ServiceAuthorizationManager 类:提供对服务操作的授权访问检查。
每次尝试访问资源时,CheckAccessCore 方法都会由 Windows Communication Foundation (WCF) 基础结构调用。若允许访问,则该方法返回 true;若拒绝访问,则返回 false。
1. 开发一个自定义的ServiceAuthorizationManager如下:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.ServiceModel;
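namespace CaryWF
{
    /// <summary>
    /// Allow-list authorization manager for the WCF service.
    /// A call is permitted when at least one Windows identity of the caller satisfies
    /// <c>WindowsPrincipal.IsInRole(entry)</c> for any entry of the comma-separated
    /// <c>ServiceAllow</c> appSetting; every other call is denied (fail closed).
    /// </summary>
    public class CaryServiceAuthorizationManager : ServiceAuthorizationManager
    {
        /// <summary>appSettings key that holds the comma-separated allow list.</summary>
        private const string AllowSettingKey = "ServiceAllow";

        /// <summary>
        /// Key under which WCF stores the caller's identities in
        /// <c>AuthorizationContext.Properties</c>.
        /// </summary>
        private const string IdentitiesPropertyKey = "Identities";

        /// <summary>Trimmed, non-empty allow-list entries (Windows group or account names).</summary>
        private readonly string[] serviceAllows;

        /// <summary>
        /// Reads the <c>ServiceAllow</c> appSetting once, when the service host is built.
        /// </summary>
        /// <exception cref="System.Configuration.ConfigurationErrorsException">
        /// The setting is missing or contains no usable entry. Failing at start-up makes the
        /// misconfiguration visible instead of silently denying every call (the original
        /// code threw a NullReferenceException on a missing key).
        /// </exception>
        public CaryServiceAuthorizationManager()
        {
            string allowString = System.Configuration.ConfigurationManager.AppSettings[AllowSettingKey];
            serviceAllows = ParseAllowList(allowString);
            if (serviceAllows.Length == 0)
            {
                throw new System.Configuration.ConfigurationErrorsException(
                    "appSettings/" + AllowSettingKey + " is missing or empty; no caller could be authorized.");
            }
        }

        /// <summary>
        /// Called by WCF for every operation. Returns <c>true</c> only for a caller that
        /// presents an authenticated Windows identity matching an allow-list entry;
        /// any missing or unexpected security data results in <c>false</c>, never in an
        /// exception that could be mistaken for a successful check.
        /// </summary>
        /// <param name="operationContext">Context of the incoming call, supplied by WCF.</param>
        /// <returns><c>true</c> to allow the call, <c>false</c> to deny it.</returns>
        protected override bool CheckAccessCore(OperationContext operationContext)
        {
            if (operationContext == null)
            {
                return false;
            }

            // NOTE(review): a null security context is assumed to mean the message carried no
            // authenticated caller (e.g. an unsecured binding) - deny rather than dereference.
            var securityContext = operationContext.ServiceSecurityContext;
            if (securityContext == null || securityContext.AuthorizationContext == null)
            {
                return false;
            }

            // The indexer used originally throws KeyNotFoundException when the key is absent;
            // an absent identity list is simply "nobody to authorize".
            object identitiesValue;
            if (!securityContext.AuthorizationContext.Properties.TryGetValue(IdentitiesPropertyKey, out identitiesValue))
            {
                return false;
            }

            var identities = identitiesValue as IEnumerable<System.Security.Principal.IIdentity>;
            if (identities == null)
            {
                return false;
            }

            foreach (System.Security.Principal.IIdentity identity in identities)
            {
                var windowsIdentity = identity as System.Security.Principal.WindowsIdentity;

                // Only authenticated Windows identities can be compared against group/account
                // names; anonymous or non-Windows identities never match.
                if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
                {
                    continue;
                }

                if (IsAllowed(windowsIdentity))
                {
                    return true;
                }
            }

            return false;
        }

        /// <summary>
        /// True when <paramref name="windowsIdentity"/> satisfies <c>IsInRole</c> for any
        /// allow-list entry. The entries are evaluated in configuration order; the first
        /// match wins.
        /// NOTE(review): an entry that cannot be resolved to a Windows account/group is not
        /// caught here, so such a misconfiguration presumably surfaces as a faulted call
        /// (still a denial) - verify on the target domain.
        /// </summary>
        private bool IsAllowed(System.Security.Principal.WindowsIdentity windowsIdentity)
        {
            var principal = new System.Security.Principal.WindowsPrincipal(windowsIdentity);
            foreach (string allowEntry in serviceAllows)
            {
                if (principal.IsInRole(allowEntry))
                {
                    return true;
                }
            }
            return false;
        }

        /// <summary>
        /// Splits the raw setting on commas, trims each entry and drops empty ones, so that
        /// "a, b,,c" yields ["a", "b", "c"]. A null or empty setting yields an empty array.
        /// </summary>
        /// <param name="allowString">Raw value of the <c>ServiceAllow</c> appSetting; may be null.</param>
        /// <returns>Clean allow-list entries; never null.</returns>
        private static string[] ParseAllowList(string allowString)
        {
            if (string.IsNullOrEmpty(allowString))
            {
                return new string[0];
            }

            string[] rawParts = allowString.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries);
            List<string> entries = new List<string>(rawParts.Length);
            foreach (string part in rawParts)
            {
                string trimmed = part.Trim();
                if (trimmed.Length > 0)
                {
                    entries.Add(trimmed);
                }
            }
            return entries.ToArray();
        }
    }
}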
2. 新建项目
Web.config 中增加允许人员配置。默认情况下工作流服务使用 basicHttpBinding，其默认安全模式为 None，消息中不携带调用方身份，因此无法做授权检查；我们需要改为 wsHttpBinding（默认使用 Windows 凭据的消息安全），并配置 serviceAuthorization 指向自定义的授权管理器。web.config 如下：
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <!-- Comma-separated allow list read by CaryWF.CaryServiceAuthorizationManager; each entry is
         checked with WindowsPrincipal.IsInRole against the caller's Windows identity. The sample
         value is a single account; to admit a team, prefer a Windows group (review note: verify that
         IsInRole matches a bare account name in the target domain before relying on it). -->
    <add key="ServiceAllow" value="shsunplus\cary.sun"/>
  </appSettings>
  <system.web>
    <!-- Set debug="false" before deployment; debug builds disable response caching/timeouts and
         may leak more detail in error pages. -->
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false"/>
          <!-- Replaces the default access check with the custom manager; its CheckAccessCore runs
               on every operation. The value is "Namespace.Type, AssemblyName" - it must match the
               compiled assembly name or the host fails at start-up. -->
          <serviceAuthorization serviceAuthorizationManagerType="CaryWF.CaryServiceAuthorizationManager, CaryWF" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <protocolMapping>
      <!-- wsHttpBinding instead of the basicHttpBinding default so the caller presents a Windows
           identity that the authorization manager can evaluate. Review note: confirm the binding's
           security mode/credential type matches what the clients are configured to send. -->
      <add scheme ="http" binding="wsHttpBinding"/>
    </protocolMapping>
  </system.serviceModel>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
  </system.webServer>
</configuration>
3. 进行测试如下:使用WCFTestClient,如下:
成功调用的
如果调用者不在配置的允许列表中，CheckAccessCore 返回 false，调用会被拒绝，如下: