基于Geneva框架的STS实现--RP端

1. WSFederationHttpBinding
      支持 WS-Federation 协议的绑定。

      WS-Federation 规范定义了一个模型和消息集合，用于在不同信任领域间代理信任并联合身份和身份验证信息。协议被BEA、IBM、Microsoft、RSA Security 和 VeriSign厂商支持。

      WS-Federation 依赖另外一组协议：WS-Trust, WS-Policy,WS-Authorization。 

 

2. WCF契约

namespace RP.Contracts
{
    [ServiceContract]
    public interface ITest
    {
        [OperationContract]
        string Say(string message);
    }
}
 

   

3. Client端

      WCF服务发布成Federation绑定，客户端就要以Federation绑定去访问。这与访问其他形式绑定的行为有所区别，因为在调用时需要向服务提供安全令牌。

      这里再次利用Geneva框架，写一个WCF调用类。

using Microsoft.IdentityModel.Protocols.WSTrust;
 using RP.Contracts;
 namespace STS.Client
{
    public class TestClient : ITest
    {
        private SecurityToken Token;

        public TestClient(SecurityToken token)
        {
            Token = token;
        }

        public string Say(string message)
        {
            string result = "";
            using (ChannelFactory<ITest> channelFactory = new ChannelFactory<ITest>(STSConfiguration.ServiceName))
            {
                //配置文件里的终结点信息还是会被框架忽略，所以要显示指定。如果RP服务端证书与域名不一致，需要根据RP证书改写终结点标识。
                //channelFactory.Endpoint.Address = new EndpointAddress(new Uri(ServiceUrl), EndpointIdentity.CreateX509CertificateIdentity(Configuration.RPCertificate));
                channelFactory.Endpoint.Address = new EndpointAddress(new Uri(STSConfiguration.ServiceUrl));
                ChannelFactoryOperations.ConfigureChannelFactory(channelFactory);
                ITest testClient = channelFactory.CreateChannelWithIssuedToken(Token);
                using (testClient as IDisposable)
                {
                    try
                    {
                        result = testClient.Say("hello");
                    }
                    catch (CommunicationException)
                    {
                        (testClient as ICommunicationObject).Abort();
                        throw;
                    }
                    catch (TimeoutException)
                    {
                        (testClient as ICommunicationObject).Abort();
                        throw;
                    }
                }
            }
            return result;
        }
    }
}
 

      客户端可以调用这个类去访问服务了。

namespace STS.Client
{
    class Program
    {
        static void Main(string[] args)
        {
            string username = Console.ReadLine();
            string password = Console.ReadLine();

            SecurityToken token = TokenHelper.Issue(username, password);
            Console.WriteLine(token.ToString());

            TestClient client = new TestClient(token);
            string result = client.Say("hello");
            Console.WriteLine(result);

            Console.ReadLine();
        }
    }
}

      客户端配置文件。需要注意的是，WCF服务地址还是要另外配置，因为Geneva框架会忽略终结点的地址信息：

  <system.serviceModel>
    <client>
      <endpoint name="TestService"
        address=""
        binding="ws2007FederationHttpBinding" bindingConfiguration="wsFederation"
        contract="RP.Contracts.ITest"
        behaviorConfiguration="RPCertificateBehavior">
      </endpoint>
    </client>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="wsFederation">
          <security mode="Message">
            <message>
                        <!—需要指定一个颁发者，这个节点不能为空-->
              <issuer address="http://sts-server/" binding="ws2007HttpBinding">
              </issuer>
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
    <behaviors>
      <endpointBehaviors>
        <behavior name="RPCertificateBehavior">
          <clientCredentials>
            <serviceCertificate>
              <!--指定服务默认证书，以及正式验证模式和吊销模式-->
              <defaultCertificate findValue="CN=rp-server" storeLocation="LocalMachine" storeName="TrustedPeople"/>
              <authentication certificateValidationMode="PeerOrChainTrust" revocationMode="NoCheck" />
            </serviceCertificate>
          </clientCredentials>
        </behavior>
      </endpointBehaviors>
    </behaviors>
  </system.serviceModel>
 

4. RP端(WCF) 

      使用Federation绑定的WCF可以自动解密客户端传递的安全令牌，为请求线程创建安全主体IPrincipal，并将所有相关声明附加到AuthorizationContext的声明集合ClaimSet中。所以我们只需要遍历 AuthorizationContext中的实例集合ClaimSet，以获得基于声明的安全性。

      先来看简单的页面文件和服务类：

<%@ServiceHost language="c#" Debug="true" Service="RP.WCF.TestService" %>

namespace RP.WCF
{
    public class TestService : FederatedBase, ITest
    {
        public string Say(string message)
        {
            return string.Format("Say {0}, {1} {2}", message, (this.FederatedUser.IsAdmin ? "(Admin)" : ""), this.FederatedUser.LoginName);
  8         }
       }
}

      服务的基类FederatedBase则用来保存从声明集合解析出来的信息：

namespace RP.WCF
{
    public class FederatedBase
    {
        FederatedContextUser _FederatedUser;
        /// <summary>
        /// 当前用户信息
        /// </summary>
         public FederatedContextUser FederatedUser
        {
            get
            {
                if (_FederatedUser == null)
                    _FederatedUser = FederatedContextUser.Current;
                return _FederatedUser;
            }
        }
      }

    /// <summary>
    /// 当前WCF上下文的用户信息
    /// </summary>
    public class FederatedContextUser
    {
        /// <summary>
        /// 当前WCF上下文的用户信息
        /// </summary>
        public static FederatedContextUser Current
        {
            get
            {
                return new FederatedContextUser();
            }
        }
        private FederatedContextUser()
        {
            if (ServiceSecurityContext.Current != null && ServiceSecurityContext.Current.AuthorizationContext != null &&
                ServiceSecurityContext.Current.AuthorizationContext.ClaimSets != null)
            {
                foreach (ClaimSet claimset in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
                {
                    foreach (Claim claim in claimset)
                    {
                        if (claim.ClaimType.Equals(System.IdentityModel.Claims.ClaimTypes.Name))
                            LoginName = claim.Resource.ToString();


                        if (claim.ClaimType.Equals("http://sts-server/claims/isadmin"))
                            IsAdmin = bool.Parse(claim.Resource.ToString());

                        //其他声明也可以转换成类的属性便于访问

                    }
                }
            }
            else
            {
                throw new FaultException("没有有效的用户信息");
            }
        }

        /// <summary>
        /// 用户名
        /// </summary>
        public string LoginName { get; private set; }
        /// <summary>
        /// 是否管理员
        /// </summary>
        public bool IsAdmin { get; private set; }

       //其他声明
   }
}

      服务配置文件：

  <system.serviceModel>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="federationBinding">
          <security mode="Message">
            <message/>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
    <behaviors>
      <serviceBehaviors>
        <behavior name="federationBehavior">
          <!—指定服务器证书-->
          <serviceCredentials>
            <serviceCertificate storeLocation="LocalMachine" storeName="My" findValue="CN=rp-server"/>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="RP.WCF.TestService" behaviorConfiguration="federationBehavior">
        <endpoint address="federation" binding="ws2007FederationHttpBinding" contract=" RP.Contracts.ITest"
            bindingConfiguration="federationBinding">
        </endpoint>
      </service>
    </services>
  </system.serviceModel>
 

5. 最终结果

      将IP-STS端和RP端的WCF服务布置好，运行Client端，就可以看到结果。