Catch-22 prevents streamed TCP WCF service securable by WIF; ruining my Christmas, mental health

Question:

I have a requirement to secure a streamed WCF net.tcp service endpoint using WIF. It should authenticate incoming calls against our token server. The service is streamed because it is designed to transfer large amounts of data and stuff.

This appears to be impossible. And if I can't get around the catch, my Christmas will be ruined and I'll drink myself to death in a gutter while merry shoppers step over my slowly cooling body. Totes serious, you guys.

Why is this impossible? Here's the Catch-22.

On the client, I need to create a channel with the GenericXmlSecurityToken I get from our token server. No problemo.

// people around here hate the Framework Design Guidelines.
var token = Authentication.Current._Token;                             // GenericXmlSecurityToken obtained from our token server
var service = base.ChannelFactory.CreateChannelWithIssuedToken(token); // throws NullReferenceException (see below)
return service.Derp();

Did I say "no problemo"? Problemo. In fact, NullReferenceException-style problemo.

"Bro," I asked the Framework, "do you even null check?" The Framework was silent, so I disassembled and found that

// disassembled from CreateChannelWithIssuedToken; GetProperty<ChannelParameterCollection>() returns null here
((IChannel)(object)tChannel).
    GetProperty<ChannelParameterCollection>().
    Add(federatedClientCredentialsParameter);

was the source of the exception, and that the GetProperty call was returning null. So, WTF? Turns out that if I turn on Message security and set the client credential type to IssuedToken then this property now exists in the ClientFactory (protip: there is no "SetProperty" equivalent in IChannel, the bastard).

<binding name="OMGWTFLOL22" transferMode="Streamed" >
    <security mode="Message">
        <message clientCredentialType="IssuedToken"/>
    </security>
</binding>

Sweet. No more NREs. However, now my client is faulted at birth (still love him, tho). Digging through WCF diagnostics (protip: make your worst enemies do this after crushing them and driving them before you, but right before enjoying the lamentations of their women and children), I see it's because of a security mismatch between the server and client.

The requested upgrade is not supported by 'net.tcp://localhost:49627/MyService'. This could be due to mismatched bindings (for example security enabled on the client and not on the server).

Checking the host's diags (again: crush, drive, read logs, enjoy lamentations), I see this is true:

Protocol Type application/ssl-tls was sent to a service that does not support that type of upgrade.

"Well, self," I says, "I'll just turn on Message security on the host!" And I do. If you want to know what it looks like, it's an exact copy of the client config. Look up.

Result: Kaboom.

The binding ('NetTcpBinding', 'http://tempuri.org/') supports streaming which cannot be configured together with message level security. Consider choosing a different transfer mode or choosing the transport level security.

So, my host cannot be both streamed and secured via tokens. Catch-22.

tl;dr: How can I secure a streamed net.tcp WCF endpoint using WIF???


Solution:

Reference 1: https://en.stackoom.com/question/1Oona
Reference 2: https://stackoom.com/question/1Oona