为什么WCF不允许没有一个HTTP模块,用户名/密码,通过交通运输的安全认证模式不允许、安全认证、模块、交通运输
我想使用传输安全模式,用户名/口令认证和SSL,它工作正常使用Windows身份验证:
I want to use transport security mode with username/password authentication and ssl, it works fine with windows authentication:
<transport clientCredentialType="Windows"/>
我发现在MSDN上的一篇文章,解释如何做传输安全模式下的用户名/密码认证,但自定义HTTP模块是必需的。我很感兴趣,为什么没有默认的安全模式,如:
I found an article on msdn that explain how to do username/password authentication with transport security mode, but custom http module is required. I am interested why there is no default security mode like:
<transport clientCredentialType="Username"/>
我很好的信息安全模式如果我需要的用户名/密码认证,但如果所有的网站使用HTTPS / SSL认证不应该有一个问题,在WCF这样做。 先谢谢了。
I am fine with message security mode if i need username/password authentication, but if all sites uses https/ssl for authentication there shouldn't be a problem doing so in wcf. Thanks in advance.
推荐答案
现在的问题是错误地问。 WCF允许使用传输的安全性与自定义的用户名/密码验证。传输安全模式使用标准化的认证方式,给定的传输协议和HTTP没有任何规范的用户名身份验证模式。它相当于模式称为基本身份验证:
The question is wrongly asked. WCF allows using transport security with custom user name / password validation. Transport security modes use standardized authentication modes for given transport protocol and HTTP doesn't have any standardized "UserName" authentication mode. It has equivalent mode called Basic authentication:
<security mode="Transport">
<transport clientCredentialType="Basic" />
</security>
在默认情况下基本认证期望Windows帐户,但你可以切换使用验证的自定义 UserNamePasswordValidator 。的问题是,这仅适用于自托管服务。在IIS托管服务时,它不工作。这就是为什么这个问题被错误地问。这个问题是不是在WCF,但在IIS中。
By default Basic authentication expects Windows account but you can switch validation with custom UserNamePasswordValidator. The problem is that this works only with self hosted services. It doesn't work when hosting services in IIS. This is why the question is wrongly asked. The problem is not in WCF but in IIS.
当你在IIS托管服务,它需要进行身份验证和认证的责任。在IIS中的基本身份验证默认仅支持Windows帐户。这就是为什么你需要自定义模块使用非Windows帐户的原因。
When you host the service in IIS, it takes responsibility for authentication and authentication. Default module for Basic authentication in IIS supports only Windows accounts. That is the reason why you need custom module to use non windows account.
由于@Marc中你也可以使用 TransportWithMessageCredential 安全模式下的评论中提到:
As @Marc mentioned in comment you can also use TransportWithMessageCredential security mode:
<security mode="TransportWithMessageCredential">
<message clientCredentialType="UserName" />
</security>
在这种情况下认证不上传输协议执行的。这是消息的一部分(它使用WS-Security的UserNameToken配置文件标准)。您可以再次使用自定义的 UserNamePasswordValidator 这一次,它同时适用于自托管和IIS托管SOAP服务(SOAP是强制性要求)。
In this scenario authentication is not performed on transport protocol. It is part of message (it uses WS-Security's UserNameToken profile standard). You can again use custom UserNamePasswordValidator and this time it works for both self hosted and IIS hosted SOAP services (SOAP is mandatory requirement).
