如何:创建自定义安全令牌身份验证器

发布网友 发布时间：2022-05-02 01:52

我来回答

共1个回答

热心网友 时间：2022-04-23 01:23

重写CanValidateTokenCore 方法。此方法返回 true 或false，具体取决于自定义身份验证器是否可以验证传入的令牌类型。重写ValidateTokenCore 方法。此方法需要适当地验证令牌内容。如果此令牌通过验证步骤，它将返回 IAuthorizationPolicy 实例的集合。下面的示例使用将在后面的过程中创建的自定义授权策略实现。 Visual Basic FriendClass MySecurityTokenAuthenticator Inherits SecurityTokenAuthenticator ProtectedOverridesFunction CanValidateTokenCore(ByVal token As SecurityToken) AsBoolean ' Check that the incoming token is a username token type that ' can be validated by this implementation. Return (TypeOf token Is UserNameSecurityToken) EndFunctionProtectedOverridesFunction ValidateTokenCore(ByVal token As SecurityToken) As ReadOnlyCollection(Of IAuthorizationPolicy) Dim userNameToken = TryCast(token, UserNameSecurityToken) ' Validate the information contained in the username token. For demonstration ' purposes, this code just checks that the user name matches the password. If userNameToken.UserName userNameToken.Password ThenThrowNew SecurityTokenValidationException("Invalid user name or password") EndIf ' Create just one Claim instance for the username token - the name of the user. Dim userNameClaimSet AsNew DefaultClaimSet(ClaimSet.System, _ New Claim(ClaimTypes.Name, _ userNameToken.UserName, _ Rights.PossessProperty)) Dim policies AsNew List(Of IAuthorizationPolicy)(1) policies.Add(New MyAuthorizationPolicy(userNameClaimSet)) Return policies.AsReadOnly() EndFunctionEndClass C# internal class MySecurityTokenAuthenticator : SecurityTokenAuthenticator { protected override bool CanValidateTokenCore(SecurityToken token) { // Check that the incoming token is a username token type that // can be validated by this implementation.return (token is UserNameSecurityToken); } protected override ReadOnlyCollection ValidateTokenCore(SecurityToken token) { UserNameSecurityToken userNameToken = token as UserNameSecurityToken; // Validate the information contained in the username token. For demonstration // purposes, this code just checks that the user name matches the password.if (userNameToken.UserName != userNameToken.Password) { throw new SecurityTokenValidationException("Invalid user name or password"); } // Create just one Claim instance for the username token - the name of the user. DefaultClaimSet userNameClaimSet = new DefaultClaimSet( ClaimSet.System, new Claim(ClaimTypes.Name, userNameToken.UserName, Rights.PossessProperty)); List policies = new List(1); policies.Add(new MyAuthorizationPolicy(userNameClaimSet)); return policies.AsReadOnly(); } } 前面的代码返回集合中的授权策略的 CanValidateToken(SecurityToken) 方法。WCF 不提供此接口的公共实现。下面的过程演示如何针对您自己的要求实现此目的。创建自定义授权策略定义一个实现 IAuthorizationPolicy 接口的新类。实现Id 只读属性。实现此属性的一个方法是在类构造函数中生成一个全局唯一标识符 (GUID)，并在每次请求此属性的值时返回该标识符。实现Issuer 只读属性。此属性需要返回从令牌获取的声明集的颁发者。此颁发者应该与令牌颁发者负责验证令牌内容的颁发机构相对应。下面的示例使用了颁发者声明，该声明从前面的过程中创建的自定义安全令牌身份验证器传递给此类。自定义安全令牌身份验证器使用系统提供的声明集（由 System 属性返回）来表示用户名令牌的颁发者。实现Evaluate 方法。此方法使用基于传入安全令牌内容的声明来填充 EvaluationContext 类的实例（以参数形式传入）。当此方法完成计算时返回 true。如果该实现依赖于为计算上下文提供附加信息的其他授权策略，则在计算上下文中不存在所要求的信息时，此方法可返回 false。在这种情况下，如果这些授权策略之中至少有一个修改了计算上下文，WCF 在计算为传入消息生成的所有其他授权策略后，将再次调用此方法。 Visual Basic FriendClass MyServiceCredentialsSecurityTokenManager Inherits ServiceCredentialsSecurityTokenManager Private credentials As ServiceCredentials PublicSubNew(ByVal credentials As ServiceCredentials) MyBase.New(credentials) Me.credentials = credentials EndSubPublicOverridesFunction CreateSecurityTokenAuthenticator(ByVal tokenRequirement As SecurityTokenRequirement, _ _ ByRef outOfBandTokenResolver _ As SecurityTokenResolver) As SecurityTokenAuthenticator ' Return your implementation of the SecurityTokenProvider based on the ' tokenRequirement argument. Dim result As SecurityTokenAuthenticator If tokenRequirement.TokenType = SecurityTokenTypes.UserName ThenDim direction = tokenRequirement.GetProperty(Of MessageDirection)(ServiceModelSecurityTokenRequirement.MessageDirectionProperty) If direction = MessageDirection.Input Then outOfBandTokenResolver = Nothing result = New MySecurityTokenAuthenticator() Else result = MyBase.CreateSecurityTokenAuthenticator(tokenRequirement, _ outOfBandTokenResolver) EndIfElse result = MyBase.CreateSecurityTokenAuthenticator(tokenRequirement, _ outOfBandTokenResolver) EndIfReturn result EndFunctionEndClass C# internal class MyServiceCredentialsSecurityTokenManager : ServiceCredentialsSecurityTokenManager { ServiceCredentials credentials; public MyServiceCredentialsSecurityTokenManager(ServiceCredentials credentials) : base(credentials) { this.credentials = credentials; } public override SecurityTokenAuthenticator CreateSecurityTokenAuthenticator (SecurityTokenRequirement tokenRequirement, out SecurityTokenResolver outOfBandTokenResolver) { // Return your implementation of the SecurityTokenProvider based on the // tokenRequirement argument. SecurityTokenAuthenticator result; if (tokenRequirement.TokenType == SecurityTokenTypes.UserName) { MessageDirection direction = tokenRequirement.GetProperty (ServiceModelSecurityTokenRequirement.MessageDirectionProperty); if (direction == MessageDirection.Input) { outOfBandTokenResolver = null; result = new MySecurityTokenAuthenticator(); } else { result = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } } else { result = base.CreateSecurityTokenAuthenticator(tokenRequirement, out outOfBandTokenResolver); } return result; } } 演练：创建自定义客户端和服务凭据 说明如何创建自定义凭据和自定义安全令牌管理器。若要使用此处创建的自定义安全令牌身份验证器，可以修改安全令牌管理器的实现，以便从 CreateSecurityTokenAuthenticator 方法返回自定义身份验证器。当传入适当的安全令牌要求时，该方法将返回身份验证器。 Visual Basic FriendClass MyAuthorizationPolicy Implements IAuthorizationPolicy Private _id AsStringPrivate _tokenClaims As ClaimSet Private _issuer As ClaimSet PublicSubNew(ByVal tokenClaims As ClaimSet) If _tokenClaims IsNothingThenThrowNew ArgumentNullException("tokenClaims") EndIfMe._issuer = tokenClaims.Issuer Me._tokenClaims = tokenClaims Me._id = Guid.NewGuid().ToString() EndSubPublicReadOnlyProperty Issuer() As ClaimSet Implements IAuthorizationPolicy.Issuer GetReturn _issuer EndGetEndPropertyPublicReadOnlyProperty Id() AsStringImplements System.IdentityModel.Policy.IAuthorizationComponent.Id GetReturn _id EndGetEndPropertyPublicFunction Evaluate(ByVal evaluationContext As EvaluationContext, _ ByRef state AsObject) AsBooleanImplements IAuthorizationPolicy.Evaluate ' Add the token claim setto the evaluation context. evaluationContext.AddClaimSet(Me, _tokenClaims) ' Returntrueif the policy evaluation is finished. ReturnTrueEndFunctionEndClass C# internal class MyAuthorizationPolicy : IAuthorizationPolicy { string id; ClaimSet tokenClaims; ClaimSet issuer; public MyAuthorizationPolicy(ClaimSet tokenClaims) { if (tokenClaims == null) { throw new ArgumentNullException("tokenClaims"); } this.issuer = tokenClaims.Issuer; this.tokenClaims = tokenClaims; this.id = Guid.NewGuid().ToString(); } public ClaimSet Issuer { get { return issuer; } } publicstring Id { get { return id; } } publicbool Evaluate(EvaluationContext evaluationContext, ref object state) { // Add the token claim set to the evaluation context. evaluationContext.AddClaimSet(this, tokenClaims); // Return true if the policy evaluation is finished.returntrue; } }