IIS-hosted WCF over HTTPS: using the <location> tag to control access to different endpoints
My task is to set up WCF in IIS, and I need to control access to different endpoints for different groups of users. I was able to set up HTTPS. When I try to set permissions in IIS using the <location> tag, it does not seem to work.
I have two user names, xxx.luo and xxx.luo2. I would like Service1.svc to be accessible only by xxx.luo and Service2.svc only by xxx.luo2. But with the configuration below, I can only get xxx.luo to access both endpoints.
For xxx.luo2 I always get the following error message:
"The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate,NTLM'. The remote server returned an error: (401) Unauthorized."
Do you have any suggestions? Can permissions be controlled this way?
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WcfService1.Service1">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
<service name="WcfService1.Service2">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService2" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true"/>
</authentication>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="xxx.luo"/>
</authorization>
</security>
</system.webServer>
<location path="Default Web Site/Service2.svc" allowOverride="false" inheritInChildApplications="false">
<system.webServer>
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true"/>
</authentication>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="xxx.luo2"/>
</authorization>
</security>
</system.webServer>
</location>
</configuration>
With the help of a colleague who already has a lot of Stack Overflow reputation, I (he) found the solution.
- I need to allow both of my user names, xxx.luo and xxx.luo2, to access both pages in the <system.webServer> tag
- In the <location> tag for the page Service1.svc, I removed access for xxx.luo2
- In the <location> tag for the page Service2.svc, I removed access for xxx.luo
The web.config is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<appSettings>
<add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
</appSettings>
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.6.1" />
</system.web>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="secureHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<services>
<service name="WcfService1.Service1">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService1" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
<service name="WcfService1.Service2">
<endpoint address="" binding="basicHttpBinding" bindingConfiguration="secureHttpBinding" contract="WcfService1.IService2" />
<endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpsGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
</behavior>
</serviceBehaviors>
</behaviors>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<security>
<authentication>
<anonymousAuthentication enabled="false" />
<windowsAuthentication enabled="true"/>
</authentication>
<authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="xxx.luo"/>
<add accessType="Allow" users="xxx.luo2"/>
</authorization>
</security>
</system.webServer>
<location path="Service1.svc" >
<system.web>
<authorization>
<deny users="companydomain\xxx.luo2" />
</authorization>
</system.web>
</location>
<location path="Service2.svc" >
<system.web>
<authorization>
<deny users="companydomain\xxx.luo" />
</authorization>
</system.web>
</location>
</configuration>
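To see how the two authorization layers in this web.config combine, here is an added example (not from the post) that evaluates a user against the site-level IIS URL authorization rules and the per-<location> ASP.NET rules. It embeds constructed fragments (authorization parts only) of the answer's config, with Service1.svc for xxx.luo and Service2.svc for xxx.luo2, and of the question's config, assumes a simplified first-match-wins model for each layer and plain path equality for <location path>, and treats roles= as group names, which is why roles="xxx.luo" does not match a user named xxx.luo.

```python
import xml.etree.ElementTree as ET
# Constructed fragments of the answer's and the question's web.config (authorization only).
ANSWER_CONFIG = """<configuration>
<system.webServer><security><authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" users="xxx.luo"/>
<add accessType="Allow" users="xxx.luo2"/>
</authorization></security></system.webServer>
<location path="Service1.svc"><system.web><authorization>
<deny users="companydomain\\xxx.luo2" /></authorization></system.web></location>
<location path="Service2.svc"><system.web><authorization>
<deny users="companydomain\\xxx.luo" /></authorization></system.web></location>
</configuration>"""
QUESTION_CONFIG = """<configuration>
<system.webServer><security><authorization>
<remove users="*" roles="" verbs="" />
<add accessType="Allow" roles="xxx.luo"/>
</authorization></security></system.webServer>
</configuration>"""

def _short(name):  # compare accounts without the DOMAIN\ prefix, case-insensitively
    return name.strip().rsplit("\\", 1)[-1].lower()

def _matches(rule, user, groups):
    """users= matches the account itself; roles= matches only group membership."""
    users = {_short(u) for u in rule.get("users", "").split(",") if u.strip()}
    roles = {_short(r) for r in rule.get("roles", "").split(",") if r.strip()}
    return "*" in users or _short(user) in users or bool(roles & {_short(g) for g in groups})

def iis_allows(root, user, groups):
    """Site-level IIS URL authorization; first matching <add> wins (simplified model)."""
    allowed = True  # inherited default rule: allow users="*"
    auth = root.find("system.webServer/security/authorization")
    for rule in (auth if auth is not None else []):
        if rule.tag == "remove" and rule.get("users") == "*":
            allowed = False  # default rule removed: deny unless an <add> matches
        elif rule.tag == "add" and _matches(rule, user, groups):
            return rule.get("accessType") == "Allow"
    return allowed

def aspnet_allows(root, user, groups, path):
    """ASP.NET <location>/<system.web>/<authorization>; first matching rule wins."""
    for loc in root.findall("location"):
        if loc.get("path") != path:  # exact path match only (site-qualified paths never match)
            continue
        for rule in loc.findall("system.web/authorization/*"):
            if _matches(rule, user, groups):
                return rule.tag == "allow"
    return True  # no ASP.NET rule matched: this layer allows

def effective_access(config_xml, user, groups, path):
    """Both modules run on every request, so both layers must allow it."""
    root = ET.fromstring(config_xml)
    return iis_allows(root, user, groups) and aspnet_allows(root, user, groups, path)
```

Running the answer's rules through `effective_access` gives each user exactly one service, while the question's roles-based rule denies a plain user account unless it belongs to a group of that name.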