I create a wcf service as you can see :
[OperationContract]
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
[WebInvoke(Method = "GET", UriTemplate = "/Data/{data}")]
string GetData(string data);
So I create a custom authorize as you can see :
public class AuthorizationPolicy : IAuthorizationPolicy
{
string id = Guid.NewGuid().ToString();
public string Id
{
get { return this.id; }
}
public System.IdentityModel.Claims.ClaimSet Issuer
{
get { return System.IdentityModel.Claims.ClaimSet.System; }
}
// this method gets called after the authentication stage
public bool Evaluate(EvaluationContext evaluationContext, ref object state)
{
// get the authenticated client identity
IIdentity client = HttpContext.Current.User.Identity;
// set the custom principal
evaluationContext.Properties["Principal"] = new CustomPrincipal(client);
return true;
}
}
public class CustomPrincipal : IPrincipal
{
private IIdentity _identity;
public IIdentity Identity
{
get
{
return _identity;
}
}
public CustomPrincipal(IIdentity identity)
{
_identity = identity;
}
public bool IsInRole(string role)
{
//my code
return true;
// return Roles.IsUserInRole(role);
}
}
And authentication:
public class RestAuthorizationManager: ServiceAuthorizationManager
{
protected override bool CheckAccessCore(OperationContext operationContext)
{
//Extract the Authorization header, and parse out the credentials converting the Base64 string:
var authHeader = WebOperationContext.Current.IncomingRequest.Headers["Authorization"];
if ((authHeader != null) && (authHeader != string.Empty))
{
var svcCredentials = System.Text.ASCIIEncoding.ASCII
.GetString(Convert.FromBase64String(authHeader.Substring(6)))
.Split(':');
var user = new
{
Name = svcCredentials[0],
Password = svcCredentials[1]
};
if ((user.Name == "1" && user.Password == "1"))
{
//here i get the role of my user from the database
// return Admin role
//User is authrized and originating call will proceed
return true;
}
else
{
//not authorized
return false;
}
}
else
{
//No authorization header was provided, so challenge the client to provide before proceeding:
WebOperationContext.Current.OutgoingResponse.Headers.Add("WWW-Authenticate: Basic realm=\"MyWCFService\"");
//Throw an exception with the associated HTTP status code equivalent to HTTP status 401
throw new WebFaultException(HttpStatusCode.Unauthorized);
}
}
}
So I create and https hosting in my IIS and I upload the service, my authentication class is working but my authorize doesn't .why?I define my authentication in my web config as you can see.But I don't know how can I define my authorize in my web config.
<?xml version="1.0"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2"/>
</system.web>
<system.serviceModel>
<client />
<bindings>
<webHttpBinding>
<binding>
<security mode="Transport" />
</binding>
</webHttpBinding>
</bindings>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization
serviceAuthorizationManagerType
="wcfrestauth.RestAuthorizationManager, wcfrestauth"/>
</behavior>
</serviceBehaviors>
<endpointBehaviors>
<behavior name="webHttpServiceBehavior">
<!-- Important this is the behavior that makes a normal WCF service to REST based service-->
<webHttp/>
</behavior>
</endpointBehaviors>
</behaviors>
<services>
<service name="wcfrestauth.Service1" behaviorConfiguration="ServiceBehavior">
<host>
<baseAddresses>
<add baseAddress="http://localhost/WCFRestAuthentication/api/" />
</baseAddresses>
</host>
<endpoint binding="webHttpBinding" contract="wcfrestauth.IService1" behaviorConfiguration="webHttpServiceBehavior" />
</service>
</services>
<protocolMapping>
<add binding="webHttpBinding" scheme="https"/>
</protocolMapping>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/>
<directoryBrowse enabled="true"/>
</system.webServer>
</configuration>
I mean when I call my service in client .the service doesn't check the authorize function.i should define my custom authorize class inside the webconfig but i don't know how ?
public bool IsInRole(string role)
{
//my code
return true;
// return Roles.IsUserInRole(role);
}
You might need to set serviceCredentials in your web config file:
<serviceCredentials type="YourString">
<YourTagsHere>
</YourTagsHere>
</serviceCredentials>
Here's a link to more information about serviceCredentials: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/wcf/servicecredentials
You can specify your custom AuthorizationPolicy within the <serviceAuthorization> tags, e.g.:
<serviceAuthorization serviceAuthorizationManagerType=
"wcfrestauth.RestAuthorizationManager, wcfrestauth">
<authorizationPolicies>
<add policyType="wcfrestauth.AuthorizationPolicy, wcfrestauth"
</authorizationPolicies>
</serviceAuthorization>
In the WCF docs there is a good example for Implementing a Custom Authorization Policy for a WCF service.
Be careful, though, when overriding the CheckAccess method of the abstract AuthorizationManager base class. The method of the base class calls the GetAuthorizationPolicies method internally to retrieve a collection of all IAuthorizationPolicy objects present (see also this blog article).
If you override CheckAcces and do not invoke the method of the parent class, not any Evaluate method of the IAuthorizationPolicy objects will be called.
来源:https://stackoverflow.com/questions/45767892/customauthorizationpolicy-evaluate-method-never-fires-in-wcf-webhttpbinding