Declaration-based security policy for WCF security

Overview

Windows Communication Foundation (WCF) is the unified programming model Microsoft provides for building service-oriented applications (from MSDN). Security matters especially in distributed environments: if you think that switching on WCF's default security settings lets you stop worrying, you can expect to be sent home tomorrow. The defaults are enough for learning, of course, but here we are talking about real project deployments, and the security WCF provides and guarantees differs from protocol to protocol.

  Background
In the previous post we set up a custom declarative authorization policy to restrict access to service operations flexibly. This time we stay on that topic but use a different policy for restricting service access: configuring access to service operations with declarative security. In this example one service exposes three operations, the classic calculator. The Add operation requires the caller to be a member of the Windows Administrators group; the Subtract operation is restricted to members of the Windows guest group (guest); Multiply is accessible to anyone. The example runs on a single computer. The security mode is Message, Windows credentials are enabled for both transport and message security, and the application itself stays very simple. Can't wait? Then let's kick off.

  Start
First, an introduction to the restrictions that the different levels of declarative security action impose. The data in the following two tables comes from MSDN.

1. Declarative security actions (System.Security.Permissions.SecurityAction)

Member name         Description
----------------------------------------------------------------------------------------------------
Demand              All callers higher in the call stack must have been granted the permission specified by the current permission object.
Assert              The calling code can access the resource identified by the current permission object even if callers higher in the stack have not been granted that permission (see Using the Assert Method).
Deny                Callers are denied access to the resource specified by the current permission object even if they have been granted that permission (see Using the Deny Method).
PermitOnly          Only the resources specified by this permission object can be accessed, even if the code has been granted permission to access other resources (see Using the PermitOnly Method).
LinkDemand          The immediate caller must have been granted the specified permission.
InheritanceDemand   A derived class that inherits this class or overrides a method must have been granted the specified permission. For more information, see Inheritance Demands.
RequestMinimum      Requests the minimum permissions required for the code to run. This action can only be used within the scope of an assembly.
RequestOptional     Requests additional permissions that are optional (not required to run). This request implicitly refuses all other permissions not specifically requested. This action can only be used within the scope of an assembly.
RequestRefuse       Requests that permissions which might be misused not be granted to the calling code. This action can only be used within the scope of an assembly.

 

 

2. The following table describes when each security action is evaluated and which targets it supports.

Security action     When it is evaluated        Supported targets
------------------------------------------------------------------------
LinkDemand          Just-in-time compilation    Class, method
InheritanceDemand   Load time                   Class, method
Demand              Run time                    Class, method
Assert              Run time                    Class, method
Deny                Run time                    Class, method
PermitOnly          Run time                    Class, method
RequestMinimum      Grant time                  Assembly
RequestOptional     Grant time                  Assembly
RequestRefuse       Grant time                  Assembly

  Service code settings

In the service we first create the three operations:

// Users in the Administrators group can access this operation
[PrincipalPermission(SecurityAction.Demand, Role = "Administrators", Unrestricted = false)]
public double Add(double n1, double n2)
{
    return n1 + n2;
}
// Accessible to guest users
[PrincipalPermission(SecurityAction.Demand, Role = "guest")]
public double Subtract(double n1, double n2)
{
    return n1 - n2;
}
// Any user can access this operation
public double Multiply(double n1, double n2)
{
    return n1 * n2;
}

1. For the first operation, Add, the service caller must be a member of the Windows Administrators group. The declarative security action is set to SecurityAction.Demand: all callers higher in the call stack must have been granted the permission specified by the current permission object.
2. Role is set to the Administrators group.
3. Unrestricted declares whether the code has full (unrestricted) permission on the resource protected by this attribute; here it is set to false, which is also the default.
4. The Subtract operation is configured the same way as Add, except that the role allowed to access it is changed to the guest user group (guest).
5. The Multiply operation has no access restriction and can be called by any user.
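To see what the attributes above actually check, the following added example (not code from the original post) runs the same three operations in a plain console program without a WCF host. Under principalPermissionMode="UseWindowsGroups" WCF installs a WindowsPrincipal for the caller's Windows identity on the dispatching thread before each operation; here a GenericPrincipal with constructed role lists is installed by hand, so the demand can be exercised without real Windows groups. It also shows the imperative form of the same demand, which is the form to use when the role is only known at run time or when a denial should be logged. The class names, user names and role lists are assumptions for the example; the role name "Guests" is the built-in Windows group (BUILTIN\Guests), whereas the post's own code uses "guest". The example targets .NET Framework, since PrincipalPermissionAttribute is not honoured on .NET Core and later.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Same three operations as the service above, without the WCF plumbing
// (CalculatorChecks is a hypothetical name for this example).
public class CalculatorChecks
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public double Add(double n1, double n2) { return n1 + n2; }

    // "Guests" is the name of the built-in Windows group (BUILTIN\Guests).
    [PrincipalPermission(SecurityAction.Demand, Role = "Guests")]
    public double Subtract(double n1, double n2) { return n1 - n2; }

    // No attribute: any caller that reaches the method may run it.
    public double Multiply(double n1, double n2) { return n1 * n2; }

    // Imperative form of the same demand as on Add. It behaves identically, but the
    // role can be chosen at run time and a denial can be logged before it propagates.
    public double AddImperative(double n1, double n2)
    {
        var demand = new PrincipalPermission(null, "Administrators");
        try
        {
            demand.Demand();
        }
        catch (SecurityException)
        {
            Console.WriteLine("denied: {0} is not in Administrators",
                              Thread.CurrentPrincipal.Identity.Name);
            throw;
        }
        return n1 + n2;
    }
}

public static class PrincipalDemo
{
    // Runs one call with a constructed principal installed on the current thread and
    // restores the previous principal afterwards. Returns true if the call was allowed.
    public static bool RunAs(string user, string[] roles, Func<double> call)
    {
        IPrincipal saved = Thread.CurrentPrincipal;
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), roles);
        try
        {
            double result = call();
            Console.WriteLine("{0}: allowed, result = {1}", user, result);
            return true;
        }
        catch (SecurityException ex)
        {
            // This is the exception WCF turns into an "Access is denied" fault for the caller.
            Console.WriteLine("{0}: denied ({1})", user, ex.Message);
            return false;
        }
        finally
        {
            Thread.CurrentPrincipal = saved;
        }
    }

    public static void Main()
    {
        var calc = new CalculatorChecks();
        string[] admins = { "Administrators" };   // constructed role lists, not real groups
        string[] guests = { "Guests" };
        string[] nobody = { };

        RunAs("alice", admins, () => calc.Add(10, 20));           // allowed
        RunAs("alice", admins, () => calc.Subtract(30, 20));      // denied: alice is not in Guests
        RunAs("bob", guests, () => calc.Subtract(30, 20));        // allowed
        RunAs("bob", guests, () => calc.Add(10, 20));             // denied: bob is not in Administrators
        RunAs("carol", nobody, () => calc.Multiply(10, 20));      // allowed: no demand on Multiply
        RunAs("bob", guests, () => calc.AddImperative(10, 20));   // denied, and logged by the service code
    }
}
```

The point the post makes in its afterword is visible here: membership in Administrators does not imply membership in Guests, so an administrator calling Subtract is denied. Whether a role string matches depends only on IsInRole on the installed principal, which for a WindowsPrincipal means the string must resolve to an actual Windows group.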

  Service Configuration File Settings

1. In the service configuration file, we must adjust the binding and configuration as follows:

 

<!-- Service behavior configuration -->
<behavior name="userDataBehavior">
  <serviceMetadata httpGetEnabled="false"/>
  <serviceDebug includeExceptionDetailInFaults="true"/>
  <serviceCredentials>
    <serviceCertificate findValue="192168168151 service"
                        x509FindType="FindBySubjectName"
                        storeLocation="LocalMachine"
                        storeName="My"/>
  </serviceCredentials>
  <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>
</behavior>

<!-- Binding configuration -->
<binding name="endpointBinding">
  <security mode="Message">
    <transport clientCredentialType="Windows" protectionLevel="EncryptAndSign"/>
    <message clientCredentialType="Windows"/>
  </security>
</binding>

2. In the service binding, set the security mode to Message and enable Windows credentials for both transport and message security.
3. In the service behavior, set the declarative authorization check mode with <serviceAuthorization principalPermissionMode="UseWindowsGroups"/> so that roles are checked against Windows groups.
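The same behavior and binding settings expressed as a self-hosted service in code, as an added example (not the post's own project). The post's configuration fragment names neither the binding type nor the service; the example assumes netTcpBinding (protectionLevel on the <transport> element belongs to that binding's schema), a hypothetical contract IUserData with service class UserDataService, and a listening address. It keeps the post's settings, including the service certificate find value, and makes includeExceptionDetailInFaults a switch: the post's value of "true" is convenient while debugging but sends exception details and stack traces to every caller, so the production build leaves it off.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Hypothetical contract and service for the calculator (names assumed, not from the post).
[ServiceContract]
public interface IUserData
{
    [OperationContract] double Add(double n1, double n2);
    [OperationContract] double Subtract(double n1, double n2);
    [OperationContract] double Multiply(double n1, double n2);
}

public class UserDataService : IUserData
{
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public double Add(double n1, double n2) { return n1 + n2; }
    [PrincipalPermission(SecurityAction.Demand, Role = "Guests")]
    public double Subtract(double n1, double n2) { return n1 - n2; }
    public double Multiply(double n1, double n2) { return n1 * n2; }
}

public static class SelfHost
{
    // Returns the behavior of type T already on the host, adding one if it is missing.
    private static T GetOrAdd<T>(ServiceHost host) where T : class, IServiceBehavior, new()
    {
        T behavior = host.Description.Behaviors.Find<T>();
        if (behavior == null)
        {
            behavior = new T();
            host.Description.Behaviors.Add(behavior);
        }
        return behavior;
    }

    // Builds a host equivalent to the post's <behavior> and <binding> configuration.
    // 'debugging' chooses between the post's debug setting and the production setting.
    public static ServiceHost Build(Uri baseAddress, bool debugging)
    {
        var host = new ServiceHost(typeof(UserDataService), baseAddress);

        // <serviceMetadata httpGetEnabled="false"/>: no metadata over HTTP GET.
        GetOrAdd<ServiceMetadataBehavior>(host).HttpGetEnabled = false;

        // <serviceDebug includeExceptionDetailInFaults="true"/> sends exception details
        // (including stack traces) to every caller; keep it off outside local debugging.
        GetOrAdd<ServiceDebugBehavior>(host).IncludeExceptionDetailInFaults = debugging;

        // <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>:
        // PrincipalPermission roles are checked against the caller's Windows groups.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        // <serviceCertificate .../> with the post's find value.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "192168168151 service");

        // <security mode="Message"> with Windows credentials on transport and message.
        // netTcpBinding is assumed; the post does not name the binding type.
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;

        host.AddServiceEndpoint(typeof(IUserData), binding, "");
        return host;
    }

    public static void Main()
    {
        // The address is assumed; the post does not state one.
        ServiceHost host = Build(new Uri("net.tcp://localhost:8731/UserData"), debugging: false);
        host.Open();
        Console.WriteLine("UserData service listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Building the host in code makes the two security-relevant switches explicit in one place: PrincipalPermissionMode decides what the role strings on the operations are compared against, and IncludeExceptionDetailInFaults decides how much a caller learns when an operation fails.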

 

  Client call

1. Below we call the service operations as an administrator user and print the results to the console. The code is as follows:

 

UserDataClient client = new UserDataClient();
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Ha ha, I am a separator line -----------------------------------------------------------------");
client = new UserDataClient();
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine("Access by Administrators");
double addResult = client.Add(10, 20);
Console.WriteLine("addResult: {0} + {1} = {2}", 10, 20, addResult);
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Ha ha, I am a separator line -----------------------------------------------------------------");
client = new UserDataClient();
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine("Guest member access");
double subtractResult = client.Subtract(30, 20);
Console.WriteLine("subtractResult: {0} - {1} = {2}", 30, 20, subtractResult);
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Ha ha, I am a separator line -----------------------------------------------------------------");
client = new UserDataClient();
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine("multiplyResult: normal access");
double multiplyResult = client.Multiply(10, 20);
Console.WriteLine("multiplyResult: {0} * {1} = {2}", 10, 20, multiplyResult);

2. Because the caller is a user in the Administrators group, an exception is thrown when the Subtract operation is called. We catch the exception here as well, to give you an intuitive picture.

 

 

3. Note explicitly that this is not a matter of the administrator having higher privileges than the guest role: the check is unrelated to the privilege level the operating system assigns when the user is created. Let's look at the service call results.
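The post catches the exception for the Subtract call in a screenshot that did not survive; the following added example (not the post's own client code) shows the client side written out, with the proxy torn down correctly after each outcome. A failed PrincipalPermission demand on the service reaches the client as a SecurityAccessDeniedException with the message "Access is denied", and the example separates that from other faults and transport errors so each can be logged on its own. The contract IUserData, the hand-written UserDataClient proxy (standing in for the generated one), the netTcpBinding and the address are assumptions for the example.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Security;

// Contract for the calculator service (hypothetical name) and a minimal proxy
// standing in for the svcutil-generated client used in the post.
[ServiceContract]
public interface IUserData
{
    [OperationContract] double Add(double n1, double n2);
    [OperationContract] double Subtract(double n1, double n2);
    [OperationContract] double Multiply(double n1, double n2);
}

public class UserDataClient : ClientBase<IUserData>, IUserData
{
    public UserDataClient(Binding binding, EndpointAddress address) : base(binding, address) { }
    public double Add(double n1, double n2) { return Channel.Add(n1, n2); }
    public double Subtract(double n1, double n2) { return Channel.Subtract(n1, n2); }
    public double Multiply(double n1, double n2) { return Channel.Multiply(n1, n2); }
}

public static class ClientCalls
{
    public enum Outcome { Allowed, Denied, Fault, Failed }

    // Runs one operation on a fresh proxy and tears it down correctly afterwards:
    // Close() after success, Abort() once the channel has faulted.
    public static Outcome Invoke(Func<UserDataClient> newClient, Func<UserDataClient, double> op, string label)
    {
        UserDataClient client = newClient();
        try
        {
            double result = op(client);
            Console.WriteLine("{0}: {1}", label, result);
            client.Close();
            return Outcome.Allowed;
        }
        catch (SecurityAccessDeniedException ex)
        {
            // The PrincipalPermission demand on the service failed for the Windows account
            // this process runs as; WCF reports it to the caller as "Access is denied".
            Console.WriteLine("{0}: denied for {1}\\{2} ({3})", label,
                              Environment.UserDomainName, Environment.UserName, ex.Message);
            client.Abort();
            return Outcome.Denied;
        }
        catch (FaultException ex)
        {
            // Any other SOAP fault. With includeExceptionDetailInFaults="true" the service
            // may return exception details here; do not surface them to end users.
            Console.WriteLine("{0}: fault {1}", label, ex.Code.Name);
            client.Abort();
            return Outcome.Fault;
        }
        catch (CommunicationException ex)
        {
            Console.WriteLine("{0}: communication error: {1}", label, ex.Message);
            client.Abort();
            return Outcome.Failed;
        }
        catch (TimeoutException ex)
        {
            Console.WriteLine("{0}: timeout: {1}", label, ex.Message);
            client.Abort();
            return Outcome.Failed;
        }
    }

    public static void Main()
    {
        // Address assumed; the binding mirrors the post's Message-mode Windows settings.
        var binding = new NetTcpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var address = new EndpointAddress("net.tcp://localhost:8731/UserData");
        Func<UserDataClient> fresh = () => new UserDataClient(binding, address);

        // With Windows credentials the logged-on account is what the service sees; a
        // UserName set on client.ClientCredentials.UserName is ignored, as the post notes.
        Invoke(fresh, c => c.Add(10, 20), "Add (needs Administrators)");
        Invoke(fresh, c => c.Subtract(30, 20), "Subtract (needs Guests)");
        Invoke(fresh, c => c.Multiply(10, 20), "Multiply (no restriction)");
    }
}
```

Run as a member of Administrators this prints an allowed result for Add, a denial for Subtract and an allowed result for Multiply, which is the outcome the post describes. Creating a fresh proxy per call, as the post's own client does, matters because a proxy whose channel has faulted cannot be reused.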

 

 

========================================================== ======================

Afterword: a few notes.

1. If service authorization on the server is set to <serviceAuthorization principalPermissionMode="UseWindowsGroups"/>, this determines how the role and access level you set on the service operations are checked.

2. To enable the security check on a method, add: [PrincipalPermission(SecurityAction.Demand, Role = "Users")]. SecurityAction indicates the permission check level; Role is the name of the Windows group used, generally Administrators or Guests (UseAspNetRoles is not covered here).

3. When the service is called, the currently logged-in system user is used by default; this has nothing to do with any username and password set on the client. For example:

client.ClientCredentials.UserName.UserName = "guest";

client.ClientCredentials.UserName.Password = "admin";

is effectively dead code.

4. The System.Security.Permissions namespace contains the classes that control access to operations and resources according to policy definitions. These classes let us control access to program code flexibly, according to business needs.

------------------------------------------------------------------------------------------------------------------------------------------------

Feel free to repost, but please credit the source: the lsotcode blog (http://www.cnblogs.com/viter)!

Criticism is welcome!
