Monday, 15 August 2011

.NET - Website authenticated by Session Security Token, need to pass it to WCF service


I have a simple .NET 4.5 MVC website. Upon login, a ClaimsPrincipal is created with test claims:

```csharp
using System.Collections.Generic;
using System.IdentityModel.Services;   // FederatedAuthentication
using System.IdentityModel.Tokens;     // SessionSecurityToken
using System.Security.Claims;

List<Claim> claims = new List<Claim>();
claims.Add(new Claim("test", "test"));
claims.Add(new Claim(ClaimTypes.NameIdentifier, "nameid"));

// Authentication type "Forms" marks the identity as authenticated.
var id = new ClaimsIdentity(claims, "Forms");
var cp = new ClaimsPrincipal(id);

// Wrap the principal in a session token and write it to the WIF session cookie.
var token = new SessionSecurityToken(cp);
FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token);
```

The working web.config is:

```xml
<!-- (have snipped out standard, not interesting web.config) -->
<configSections>
  <section name="system.identityModel"
           type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
  <section name="system.identityModel.services"
           type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="FormsAuthenticationModule" />
    <add name="SessionAuthenticationModule"
         type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
         preCondition="managedHandler" />
  </modules>
</system.webServer>

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" persistentSessionLifetime="2" />
  </federationConfiguration>
</system.identityModel.services>
```

From elsewhere in the web application, I can get at the claims using ClaimsPrincipal.Current.

Sending to the WCF service

I need to send these claims to a friendly WCF service (intranet only). As you can see above, the token is created in the web application, not on an STS. I want to be able to pass the token to the WCF service and have the service set the ClaimsPrincipal.

The service looks like:

```csharp
using System.Security.Claims;
using System.ServiceModel;

// IClaimsCheckService
[ServiceContract]
public interface IClaimsCheckService
{
    [OperationContract]
    void CheckClaims();
}

// ClaimsCheckService.svc
public class ClaimsCheckService : IClaimsCheckService
{
    public void CheckClaims()
    {
        // Expected to be the caller's principal; see "What happens" below.
        var claimsPrincipal = ClaimsPrincipal.Current;
    }
}
```

The server web.config is:

```xml
<system.serviceModel>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  <behaviors>
    <serviceBehaviors>
      <behavior>
        <serviceAuthorization principalPermissionMode="Always" />
        <serviceCredentials useIdentityConfiguration="true" />
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

The client web.config (the MVC website described above; this config sits alongside the rest of the config snippet above) is:

```xml
<system.serviceModel>
  <behaviors>
    <endpointBehaviors>
      <behavior>
        <clientCredentials useIdentityConfiguration="true">
          <serviceCertificate>
            <authentication certificateValidationMode="None" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <bindings>
    <basicHttpBinding>
      <binding name="BasicHttpBinding_IClaimsCheckService" />
    </basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost:59343/ClaimsCheckService.svc"
              binding="basicHttpBinding"
              bindingConfiguration="BasicHttpBinding_IClaimsCheckService"
              contract="ccs.IClaimsCheckService"
              name="BasicHttpBinding_IClaimsCheckService" />
  </client>
</system.serviceModel>
```

I've read through Dominick Baier's first-class series on WCF and identity in .NET 4.5. I've read through the dense MSDN article on claims-based authorization. Unlike other questions, I am not using an STS but creating the federated token in the website.

What I'm expecting

When the service is called, I expect the WCF client to send the principal on the client thread to the WCF service, so that when I perform `var claimsPrincipal = ClaimsPrincipal.Current;` on the server, it is the same principal.

What happens

ClaimsPrincipal.Current is empty (new) and does not contain the info from the client.

I have a feeling that creating my own token won't work because the WCF service has no way of decoding the claims. Also, I fear I cannot use basicHttpBinding with no security.

Thanks in advance!

There are a couple of weak points in your story, but I'll skip over them. (Ex: if you create the security token, you are the STS.) For what you want, there are several approaches. The standard (hard) way is to use the ws2007FederationHttpBinding binding on the service. It requires a full-blown STS supporting the WS-Trust protocol (with the SecurityTokenService class etc.). This is the approach I'd advise if the service needs to be called over the net and if standards are important (like in a mixed Java/C# environment).

In an intranet, one approach you can fall back on is passing the security token as part of the DataContract. Serialize the ClaimsPrincipal on the client (using the SecurityTokenHandler of your choice) and deserialize it in the service (using the same security token handler). Depending on your security requirements you can be more or less strict on the security of the serialized token. If it needs to be secure you can sign it on the client and verify the signature on the service (using either a symmetric key or a certificate, based on preference).

If you want the ClaimsPrincipal to be sent automatically, deserialized and assigned to ClaimsPrincipal.Current, you might consider creating a little WCF service behavior that sends the principal to the service and unpacks it at the service. The functionality in the behavior is the same as the second approach. It is a bit more work, but a reusable solution. If you're going that far with the behavior solution, approach 1 would be the better approach.

As a final remark: if you want to "check claims", you might want to use a ClaimsAuthorizationManager instead of a service for that. In that case you don't need to pass the ClaimsPrincipal over the wire.
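The second approach in the answer above (carry the claims inside a DataContract, sign on the client, verify on the service, then assign ClaimsPrincipal.Current), as an added example that is not part of the original question or answer. Instead of a WIF SecurityTokenHandler it uses a plain DataContract plus an HMAC-SHA256 over a length-prefixed canonical encoding of the claims and an expiry, which is the "symmetric key" option the answer mentions. The `ClaimsEnvelope` type, the `urn:example:claims-envelope` namespace, the `Envelope` authentication type and the shared key are all assumptions made for the example:

```csharp
using System;
using System.IO;
using System.Linq;
using System.Runtime.Serialization;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;

// Wire format: an ordinary DataContract passed as an operation parameter.
// Only claim types/values and an expiry travel; the HMAC binds all of them.
[DataContract(Namespace = "urn:example:claims-envelope")]
public class ClaimsEnvelope
{
    [DataMember(Order = 1)] public string[] Types { get; set; }
    [DataMember(Order = 2)] public string[] Values { get; set; }
    [DataMember(Order = 3)] public long ExpiresUtcTicks { get; set; }
    [DataMember(Order = 4)] public byte[] Signature { get; set; }
}

public static class ClaimsEnvelopeCodec
{
    // Canonical bytes covered by the MAC. BinaryWriter length-prefixes each
    // string, so "a|b"+"c" and "a"+"b|c" cannot collide.
    static byte[] Canonical(ClaimsEnvelope e)
    {
        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms, Encoding.UTF8))
        {
            w.Write(e.ExpiresUtcTicks);
            w.Write(e.Types.Length);
            for (int i = 0; i < e.Types.Length; i++) { w.Write(e.Types[i]); w.Write(e.Values[i]); }
            return ms.ToArray();
        }
    }

    // Client side (the MVC site): pack the current principal's claims and sign them.
    public static ClaimsEnvelope Pack(ClaimsPrincipal principal, byte[] sharedKey, TimeSpan lifetime)
    {
        var claims = principal.Claims.ToArray();
        var env = new ClaimsEnvelope
        {
            Types = claims.Select(c => c.Type).ToArray(),
            Values = claims.Select(c => c.Value).ToArray(),
            ExpiresUtcTicks = DateTime.UtcNow.Add(lifetime).Ticks,
        };
        using (var mac = new HMACSHA256(sharedKey)) env.Signature = mac.ComputeHash(Canonical(env));
        return env;
    }

    // Service side: verify signature and expiry, rebuild the principal, make it current.
    // Returns null and leaves Thread.CurrentPrincipal untouched on any failure.
    public static ClaimsPrincipal UnpackAndSetCurrent(ClaimsEnvelope env, byte[] sharedKey)
    {
        if (env == null || env.Types == null || env.Values == null || env.Signature == null
            || env.Types.Length != env.Values.Length) return null;
        byte[] expected;
        using (var mac = new HMACSHA256(sharedKey)) expected = mac.ComputeHash(Canonical(env));
        if (!FixedTimeEquals(expected, env.Signature)) return null;   // forged or tampered
        if (DateTime.UtcNow.Ticks > env.ExpiresUtcTicks) return null; // replayed after expiry
        var claims = env.Types.Select((t, i) => new Claim(t, env.Values[i]));
        // A non-null authentication type ("Envelope", assumed) makes Identity.IsAuthenticated true.
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Envelope"));
        Thread.CurrentPrincipal = principal;   // ClaimsPrincipal.Current reads this by default
        return principal;
    }

    // Constant-time compare so the MAC check does not leak a matching prefix via timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Assumed: the same 32-byte secret is provisioned on the website and the
        // service out of band; the literal here only lets the sample run stand-alone.
        byte[] key = Encoding.UTF8.GetBytes("replace-with-32-random-bytes!!!!");
        var cp = new ClaimsPrincipal(new ClaimsIdentity(new[] {
            new Claim("test", "test"),
            new Claim(ClaimTypes.NameIdentifier, "nameid") }, "Forms"));

        var env = ClaimsEnvelopeCodec.Pack(cp, key, TimeSpan.FromMinutes(5));
        // ...env travels as a parameter of the [OperationContract] call...
        var restored = ClaimsEnvelopeCodec.UnpackAndSetCurrent(env, key);
        Console.WriteLine("accepted: " + (restored != null && ClaimsPrincipal.Current.HasClaim("test", "test")));

        env.Values[0] = "admin";   // tamper in transit
        Console.WriteLine("tampered rejected: " + (ClaimsEnvelopeCodec.UnpackAndSetCurrent(env, key) == null));
    }
}
```

In the service this means adding a `ClaimsEnvelope` parameter to `CheckClaims` (or carrying it in a message header) and calling `UnpackAndSetCurrent` before any authorization check; with `aspNetCompatibilityEnabled="true"` you may also want to assign `HttpContext.Current.User`. The MAC authenticates the claims but does not hide them, so the endpoint should still run over HTTPS, and anyone who holds the shared key can mint arbitrary claims, which is why the expiry is short and the key must never be exposed to callers of the service.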

.net wcf wif claims-based-identity
