Question
Following these two links, I was able to implement a simple web service with X.509 certificates, and an authenticated test client to consume the service.
Right now, it looks something like this:
    ----------------
    | ServiceA.svc | ------------> Test Client 1
    | -GetData()   |
    ----------------
How can I extend what I have to accomplish something like this:
    ----------------
    | ServiceA.svc | ------------> Test Client 1
    | -GetData()   | ------------> Test Client 2
    | -SaveData()  |
    ----------------
    | ServiceB.svc | ------------> Test Client 1
    | -GetData()   |
    ----------------
    | ServiceC.svc | ------------> Test Client 2
    | -SaveData()  |
    ----------------
I already have services set up, and Test Client 2 ready to go.
So here are some of my questions:
- Do I need to create a separate certificate for Test Client 2?
- What will the config files/endpoints/behaviors look like? I think Service B and C would be easy to set up as they are basically the same as what I have right now, but now that ServiceA will be consumed by both clients, I am a bit lost.
- If ServiceA is called, how do I know which client is calling it? I potentially want to limit the methods they can call (i.e. TC1 can only use GetData(), TC2 can only use SaveData()), and be able to log who is accessing the methods.
I can post what I have in the config files if needed, but it looks basically like what the two aforementioned links have.
Answer 1:
Yes, each client needs a separate certificate. Then from within the operation you can get its distinguished identity:
    ServiceSecurityContext.Current.PrimaryIdentity.Name
The best practice is to separate the authorization process as described here: http://msdn.microsoft.com/en-us/magazine/cc948343.aspx
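One way to do the per-client, per-operation restriction the question asks for, as an added example that is not part of the original answer or the poster's code: a custom WCF ServiceAuthorizationManager that identifies the caller by the thumbprint of its client certificate and checks the incoming SOAP action against a per-client allow list, logging each decision. The thumbprints, the "Http://tempuri.org/..." action URIs and the contract name IServiceA are placeholders and assumptions; substitute the real values from your certificates and service contract.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example (not the original poster's or answerer's code): authorizes each
// call by client-certificate thumbprint and SOAP action, and logs the decision.
public class CertificateAuthorizationManager : ServiceAuthorizationManager
{
    // Hypothetical mapping: client-certificate thumbprint -> SOAP actions it may invoke.
    // Thumbprints are the uppercase hex strings shown by X509Certificate2.Thumbprint.
    // Replace these placeholder values with the real thumbprints and actions.
    private static readonly Dictionary<string, HashSet<string>> AllowedActions =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            // Test Client 1 may only call GetData
            { "AA11BB22CC33DD44EE55FF6600112233445566AA",
              new HashSet<string> { "http://tempuri.org/IServiceA/GetData" } },
            // Test Client 2 may only call SaveData
            { "BB22CC33DD44EE55FF660011223344556677BB88",
              new HashSet<string> { "http://tempuri.org/IServiceA/SaveData" } },
        };

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        ServiceSecurityContext security = operationContext.ServiceSecurityContext;
        string action = operationContext.IncomingMessageHeaders.Action;

        // The certificate WCF validated during the handshake is exposed as an
        // X509CertificateClaimSet in the authorization context.
        X509Certificate2 clientCert = FindClientCertificate(security.AuthorizationContext);
        if (clientCert == null)
        {
            Trace.TraceWarning("DENY action={0}: no client certificate presented", action);
            return false;
        }

        HashSet<string> actions;
        bool allowed = AllowedActions.TryGetValue(clientCert.Thumbprint, out actions)
                       && actions.Contains(action);

        // PrimaryIdentity.Name is the value the answer above points at; log it together
        // with the thumbprint so the entry identifies the exact certificate used.
        Trace.TraceInformation("{0} client=\"{1}\" thumbprint={2} action={3}",
            allowed ? "ALLOW" : "DENY",
            security.PrimaryIdentity.Name,
            clientCert.Thumbprint,
            action);

        return allowed;
    }

    private static X509Certificate2 FindClientCertificate(AuthorizationContext context)
    {
        foreach (ClaimSet claimSet in context.ClaimSets)
        {
            X509CertificateClaimSet x509 = claimSet as X509CertificateClaimSet;
            if (x509 != null)
                return x509.X509Certificate;
        }
        return null;
    }
}
```

Register the manager on the service behavior that ServiceA already uses, e.g. `<serviceAuthorization serviceAuthorizationManagerType="YourNamespace.CertificateAuthorizationManager, YourAssembly" />` inside the `<behavior>` element, so it runs after WCF has authenticated the certificate; this class only decides what an already-authenticated client may do, so keep `certificateValidationMode` on the client credentials set to something stricter than `None`, otherwise any self-signed certificate would reach the allow-list check. Returning `false` makes WCF reject the call with an access-denied fault, and because the decision is keyed on the thumbprint rather than the subject name, two certificates with the same CN cannot impersonate each other.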
Source: https://stackoverflow.com/questions/10143921/setting-up-web-services-with-x509-and-multiple-clients-and-how-to-distinguish-cl