Use membership provider for WCF Security

Source: Internet
Author: User
Tags connectionstrings

Preface: In the previous two articles, we covered authentication in WCF with a user name/password and with X.509 certificates:

http://www.cnblogs.com/liujiang/archive/2008/11/24/1338952.html (X.509 certificates)

http://www.cnblogs.com/liujiang/archive/2008/11/21/1338384.html (user name/password)

1. Transfer security
Transfer security covers three aspects: message integrity, message confidentiality and mutual authentication.
Message integrity ensures that a message is not tampered with in transit and that the received message is complete and correct. Message confidentiality ensures that no third party can read the message, so its content is not disclosed to anyone who is not a party to the exchange. Mutual authentication means that the client and the service establish a correct connection through some trust mechanism; the authentication step also helps to detect and prevent denial-of-service (DoS) attacks. A typical practice is to digitally sign a message to guarantee its integrity, to use asymmetric encryption to prevent the message content from leaking, and to verify the other party's identity with a user name/password, an X.509 digital certificate or another method. This article describes how to authenticate with the ASP.NET membership provider in WCF.

2. Use the ASP.NET membership provider

The ASP.NET membership provider lets ASP.NET developers build websites on which users register with a unique user name and password combination. With it, any user can create an account on the website and log on to gain exclusive access to the website and its services. This differs completely from Windows security, which requires users to have accounts in a Windows domain: every user who presents valid credentials (a user name/password combination) can use the website and its services. Before building this demo, create the local aspnetdb database by running aspnet_regsql from the Visual Studio 2008 command prompt; this creates a local database named aspnetdb. Then use the ASP.NET configuration tool to create a role named Super User and a user named user1, and put user1 in the Super User role. Details of the membership provider can be found in MSDN and are not repeated here. In WCF, the ASP.NET membership provider is used through the same mechanism as user name/password authentication, so we also need an X.509 certificate installed on the server to encrypt the user name and password in transit.

Create a certificate: makecert -r -pe -n "CN=myserver" -ss my -sky exchange

3. The solution structure is as follows:

WcfMembershipClient: WCF client console application.

WcfMembershipServices: WCF service application.

WCF developers can reuse these ASP.NET features for security purposes. When the membership provider is integrated into a WCF application, the WCF client supplies a user name/password combination, and a binding that can carry user name/password credentials, such as wsHttpBinding, is used with the client credential type set to UserName. On the service side, WCF authenticates the user against the membership provider with the user name and password, and authorizes the call using the roles assigned through the ASP.NET role provider.

Configure the membership provider and the role provider in the server configuration file:

<connectionStrings>
  <add name="SqlConn" connectionString="Data Source=localhost;Integrated Security=true;database=aspnetdb;" />
</connectionStrings>
<system.web>
  <!-- Configure the SQL membership provider -->
  <membership defaultProvider="SqlMembershipProvider" userIsOnlineTimeWindow="15">
    <providers>
      <clear />
      <!-- enablePasswordRetrieval and requiresQuestionAndAnswer were garbled in the original
           listing; the standard SqlMembershipProvider attribute names are restored here.
           applicationName scopes users in aspnetdb: it should match the role provider's
           applicationName below, otherwise role lookups for user1 will not find the user. -->
      <add name="SqlMembershipProvider"
           type="System.Web.Security.SqlMembershipProvider"
           connectionStringName="SqlConn"
           applicationName="canonical"
           enablePasswordRetrieval="false"
           enablePasswordReset="false"
           requiresQuestionAndAnswer="false"
           requiresUniqueEmail="true"
           passwordFormat="Hashed" />
    </providers>
  </membership>
  <!-- Configure the SQL role provider -->
  <roleManager enabled="true" defaultProvider="SqlRoleProvider">
    <providers>
      <add name="SqlRoleProvider"
           type="System.Web.Security.SqlRoleProvider"
           connectionStringName="SqlConn"
           applicationName="wcfmembership" />
    </providers>
  </roleManager>
  <compilation debug="true" />
</system.web>

Create the service contract and its implementation:

using System.Security.Permissions;
using System.ServiceModel;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    bool Test();
}

public class Service1 : IService1 // implement the service
{
    public Service1()
    {
    }

    #region IService1 members

    // Only callers that the role provider places in the "Super User" role may invoke Test();
    // anyone else gets an access-denied fault before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Super User")]
    public bool Test()
    {
        return true;
    }

    #endregion
}

The server configuration file is as follows:

<system.serviceModel>
  <services>
    <service name="WcfMembershipServices.Service1" behaviorConfiguration="MembershipBehavior">
      <!-- Use the base address provided by the host -->
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="Binding1" contract="WcfMembershipServices.IService1" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding>
      <!-- Set up a binding that uses UserName as the client credential type -->
      <binding name="Binding1">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MembershipBehavior">
        <!-- Configure role-based authorization to use the role provider.
             principalPermissionMode must be UseAspNetRoles; the original listing had "None",
             under which WCF does not set the thread principal from the role provider and the
             PrincipalPermission demand on Test() would fail for every caller. -->
        <serviceAuthorization principalPermissionMode="UseAspNetRoles" roleProviderName="SqlRoleProvider" />
        <serviceCredentials>
          <!-- Configure user name authentication to use the membership provider:
               set membershipProviderName to the provider name from <system.web> -->
          <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" membershipProviderName="SqlMembershipProvider" />
          <!-- Configure the service certificate -->
          <serviceCertificate storeLocation="CurrentUser" storeName="My" x509FindType="FindBySubjectName" findValue="myserver" />
        </serviceCredentials>
        <!-- For debugging purposes set includeExceptionDetailInFaults to true -->
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceMetadata httpGetEnabled="true" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
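The same service-side security settings applied in code rather than in configuration, as an added example that is not part of the original article: a console-hosted ServiceHost that wires up the service certificate, the membership provider for password validation and the role provider for authorization, and a Test() body that shows which identity and roles WCF exposes to the operation. It assumes the host's app.config carries the system.web provider configuration above with the provider names SqlMembershipProvider and SqlRoleProvider, that the "myserver" certificate is in CurrentUser\My, and that the base address is an arbitrary choice.

```csharp
// Added example (not the article's code): host the service from a console application and
// apply the same security settings as the configuration file, but imperatively.
// Assumes: <system.web> membership/roleManager providers named "SqlMembershipProvider" and
// "SqlRoleProvider" exist in app.config, the "myserver" certificate is in CurrentUser\My,
// and the base address below is an arbitrary choice.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;
using System.Threading;
using System.Web.Security;

namespace WcfMembershipServices
{
    [ServiceContract]
    public interface IService1
    {
        [OperationContract]
        bool Test();
    }

    public class Service1 : IService1
    {
        [PrincipalPermission(SecurityAction.Demand, Role = "Super User")]
        public bool Test()
        {
            // With UseAspNetRoles, WCF sets Thread.CurrentPrincipal to a principal backed by the
            // role provider, so both the demand above and IsInRole consult the aspnetdb roles.
            string user = ServiceSecurityContext.Current.PrimaryIdentity.Name;
            bool isSuper = Thread.CurrentPrincipal.IsInRole("Super User");
            Console.WriteLine("Test() called by {0}, Super User={1}", user, isSuper);
            return true;
        }
    }

    class HostProgram
    {
        static void Main()
        {
            // wsHttpBinding with message security and UserName client credentials:
            // the password travels encrypted under the service certificate.
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

            var host = new ServiceHost(typeof(Service1), new Uri("http://localhost:51991/Service1"));
            host.AddServiceEndpoint(typeof(IService1), binding, "");

            // Service certificate (equivalent of <serviceCertificate ... findValue="myserver" />)
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.CurrentUser, StoreName.My, X509FindType.FindBySubjectName, "myserver");

            // Validate user name/password against the ASP.NET membership provider
            // (equivalent of <userNameAuthentication userNamePasswordValidationMode="MembershipProvider" />)
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
                UserNamePasswordValidationMode.MembershipProvider;
            host.Credentials.UserNameAuthentication.MembershipProvider =
                Membership.Providers["SqlMembershipProvider"];

            // Authorize with the ASP.NET role provider
            // (equivalent of <serviceAuthorization principalPermissionMode="UseAspNetRoles" />)
            host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
            host.Authorization.RoleProvider = Roles.Providers["SqlRoleProvider"];

            // Keep exception details out of faults; switch on only while debugging
            var debug = host.Description.Behaviors.Find<ServiceDebugBehavior>();
            if (debug == null)
            {
                debug = new ServiceDebugBehavior();
                host.Description.Behaviors.Add(debug);
            }
            debug.IncludeExceptionDetailInFaults = false;

            host.Open();
            Console.WriteLine("Service listening; press Enter to stop.");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

Roles.Providers is only populated when roleManager is enabled in the configuration, which is why the system.web section is still needed even though the WCF settings are made in code.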

4. Create a client

<system.serviceModel>
  <client>
    <endpoint name=""
              address="http://localhost:51991/service1.svc"
              behaviorConfiguration="ClientBehavior"
              binding="wsHttpBinding"
              bindingConfiguration="Binding1"
              contract="IService1">
      <identity>
        <!-- Base64 encoding of the service certificate as emitted by svcutil;
             the value is truncated here exactly as in the original listing -->
        <certificate encodedValue="awaaaaeaaaauaaaaqxw7daba6mcitj/tkiafzfz" />
      </identity>
    </endpoint>
  </client>
  <behaviors>
    <endpointBehaviors>
      <behavior name="ClientBehavior">
        <clientCredentials>
          <serviceCertificate>
            <!-- None skips validation of the self-signed test certificate, so the client
                 would send its password to any certificate presented; use ChainTrust or
                 PeerTrust outside this demo -->
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <wsHttpBinding>
      <!-- Set up a binding that uses UserName as the client credential type -->
      <binding name="Binding1">
        <security mode="Message">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </wsHttpBinding>
  </bindings>
</system.serviceModel>

The client proxy is generated by the svcutil tool and is not pasted here; from the Visual Studio 2008 command prompt, running svcutil followed by the metadata address generates it for you.

Service1Client client = new Service1Client();
client.ClientCredentials.UserName.UserName = "user1";
client.ClientCredentials.UserName.Password = "@ABC123";
client.Test();

With this in place the call succeeds: the membership provider verifies user1's password, the role provider confirms that user1 is in the Super User role, and the PrincipalPermission demand on Test() passes.
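A ChannelFactory-based client, added here as an example and not taken from the original article, that does what the generated proxy does but validates the service certificate instead of switching validation off, and distinguishes the two failure modes a caller sees: a rejected password and a missing role. It assumes the service above is listening at the article's address and that the self-signed "myserver" certificate has been copied into the CurrentUser\TrustedPeople store so that PeerTrust accepts it.

```csharp
// Added example (not the article's code): call the service through a ChannelFactory
// instead of the svcutil proxy, validate the service certificate instead of using
// certificateValidationMode="None", and tell the two failure modes apart.
// Assumes the article's service is running at the address below and that the
// self-signed "myserver" certificate has been copied into CurrentUser\TrustedPeople.
using System;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IService1
{
    [OperationContract]
    bool Test();
}

static class ClientProgram
{
    // Returns "ok", "auth-failed" or "access-denied" so the outcome is visible to the caller
    public static string CallTest(string userName, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // The DNS identity must match the certificate subject (CN=myserver); it takes the
        // place of the <identity><certificate encodedValue="..." /></identity> element.
        var address = new EndpointAddress(
            new Uri("http://localhost:51991/service1.svc"),
            EndpointIdentity.CreateDnsIdentity("myserver"));

        var factory = new ChannelFactory<IService1>(binding, address);

        // PeerTrust accepts the self-signed test certificate only because it was explicitly
        // placed in the Trusted People store. None would accept any certificate, so a
        // man-in-the-middle could present its own and decrypt the password.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.PeerTrust;

        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        IService1 proxy = factory.CreateChannel();
        try
        {
            proxy.Test();
            ((IClientChannel)proxy).Close();
            return "ok";
        }
        catch (MessageSecurityException)
        {
            // The membership provider rejected the user name/password
            // (or the security handshake with the service failed)
            ((IClientChannel)proxy).Abort();
            return "auth-failed";
        }
        catch (SecurityAccessDeniedException)
        {
            // Authenticated, but the role provider did not place the user in "Super User",
            // so the PrincipalPermission demand on Test() failed
            ((IClientChannel)proxy).Abort();
            return "access-denied";
        }
        finally
        {
            if (factory.State == CommunicationState.Faulted) factory.Abort();
            else factory.Close();
        }
    }

    static void Main()
    {
        Console.WriteLine(CallTest("user1", "@ABC123"));
        Console.WriteLine(CallTest("user1", "not-the-password"));
    }
}
```

Keeping the two exceptions separate matters on the client side as well as for logging on the server: a burst of MessageSecurityException results points at a credential problem (or guessing), whereas SecurityAccessDeniedException means the account is valid but its role assignment in aspnetdb is not what the service expects.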

 
