceBehavior service behavior, and then click the Add button.
- In the Adding Behavior Extension Element Sections dialog box, choose serviceAuthorization and then click Add.
- Select the serviceAuthorization node and then set the ImpersonateCallerForAllOperations attribute to True.
- In the configuration editor dialog box, on the File menu, click Save.
- In Visual Studio, verify your configuration settings in Web.config. The configuration should look as follows:
<behavior name="ServiceBehavior">
  <serviceMetadata httpGetEnabled="true" />
  <serviceDebug includeExceptionDetailInFaults="false" />
  <serviceAuthorization impersonateCallerForAllOperations="true" />
</behavior>
4. Implement Impersonation in the WCF Service
Perform the following steps to declaratively impersonate specific operations:
- Open the Service Implementation (SI) cs file, and add a using statement for the System.Security.Principal namespace.
- Set impersonation as required on the implementation of the specific operations, as follows:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public ServiceBE CreateService(ServiceBE serviceBE)
{
    //Code
}
Note: When impersonating for all operations, the Impersonation property of the OperationBehaviorAttribute applied to each method must also be set to either Allowed or Required.
5. Impersonating the Original Caller Programmatically
Perform the following step to impersonate the original caller programmatically:
- Use the Impersonate() call to impersonate the original caller, and then use GetCurrent() to revert to the previous state. Now the stub should look like this:
[OperationBehavior(Impersonation = ImpersonationOption.Required)]
public ServiceBE CreateService(ServiceBE serviceBE)
{
    // Only a token at Impersonation or Delegation level can be used to act as the caller;
    // an Identification-level token only lets you read who the caller is.
    if ((ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Impersonation)
        || (ServiceSecurityContext.Current.WindowsIdentity.ImpersonationLevel == TokenImpersonationLevel.Delegation))
    {
        // Impersonate() returns a WindowsImpersonationContext; disposing it at the end of
        // the using block reverts the thread to the service's own identity.
        using (ServiceSecurityContext.Current.WindowsIdentity.Impersonate())
        {
            //Your code goes in here
        }
    }
}
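The stub above silently skips the body when the caller's token is not good enough, which means the operation would run under the service account instead. The following is an added example (not code from the original post) of a full service implementation for step 5 that faults in that case, keeps the impersonated scope to the resource access only, and records which identity the work ran under. The ServiceBE fields, the audit-log path and the interface shape are assumptions for illustration; only IService, ServiceBE and CreateService come from the post.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IService { [OperationContract] ServiceBE CreateService(ServiceBE serviceBE); }

[DataContract]
public class ServiceBE { [DataMember] public string Name; [DataMember] public string CreatedBy; }

public class ServiceSI : IService
{
    [OperationBehavior(Impersonation = ImpersonationOption.Required)]
    public ServiceBE CreateService(ServiceBE serviceBE)
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        TokenImpersonationLevel level = caller.ImpersonationLevel;

        // An Identification-level token can tell us who the caller is but cannot be used to
        // act as them. Refuse instead of quietly running the work as Network Service.
        if (level != TokenImpersonationLevel.Impersonation &&
            level != TokenImpersonationLevel.Delegation)
        {
            throw new FaultException("Caller token level " + level + " does not permit impersonation.");
        }

        // Keep the impersonated region as small as possible: only the resource access runs
        // under the caller's token. Disposing the context at the end of the block reverts.
        using (caller.Impersonate())
        {
            // Inside the block the thread identity is the caller's, so the ACL on the log
            // file is evaluated against the caller rather than the service account.
            serviceBE.CreatedBy = WindowsIdentity.GetCurrent().Name;
            File.AppendAllText(@"C:\ServiceData\audit.log", // assumed path
                DateTime.UtcNow.ToString("o") + " " + serviceBE.CreatedBy +
                " created " + serviceBE.Name + Environment.NewLine);
        }

        // Here the thread is back to the process identity (Network Service in this setup).
        return serviceBE;
    }
}
```

With impersonateCallerForAllOperations="true" from step 3 the runtime has already impersonated before the method body runs, so the explicit Impersonate() call matters when that setting is off or the operation is only marked Allowed.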
Client Side
1. Create the Client Configuration file from the WCF Config
Perform the following steps for creating a client configuration file from the newly created wcf configuration file.
- Open Visual Studio 2008 and navigate to the Tools menu and select WCF Service Configuration Editor.
- Once the WCF Service Configuration Editor opens, select File > New Config to start a new configuration file.
- Click on Client, and then click on the Create New Client link.
- On the next screen, select the WCF configuration created earlier by clicking on the Browse button.
- Select the wsHttpBinding endpoint on the next screen.
- On the next screen provide a name for your client configuration, click Next, view the summary and click on Finish.
- Now click on the newly created wsHttp endpoint and provide the address of your hosted WCF service.
- Expand the Advanced node, open Endpoint Behaviors and click on New Endpoint Behavior Configuration.
- Give the configuration a name, something more meaningful than ‘NewBehavior0’.
- Click on Add and, from the window that pops up, select clientCredentials.
- Once the entry gets created, double-click on clientCredentials to open the detailed configuration.
- Now modify the value of AllowedImpersonationLevel to “Impersonation”.
- Now expand the Client node and open Endpoints.
- Select the wsHttpEndPoint and choose the newly added endpoint behavior configuration as its BehaviorConfiguration.
- Save the configuration file and let out a sigh of relief... you are done!
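The same client configuration built above in the editor, expressed in code as an added example (not from the original post): message security with Windows credentials matching the service binding from step 1, the service's SPN from step 2 as the endpoint identity, and AllowedImpersonationLevel set to Impersonation. The service URL and the shape of IService/ServiceBE are assumptions; the SPN value is the one in the post's service configuration.

```csharp
using System;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IService { [OperationContract] ServiceBE CreateService(ServiceBE serviceBE); }

[DataContract]
public class ServiceBE { [DataMember] public string Name; [DataMember] public string CreatedBy; }

public static class ImpersonatingClient
{
    public static ServiceBE CallCreateService(string serviceName)
    {
        // Mirror of the service's wsHttpBinding: message security, Windows credentials.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Message.NegotiateServiceCredential = true;
        binding.Security.Message.EstablishSecurityContext = true;

        // The SPN must match the <servicePrincipalName> in the service's <identity> element;
        // if it does not, authentication of the service fails and the call is rejected.
        EndpointAddress address = new EndpointAddress(
            new Uri("http://service-host/Service.svc"),          // assumed address
            EndpointIdentity.CreateSpnIdentity("A2PD-MANESHK"));

        ChannelFactory<IService> factory = new ChannelFactory<IService>(binding, address);

        // Impersonation lets the service act as this caller on its own machine only;
        // Delegation would additionally let it forward our identity to other machines.
        factory.Credentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;

        IService proxy = factory.CreateChannel();
        try
        {
            ServiceBE result = proxy.CreateService(new ServiceBE { Name = serviceName });
            ((ICommunicationObject)proxy).Close();
            factory.Close();
            return result;
        }
        catch
        {
            // A faulted channel cannot be closed cleanly; abort it and let the error surface.
            ((ICommunicationObject)proxy).Abort();
            factory.Abort();
            throw;
        }
    }
}
```

On the wire this produces the same behaviour as the editor-built client config; the result's CreatedBy field shows which Windows account the service actually ran the operation under.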