New Remoting features in FX2.0

I only got the VS2005 May CTP installed yesterday and took a rough look at the various new features. Since the distributed technology I currently use is Remoting, I was particularly interested in whether Remoting's existing shortcomings have been addressed in FX2.0.
As I had hoped, FX2.0 adds security features for Remoting on the TCP channel: authentication with the TCP channel, and encryption.

Authentication with the TCP channel
On the server side there is an authenticationMode configuration parameter; the AuthenticationMode enumeration is described as follows:

Member name         Description
IdentifyCallers     Require that the client identify itself to the server.
ImpersonateCallers  Require that the client identify itself to the server and that the server impersonate the client's identity.
None                Do not require that the client identify itself to the server.

The authenticated client identity is stored in the CallContext under __remotePrincipal.

On the client side you set the impersonationLevel configuration parameter; the ClientImpersonationLevel enumeration is described as follows:

Member name   Description
Delegate      Allow the server to identify and impersonate the client and to delegate the client's identity.
Identify      Allow the server to identify the client.
Impersonate   Allow the server to identify and impersonate the client.
None          Do not allow the server to identify the client.

The detailed notes on the client configuration are as follows:
If impersonationLevel is set to None, all calls to remote servers are made anonymously. If impersonationLevel is set to Identify, the client identifies the caller to the remote server. If impersonationLevel is set to Impersonate, the client allows the remote call to execute under the supplied identity. If impersonationLevel is set to Delegate, the server may pass on the client identity in turn. If a remote server requires a higher impersonationLevel than a client allows (for example, authenticationMode is set to IdentifyCallers and impersonationLevel is set to None, or authenticationMode is set to ImpersonateCallers and impersonationLevel is set to Identify), an exception occurs.

By default, a TCP client channel authenticates itself with the user identity under which the client process is running. You can specify an alternative identity by setting the useDefaultCredentials configuration property to false and setting the domain, username, and password configuration properties to specify an alternative identity.

A TCP client channel can be configured to decide whether to authenticate based on complex, programmatic logic. If you set the authenticationPolicy configuration property to an object that implements the IAuthenticationPolicy interface, the ValidateSecurityPackage method of the object is called to determine whether authentication proceeds.

For the encryption feature, you simply set the secure configuration property to true on both the server and the client. In addition, the certificateFile configuration property can be set to specify the path of an X509 certificate.
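As an added example (not code from this post or from MS's sample), here is how the server and client channels would be registered in code using the property names quoted above. It assumes those CTP property names are accepted in the channel property dictionary and that the two-argument ChannelServices.RegisterChannel overload is available in the build in use.

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Remoting.Messaging;
using System.Security.Principal;

// Server side: require every caller to authenticate, and encrypt the channel.
// Property names follow the CTP documentation quoted in this post (assumption).
static class SecureRemotingHost
{
    public static void RegisterServerChannel(int port)
    {
        IDictionary props = new Hashtable();
        props["port"] = port;
        props["authenticationMode"] = "IdentifyCallers"; // "None" would accept anonymous callers
        props["secure"] = true;                          // encrypt traffic on the TCP channel

        IChannel channel = new TcpServerChannel(props, new BinaryServerFormatterSinkProvider());
        // ensureSecurity = true: refuse to register the channel unless it is secured
        ChannelServices.RegisterChannel(channel, true);
    }

    // The post states the channel stores the authenticated identity in the
    // CallContext under "__remotePrincipal"; read it from there.
    public static IPrincipal AuthenticatedCaller()
    {
        return CallContext.GetData("__remotePrincipal") as IPrincipal;
    }

    // Authentication alone grants nothing; a remoted method should still check
    // the caller against a role before doing privileged work.
    public static bool CallerIsInRole(string role)
    {
        IPrincipal caller = AuthenticatedCaller();
        return caller != null && caller.Identity.IsAuthenticated && caller.IsInRole(role);
    }
}

// Client side: an impersonationLevel that satisfies the server, same encryption setting.
static class SecureRemotingClient
{
    public static void RegisterClientChannel()
    {
        IDictionary props = new Hashtable();
        props["impersonationLevel"] = "Identify"; // "None" against an IdentifyCallers server throws
        props["secure"] = true;                   // must match the server's secure setting
        props["useDefaultCredentials"] = true;    // authenticate as the client process identity

        IChannel channel = new TcpClientChannel(props, new BinaryClientFormatterSinkProvider());
        ChannelServices.RegisterChannel(channel, true);
    }
}
```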

Authentication and encryption for the HTTP channel are already documented in FX1.1: you simply use IIS integrated authentication and SSL for transport encryption.
In FX1.1, MS provided a TCP channel authentication solution only as a sample, which I personally found not very convenient to use. In FX2.0 I suspect the ideas and code from that sample have been folded into the framework.

.NET Remoting Authentication and Authorization Sample - Part I
.NET Remoting Authentication and Authorization Sample – Part II

That solution has now been upgraded to version 2.0, newly released in January 2004.

posted @ 2004-06-08 10:03 朱永光