Passing Custom User Object to WCF_问答_开发者_运维开发者技术经验分享

开发者 https://www.devze.com 2023-02-19 00:40 出处：网络

I\'ve implem开发者_开发技巧ented a custom ASP.net membership provider to deal with forms authentication. The custom provider uses a custom User object for authentication and authorization. I was wonde

I've implem开发者_开发技巧ented a custom ASP.net membership provider to deal with forms authentication. The custom provider uses a custom User object for authentication and authorization. I was wondering If I can pass this object to each WCF call without adding it to the parameters list?

Since you are already using a MembershipProvider you can utalize that on wcf as well so both are secured by the same mechanism.

See this post on msdn.

Windows Communication Foundation (WCF) developers can take advantage of these features for security purposes. When integrated into an WCF application, users must supply a user name/password combination to the WCF client application. To transfer the data to the WCF service, use a binding that supports user name/password credentials, such as the WSHttpBinding (in configuration, the wsHttpBinding Element) and set the client credential type to UserName. On the service, WCF security authenticates the user based on the user name and password, and also assigns the role specified by the ASP.NET role.

Another option would be to create a custom IAuthorizationPolicy that pulls off your user via

OperationContext.Current.IncomingMessageHeaders.GetHeader<T>

And than setup your principal like the following:

evaluationContext.Properties[Constants.EvaluationContextPrincipal] = principal;

Here is some more information on creating a custom IAuthroizationPolicy. With this method you could achieve what you want without passing your user to the method.

Just be warned if you go this route a crafty person could end up impersonating the user by simply suppling a bogus user in your header.

Using the asp.net membership provider for wcf would most likely get you what you are really after plus adding some security.

You definitely should not add this to the parameters each method.

I do not know about your custom user object but as far as WS* and most security standards concerned, your user object will have username and password.

The answer depends on the binding you use. BasicHttpBinding or BasicHttpContextBinding can use HTTP authentication schemes while WsHttpBinding can use custom Message security which you can provide user name and password.

BasicHttpContextBinding is especially good since it can work with ASP NET session.