c# - Custom httpHeader or soap header into claims-based authorization by endpoint/contract


I have a ServiceHost that implements many contracts on various endpoints and bindings ((http & https) x (rest & soap) with anonymous access, Windows, or custom authentication, bound depending on the contract) and net.tcp with Windows authentication. The custom authentication is embedded in http or soap headers. Each endpoint and contract has a purpose. It should be manageable on a single ServiceHost - I don't want to split it up.

I've gotten to the point where the endpoints work and serve content correctly, but authentication/authorization isn't integrated into the WCF stack. I have been using a MessageInspector to handle validation of the authentication header and allowing the request if the token is valid.

Now I want to integrate authentication/authorization into the WCF stack. I want to be able to access the identity and check claims in each operation's implementation, and perhaps basic claims can be authorized centrally: "are these claims authorizing at all in this contract?" (by contract type).

In the case of custom authentication, I have a signed/secure token that includes a custom implementation of identity and property claims, which I can extract and convert to WCF claims upon receipt (even if I don't know where to put them once I've got them). For Windows authentication, I need to access the default Windows identity stuff.

I can set ServiceAuthenticationManager and ServiceAuthorizationManager each to custom values, but it's not doing what I want and I'm getting totally lost.

For example, the ReadOnlyCollection<IAuthorizationPolicy> authPolicy coming into Authenticate() seems inconsistent - it's empty, or has 1 UnconditionalPolicy, or has 2 or more (4?) of my custom IAuthorizationPolicy in there. Meanwhile IAuthorizationPolicy.Evaluate() gets executed anywhere from 0 to ~9 times per request. Sometimes, within IAuthorizationPolicy.Evaluate(), OperationContext.Current is null! And EvaluationContext.ClaimSets has a ClaimSet. Yet state is null when I gave it a value in the previous enactment.

Rather than tackling these problems individually, I think it'd be better to step back and ask for a high-level explanation of what I should do/expect to see.

Authentication: when a request comes into the ServiceHost, it needs to be authenticated. At this point in the pipeline, I don't need to know what you can do, just who you are. If a client submits both Windows credentials and a custom authentication ticket to a contract/binding that requires the custom authentication ticket, the service shouldn't be tricked into evaluating the wrong one. Perhaps at this stage in the WCF pipeline the contract hasn't been resolved, so perhaps during this stage all found identities/claims/tokens should be captured and selected among later. Right? How is this done?

Message inspection: I have a custom MessageInspector that I'll still need for CORS support and OPTIONS request processing on some of the endpoints. I believe this happens after authentication and before authorization. In the case of OPTIONS, I set the ref message to null and skip the operation entirely, jumping straight to BeforeSendReply. Clients don't send an auth token on the CORS OPTIONS preflight request, so I allow these requests unconditionally.

Authorization: depending on the contract, I want to require some authentication mechanisms and ignore others. I believe this setup needs to prepare the thread principal and the operation context principal with the correct value. It seems multiple authorization policies can be in play at once. How do they interact?

Operation: I want to be able to implement each operation assuming the identity of the caller was authenticated using a supported authentication (by contract; I'm ok with maintaining this hard-coded somewhere once) and the caller identity was validated, and assert simple permission checks against the verified claims.

How do I achieve this (code preferred over config XML)?

thanks!
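The post above has no answer on this page. As an added illustration (editor's example, not the asker's code and not a WCF sample), the following shows one way the "authorization" and "operation" steps above can be centralised in a single ServiceAuthorizationManager: by the time CheckAccessCore runs, the transport has already authenticated any Windows credential and the endpoint's contract is known, so the manager can decide per contract which credential it trusts, reject requests that carry only the wrong one, and hand WCF a principal that operations then see on Thread.CurrentPrincipal. The header name `X-Auth-Token`, the SOAP header namespace, the contract name `IPublicApi`, the role claim type, the `ITokenVerifier` interface (standing in for the asker's existing signed-token validation) and the use of `PrincipalPermissionMode.Custom` are all assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Claims;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

// Hypothetical verifier for the signed token: checks the signature and returns the
// token's claims as WCF claims, or null when the token is missing or invalid.
public interface ITokenVerifier
{
    IList<Claim> Verify(string token);
}

// Minimal IPrincipal over WCF claims so IsInRole / PrincipalPermission work in operations.
public sealed class ClaimsPrincipalShim : IPrincipal
{
    public const string RoleClaimType = "urn:example:role"; // assumed claim type for roles
    private readonly IList<Claim> _claims;
    private readonly IIdentity _identity;

    public ClaimsPrincipalShim(IList<Claim> claims)
    {
        _claims = claims;
        string name = null;
        foreach (Claim c in claims)
            if (c.ClaimType == ClaimTypes.Name && c.Right == Rights.PossessProperty) name = c.Resource as string;
        _identity = new GenericIdentity(name ?? string.Empty, "CustomToken");
    }

    public IIdentity Identity { get { return _identity; } }

    public bool IsInRole(string role)
    {
        foreach (Claim c in _claims)
            if (c.ClaimType == RoleClaimType && string.Equals(c.Resource as string, role, StringComparison.Ordinal))
                return true;
        return false;
    }
}

// One authorization manager for the whole host. It runs after transport authentication and
// after message inspection, with the contract resolved, so the trusted credential is chosen per contract.
public class ContractScopedAuthorizationManager : ServiceAuthorizationManager
{
    public const string HeaderName = "X-Auth-Token";          // assumed HTTP / SOAP header name
    public const string HeaderNamespace = "urn:example:auth"; // assumed SOAP header namespace

    private readonly ITokenVerifier _verifier;
    private readonly HashSet<string> _customTokenContracts;

    public ContractScopedAuthorizationManager(ITokenVerifier verifier, IEnumerable<string> customTokenContracts)
    {
        _verifier = verifier;
        _customTokenContracts = new HashSet<string>(customTokenContracts, StringComparer.Ordinal);
    }

    protected override bool CheckAccessCore(OperationContext ctx)
    {
        if (ctx.ServiceSecurityContext == null) return false;

        // CORS preflight carries no credential; the message inspector answers it.
        HttpRequestMessageProperty http = GetHttp(ctx);
        if (http != null && http.Method == "OPTIONS") return true;

        IPrincipal principal;
        if (_customTokenContracts.Contains(ctx.EndpointDispatcher.ContractName))
        {
            // Only the custom ticket counts on these contracts; a Windows identity that
            // happens to be present on the same request is deliberately not consulted.
            string token = ReadToken(ctx, http);
            IList<Claim> claims = token == null ? null : _verifier.Verify(token);
            if (claims == null) return false; // WCF turns this into an access-denied fault
            principal = new ClaimsPrincipalShim(claims);
        }
        else
        {
            // Windows-authenticated contracts use the identity the transport established.
            WindowsIdentity wi = ctx.ServiceSecurityContext.WindowsIdentity;
            if (wi == null || wi.IsAnonymous) return false;
            principal = new WindowsPrincipal(wi);
        }

        // Under PrincipalPermissionMode.Custom, WCF copies this principal onto
        // Thread.CurrentPrincipal before the operation body runs.
        ctx.ServiceSecurityContext.AuthorizationContext.Properties["Principal"] = principal;
        return true;
    }

    private static HttpRequestMessageProperty GetHttp(OperationContext ctx)
    {
        object p;
        return ctx.IncomingMessageProperties.TryGetValue(HttpRequestMessageProperty.Name, out p)
            ? (HttpRequestMessageProperty)p : null;
    }

    // The ticket may arrive as an HTTP header (REST, SOAP over HTTP) or as a SOAP header.
    private static string ReadToken(OperationContext ctx, HttpRequestMessageProperty http)
    {
        if (http != null)
        {
            string v = http.Headers[HeaderName];
            if (!string.IsNullOrEmpty(v)) return v;
        }
        int i = ctx.IncomingMessageHeaders.FindHeader(HeaderName, HeaderNamespace);
        return i >= 0 ? ctx.IncomingMessageHeaders.GetHeader<string>(i) : null;
    }
}

// Host wiring in code rather than config: the same manager serves every endpoint.
public static class HostSetup
{
    public static void Configure(ServiceHost host, ITokenVerifier verifier)
    {
        host.Authorization.ServiceAuthorizationManager =
            new ContractScopedAuthorizationManager(verifier, new[] { "IPublicApi" }); // assumed contract name
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
    }
}
```

With this in place an operation can check `Thread.CurrentPrincipal.IsInRole("Reader")` or declare `[PrincipalPermission(SecurityAction.Demand, Role = "Reader")]`, and read the raw claims from `ServiceSecurityContext.Current.AuthorizationContext.ClaimSets`. Keeping the per-contract rule in CheckAccessCore rather than in IAuthorizationPolicy.Evaluate also sidesteps the problem noted in the post that OperationContext.Current can be null inside Evaluate, because the policy stage runs before the operation context is fully established.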

