IIS hosted WCF over HTTPS: using location tags to control access to different endpoints

Problem description

My task is to set up WCF in IIS, and I need to control access to different endpoints with different sets of users. I can set up https. When I try to set permissions in IIS using the <location> tag, it doesn't seem to work.

I have two user names, one is xxx.luo and the other is xxx.luo2. I would like Service1.svc to be accessible only by xxx.luo, and Service2.svc only by xxx.luo2. But with the configuration below, I can only get xxx.luo to access both endpoints.

For xxx.luo2, I always get the following error message:

"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. The remote server returned an error: (401) Unauthorized."

Do you have any suggestions? Is it possible to control permissions this way?

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfService1.Service1">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService1" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
      <service name="WcfService1.Service2">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService2" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" roles="xxx.luo" />
      </authorization>
    </security>
  </system.webServer>
  <location path="Default Web Site/Service2.svc" allowOverride="false" inheritInChildApplications="false">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
        <authorization>
          <remove users="*" roles="" verbs="" />
          <add accessType="Allow" roles="xxx.luo2" />
        </authorization>
      </security>
    </system.webServer>
  </location>
</configuration>

Tags: wcf, iis, https, permissions, location

Solution


With the help of a colleague who already enjoys a good reputation on stackoverflow, I (he) found the solution.

  1. I needed to make both of my user names, xxx.luo and xxx.luo2, able to access both pages in the <system.webServer> tag
  2. In the <location> tag for the page Service1.svc, I removed access for xxx.luo2
  3. In the <location> tag for the page Service2.svc, I removed access for xxx.luo

The web.config is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.6.1" />
    <httpRuntime targetFramework="4.6.1" />
  </system.web>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- TLS on the wire; Windows (Negotiate/NTLM) authentication at the transport level -->
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="Windows" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>
    <services>
      <service name="WcfService1.Service1">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService1" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
      <service name="WcfService1.Service2">
        <endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService2" />
        <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <serviceMetadata httpsGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true" />
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <windowsAuthentication enabled="true" />
      </authentication>
      <!-- Step 1: IIS URL authorization for the whole application.
           Remove the inherited allow-everyone rule, then allow both users. -->
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="xxx.luo" />
        <add accessType="Allow" users="xxx.luo2" />
      </authorization>
    </security>
  </system.webServer>

  <!-- Step 2: Service1.svc is for xxx.luo only, so deny xxx.luo2 there
       (ASP.NET URL authorization; the location path is relative to this web.config). -->
  <location path="Service1.svc">
    <system.web>
      <authorization>
        <deny users="companydomain\xxx.luo2" />
      </authorization>
    </system.web>
  </location>

  <!-- Step 3: Service2.svc is for xxx.luo2 only, so deny xxx.luo there. -->
  <location path="Service2.svc">
    <system.web>
      <authorization>
        <deny users="companydomain\xxx.luo" />
      </authorization>
    </system.web>
  </location>
</configuration>
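A check that the two rule sets actually produce the intended result, as an added example that is not part of the original question or answer: run this script once as each Windows account; it requests both .svc endpoints with that account's credentials and compares the outcome with the policy (Service1.svc for xxx.luo only, Service2.svc for xxx.luo2 only). The host name https://wcf.example.internal, the domain prefix COMPANYDOMAIN and the script file name are assumptions.

```powershell
# Added verification script, not part of the original question or answer.
# Assumptions (hypothetical): the site is served at https://wcf.example.internal
# and the accounts are COMPANYDOMAIN\xxx.luo and COMPANYDOMAIN\xxx.luo2.
# Run it once per account, e.g.:
#   runas /user:COMPANYDOMAIN\xxx.luo2 "powershell.exe -File .\Test-EndpointAccess.ps1"
# so that -UseDefaultCredentials sends that account's Windows credentials.

$BaseUrl = 'https://wcf.example.internal'

# Intended policy from the answer: each endpoint has exactly one allowed user.
$Policy = [ordered]@{
    'Service1.svc' = 'COMPANYDOMAIN\xxx.luo'
    'Service2.svc' = 'COMPANYDOMAIN\xxx.luo2'
}

# Identity of the account running the script, in DOMAIN\user form.
$Me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Get-HttpStatus {
    param([string]$Url)
    # Windows PowerShell 5.1 throws WebException on 401/403 and PowerShell 7
    # throws HttpResponseException; both expose the response and its status code.
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Get -UseDefaultCredentials -UseBasicParsing
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw   # connection or TLS failure, not an authorization result
    }
}

function Test-EndpointAccess {
    param([string]$Path, [string]$AllowedUser)
    $expectAllow = ($Me -ieq $AllowedUser)
    $status      = Get-HttpStatus -Url "$BaseUrl/$Path"
    $gotAllow    = ($status -eq 200)   # anything else (401, 403) counts as denied
    [pscustomobject]@{
        User     = $Me
        Endpoint = $Path
        Status   = $status
        Expected = if ($expectAllow) { 'allow' } else { 'deny' }
        Result   = if ($gotAllow -eq $expectAllow) { 'PASS' } else { 'FAIL' }
    }
}

$results = foreach ($entry in $Policy.GetEnumerator()) {
    Test-EndpointAccess -Path $entry.Key -AllowedUser $entry.Value
}
$results | Format-Table -AutoSize

# Non-zero exit so the check can run from a deployment pipeline.
if ($results.Result -contains 'FAIL') { exit 1 }
```

A GET on the .svc URL hits the service help page, so a 200 only proves that IIS and ASP.NET let the request through to WCF, which is exactly what the location rules control. If a row you expected to PASS comes back FAIL, compare the printed User value with the spelling used in the rules: the IIS <authorization> rules in the answer use bare user names while the <system.web> deny rules use the domain-qualified form, and both are matched against the authenticated identity, so the two rule sets should name the account the same way the server reports it.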
