请求主体权限失败 - 可能是由于 windows 组?
Request for principal permission failed - probably due windows group?
我用谷歌搜索了这个错误,没有找到正确的答案。2 个月前我在做 MVC -> WCF 通信。它起作用了,然后我注释掉了 PrincipalPermission 属性以使其在本地主机(VS IIS Express)上运行。
重新启用后我收到错误消息"Request for principal permission failed."我想我的组有误。
WCF 端:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single, ConcurrencyMode = ConcurrencyMode.Multiple)]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
[PrincipalPermission(SecurityAction.Demand, Role = "Test_Group")]
public class TestService : ITestService
{
public int Test()
{
return 0;
}
}
客户端:
public async Task<ActionResult> Test()
{
Services.TestClientService testClient = new Services.TestClientService();
testClient.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
testClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
try
{
int response = await testClient.TestAsync();
}
catch(Exception ex)
{
System.Diagnostics.Debug.WriteLine(ex.Message);
}
return View();
}
WCF 网络配置:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<!-- serviceAuthorizationManagerType="MyProject.Common.RoleAuthorizationManager, MyProject" -->
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="MyProject.Common.AuthorizationPolicy, MyProject" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyProject.Common.IdentityValidator, MyProject" />
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="MyProject.TestService" behaviorConfiguration="authBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="MyProject.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<!-- <protocolMapping>
<add binding="wsDualHttpBinding" scheme="https" />
</protocolMapping>-->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
客户端网络配置:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior>
<customInspector />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" />
</basicHttpBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<extensions>
<behaviorExtensions>
<add name="customInspector" type="MyMVC.Services.WCF.Behavior, MyMVC" />
</behaviorExtensions>
</extensions>
<client>
<endpoint address="http://localhost:9999/TestService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
contract="MyMVC.Services.ITestService" name="wsHttpEndpointBinding_ITestService" />
</client>
我无法访问 WCF AuthorizationPolicy.cs 来检查是否设置了 Thread.CurrentPrincipal。
知道如何调试错误吗?我认为这是 windows 中 Test_Group 的问题。 WCF 和 MVC 在 IIS 中运行。 MVC 在属于 Test_Group.
的 IIS APPPOOL\MVC 下运行
感谢您的帮助。
Test_Group 是本地组还是 Active Directory 中的组?如果是后者,它应该以您的域名为前缀,后跟反斜杠。所以"Domain\Test_Group"
如果没有尝试删除最后一个属性并将以下内容放在函数的开头。
PrincipalPermission pp = new PrincipalPermission(null, @"Test_Group");
pp.Demand();
将 PrincipalPermission 属性从 class 级别移动到方法级别。
文章:https://social.msdn.microsoft.com/Forums/vstudio/en-US/41c5a8c6-8d17-41c7-9714-4e47296ba75d/principalpermission-attribute-on-class-level-in-wcf-service?forum=wcf(最后 post 提到它不能用于 WCF 的 class 级别:/)
我用谷歌搜索了这个错误,没有找到正确的答案。2 个月前我在做 MVC -> WCF 通信。它起作用了,然后我注释掉了 PrincipalPermission 属性以使其在本地主机(VS IIS Express)上运行。
重新启用后我收到错误消息"Request for principal permission failed."我想我的组有误。
WCF 端:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.Single, ConcurrencyMode = ConcurrencyMode.Multiple)]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
[PrincipalPermission(SecurityAction.Demand, Role = "Test_Group")]
public class TestService : ITestService
{
public int Test()
{
return 0;
}
}
客户端:
public async Task<ActionResult> Test()
{
Services.TestClientService testClient = new Services.TestClientService();
testClient.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;
testClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
try
{
int response = await testClient.TestAsync();
}
catch(Exception ex)
{
System.Diagnostics.Debug.WriteLine(ex.Message);
}
return View();
}
WCF 网络配置:
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior name="authBehavior">
<!-- serviceAuthorizationManagerType="MyProject.Common.RoleAuthorizationManager, MyProject" -->
<serviceAuthorization principalPermissionMode="UseWindowsGroups">
<authorizationPolicies>
<add policyType="MyProject.Common.AuthorizationPolicy, MyProject" />
</authorizationPolicies>
</serviceAuthorization>
<serviceCredentials>
<userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="MyProject.Common.IdentityValidator, MyProject" />
<serviceCertificate findValue="localhost" storeLocation="LocalMachine" x509FindType="FindBySubjectName" storeName="My" />
</serviceCredentials>
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="svcBehavior">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
<behavior name="">
<serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service name="MyProject.TestService" behaviorConfiguration="authBehavior">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding" contract="MyProject.ITestService" />
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<!-- <protocolMapping>
<add binding="wsDualHttpBinding" scheme="https" />
</protocolMapping>-->
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
客户端网络配置:
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior>
<customInspector />
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="BasicHttpBinding" />
</basicHttpBinding>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security mode="Message">
<message clientCredentialType="Windows" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<extensions>
<behaviorExtensions>
<add name="customInspector" type="MyMVC.Services.WCF.Behavior, MyMVC" />
</behaviorExtensions>
</extensions>
<client>
<endpoint address="http://localhost:9999/TestService.svc"
binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
contract="MyMVC.Services.ITestService" name="wsHttpEndpointBinding_ITestService" />
</client>
我无法访问 WCF AuthorizationPolicy.cs 来检查是否设置了 Thread.CurrentPrincipal。
知道如何调试错误吗?我认为这是 windows 中 Test_Group 的问题。 WCF 和 MVC 在 IIS 中运行。 MVC 在属于 Test_Group.
的 IIS APPPOOL\MVC 下运行感谢您的帮助。
Test_Group 是本地组还是 Active Directory 中的组?如果是后者,它应该以您的域名为前缀,后跟反斜杠。所以"Domain\Test_Group"
如果没有尝试删除最后一个属性并将以下内容放在函数的开头。
PrincipalPermission pp = new PrincipalPermission(null, @"Test_Group");
pp.Demand();
将 PrincipalPermission 属性从 class 级别移动到方法级别。
文章:https://social.msdn.microsoft.com/Forums/vstudio/en-US/41c5a8c6-8d17-41c7-9714-4e47296ba75d/principalpermission-attribute-on-class-level-in-wcf-service?forum=wcf(最后 post 提到它不能用于 WCF 的 class 级别:/)