Require credentials for some methods only in WCF web service

Submitted by 孤者浪人 on 2020-01-03 18:54:25

Question


I have a UserAccountService with different methods, some of which require the user to be authenticated (e.g. ChangePassword, ChangeUserData) and some not (RegisterUser).

However, I can't seem to get it to work so that only some methods require authentication.

The methods that require authentication are decorated with

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]

In my app.config I have a binding specified which uses encryption and requests UserName credentials:

    <binding name="authenticatedBinding">
      <security mode="TransportWithMessageCredential">
        <message clientCredentialType="UserName" />
      </security>
    </binding>

(I am using basicHttpBinding)

I also have a custom authentication provider configured:

      <serviceCredentials>
        <userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="..." />
      </serviceCredentials>

With this configuration I can't seem to call any methods on the service without being authenticated.

If I leave out the security configuration, then I can call the methods that don't require authentication, but the message credentials are no longer being transported.

How do I have to configure my service, so that it allows all methods to be called and only requires the username/password to be set when the PrincipalPermission demands it?

I am using Silverlight as my client, if that's important...

Thanks!


Answer 1:


Security settings can be fine-grained at the endpoint level but not within a contract, so you cannot combine secure and unsecure methods in the way you desired. I would suggest that:

  1. You break up your service contract (interface) into two parts: one for the unsecured methods, and a second that inherits from the unsecured part and contains the operations that need to be secured.
  2. Your service implementation need not change (as it should be implementing the secured interface); all you need to do is expose this implementation as two different contracts (one secured and another unsecured) at two different endpoints. You need to lock down the endpoint with the secured contract with whatever security configuration is needed.
  3. Unfortunately, from the client's perspective, you have to switch the endpoint/URL at the authentication boundary, i.e. until the user is authenticated you can use the unsecured endpoint, but once authenticated, the client may use any endpoint.
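The split described in the answer, as an added example that is not part of the original question or answer: the two contracts, one service implementation, and a self-hosted ServiceHost that exposes them on two basicHttpBinding endpoints, the secured one configured exactly like the question's authenticatedBinding. Everything here is an assumption for illustration: the contract and class names, the in-memory user store (plain strings, where a real service would keep salted hashes), the addresses, and the GenericPrincipalPolicy. That last piece is not discussed on the page; it is there because a custom UserNamePasswordValidator yields a GenericIdentity rather than a WindowsIdentity, so the principal that [PrincipalPermission(Authenticated = true)] evaluates is set explicitly via PrincipalPermissionMode.Custom instead of relying on the default UseWindowsGroups mode. TransportWithMessageCredential requires an https address with a server certificate bound to that port; that setup is outside this block.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Unsecured contract: only what a not-yet-authenticated caller needs.
[ServiceContract]
public interface IAccountService
{
    [OperationContract]
    bool RegisterUser(string userName, string password);
}

// Secured contract: inherits the open operations and adds those that demand a principal.
[ServiceContract]
public interface ISecureAccountService : IAccountService
{
    [OperationContract]
    bool ChangePassword(string oldPassword, string newPassword);
}

// One implementation serves both contracts; the endpoint a caller connects to decides
// which operations are reachable, not the implementation.
public class UserAccountService : ISecureAccountService
{
    // Hypothetical in-memory store for the example (plain strings, not for production).
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>();

    internal static bool CheckPassword(string userName, string password)
    {
        lock (Users) return Users.TryGetValue(userName, out var stored) && stored == password;
    }

    public bool RegisterUser(string userName, string password)
    {
        lock (Users)
        {
            if (Users.ContainsKey(userName)) return false;
            Users[userName] = password;
            return true;
        }
    }

    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public bool ChangePassword(string oldPassword, string newPassword)
    {
        // The identity comes from the UserName token validated on the secured endpoint.
        string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        lock (Users)
        {
            if (!CheckPassword(user, oldPassword)) return false;
            Users[user] = newPassword;
            return true;
        }
    }
}

// The custom validator the question's customUserNamePasswordValidatorType="..." points at.
public class StoreUserNamePasswordValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (!UserAccountService.CheckPassword(userName, password))
            throw new FaultException("Unknown user name or incorrect password.");
    }
}

// Puts the validated identity into Thread.CurrentPrincipal so the PrincipalPermission
// demand sees an authenticated principal (assumed addition, see lead-in).
public class GenericPrincipalPolicy : IAuthorizationPolicy
{
    public string Id { get; } = Guid.NewGuid().ToString();
    public ClaimSet Issuer => ClaimSet.System;

    public bool Evaluate(EvaluationContext context, ref object state)
    {
        if (!context.Properties.TryGetValue("Identities", out object value)) return false;
        if (!(value is IList<IIdentity> identities) || identities.Count == 0) return false;
        context.Properties["Principal"] = new GenericPrincipal(identities[0], new string[0]);
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(UserAccountService));

        // Endpoint 1: no security; exposes only IAccountService, so RegisterUser works anonymously.
        host.AddServiceEndpoint(typeof(IAccountService),
            new BasicHttpBinding(BasicHttpSecurityMode.None),
            "http://localhost:8080/UserAccountService/open");

        // Endpoint 2: the question's authenticatedBinding built in code (TLS + UserName token).
        var secured = new BasicHttpBinding(BasicHttpSecurityMode.TransportWithMessageCredential);
        secured.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(ISecureAccountService), secured,
            "https://localhost:8443/UserAccountService/secure");

        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new StoreUserNamePasswordValidator();

        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
        host.Authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
            new List<IAuthorizationPolicy> { new GenericPrincipalPolicy() });

        host.Open();
        Console.WriteLine("Service running; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

On the client side (Silverlight or otherwise) this means two generated proxies: one against the open endpoint for RegisterUser, and one against the secured endpoint whose ClientCredentials.UserName is set before any call. Because the secured endpoint refuses messages without a valid UserName token at the binding level, the PrincipalPermission attributes only ever run behind an authenticated identity; the open endpoint never receives credentials, so nothing on it can accidentally depend on them.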


Source: https://stackoverflow.com/questions/5700495/require-credentials-for-some-methods-only-in-wcf-web-service
