Pet*_*ron 5 c# authentication wcf windows-services ipc
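My GUI application controls its sister Windows service using WCF's NetNamedPipeBinding. I want to prevent other applications from impersonating my GUI application and controlling my service.
Is it necessary to authenticate the GUI application to the Windows service to prevent impersonation?
How should I go about it?
Edit: Remote computers should also be able to control the service, given that they are authenticated (trusted by the service), so I need to add a NetTcpBinding endpoint. Any answer that incorporates this too would be helpful.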
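Yes, it is necessary to secure the WCF channel to prevent impersonation. WCF can encrypt your communications automatically when you instruct it to, but you need to handle the authentication part yourself.
There are two methods of securing messages in WCF (three, if you count the fact that you can use both of them simultaneously). There is a good high-level explanation here. Which of these methods you can use depends on which binding we are talking about (you will have different options for different bindings).
Furthermore, for each method of securing the service, you can choose between authentication credential types (the actual means by which each entity proves its identity to the other endpoint). This depends on the binding and also on the security method.
To see what the options are for each binding, you can check its Security property. This property is of a different type for each binding (e.g. NetTcpSecurity); you can check MSDN or IntelliSense to find this out.
From now on, I'll be using NetTcpBinding with transport security as an example.
To set up security, both in the server and in the client part, you must first configure your binding with the security mode and authentication type before creating and opening the channel, e.g.: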
var binding = new NetTcpBinding { /* set props here */ };
// TLS security with X.509 certificates
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
Then, on the server side (this example is specific to the choices made above):
// Load and set the server certificate
var serverCertificate = new X509Certificate2(/* parameters here */);
host.Credentials.ServiceCertificate.Certificate = serverCertificate;
// You can leave it at that and let Windows validate the client's certificate using
// the default method (which means that you either need to have added the client's
// certificate to the server machine's certificate store as "trusted", or rely on chain
// trust and have the client's certificate signed by a trusted authority).
// Or, you can use custom validation rules:
var authentication = host.Credentials.ClientCertificate.Authentication;
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();
And on the client side (this example is also specific):
var clientCertificate = new X509Certificate2(/* parameters here */);
var factory = new ChannelFactory<IYourServiceInterface>(binding, endpoint);
factory.Credentials.ClientCertificate.Certificate = clientCertificate;
// You can leave it at that and let Windows validate the server's certificate using
// the default method (which means that you either need to have added the server's
// certificate to the client machine's certificate store as "trusted", or rely on chain
// trust and have the server's certificate signed by a trusted authority).
// Or, you can use custom validation rules:
var authentication = factory.Credentials.ServiceCertificate.Authentication;
authentication.CertificateValidationMode = X509CertificateValidationMode.Custom;
authentication.CustomCertificateValidator = new AcceptAnythingCertificateValidator();
var channel = factory.CreateChannel();
// Your channel is now ready for use! You can also cast to IClientChannel
// to expose some more properties.
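The answer plugs a custom validator into CustomCertificateValidator on both sides but does not show one. The following is an added example, not code from the answer: a validator that accepts only certificates whose SHA-256 fingerprint is on an explicit allow-list. The class name PinnedCertificateValidator and the fingerprint allow-list are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical validator (name and allow-list are assumptions, not from the answer).
// Accepts a peer certificate only if it is currently valid and explicitly pinned.
// Usage: authentication.CustomCertificateValidator = new PinnedCertificateValidator(pins);
public sealed class PinnedCertificateValidator : X509CertificateValidator
{
    private readonly HashSet<string> _allowed;

    public PinnedCertificateValidator(IEnumerable<string> allowedSha256Fingerprints)
    {
        if (allowedSha256Fingerprints == null)
            throw new ArgumentNullException(nameof(allowedSha256Fingerprints));
        _allowed = new HashSet<string>(
            allowedSha256Fingerprints.Select(Normalize), StringComparer.Ordinal);
        if (_allowed.Count == 0)
            throw new ArgumentException("At least one fingerprint is required.");
    }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No certificate presented.");

        DateTime now = DateTime.Now; // NotBefore/NotAfter are reported in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new SecurityTokenValidationException("Certificate is outside its validity period.");

        string fingerprint;
        using (var sha256 = SHA256.Create())
            fingerprint = Normalize(BitConverter.ToString(sha256.ComputeHash(certificate.RawData)));

        if (!_allowed.Contains(fingerprint))
            throw new SecurityTokenValidationException("Certificate is not on the allow-list.");
    }

    // Strip separators and case so "AB:CD", "ab-cd" and "ABCD" compare equal.
    private static string Normalize(string hex) =>
        new string(hex.Where(c => Uri.IsHexDigit(c)).ToArray()).ToUpperInvariant();
}
```

WCF treats an exception thrown from Validate as an authentication failure, so a peer presenting any certificate that is not pinned never gets a usable channel.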