ServiceSecurityContext 類別
定義
重要
部分資訊涉及發行前產品,在發行之前可能會有大幅修改。 Microsoft 對此處提供的資訊,不做任何明確或隱含的瑕疵擔保。
表示遠端一方的安全性內容。 在用戶端,表示服務身分識別,而在服務上,則表示用戶端身分識別。
public ref class ServiceSecurityContextpublic class ServiceSecurityContexttype ServiceSecurityContext = classPublic Class ServiceSecurityContext- 繼承
-
ServiceSecurityContext
範例
下列範例使用 ServiceSecurityContext 類別提供有關目前安全性內容的資訊。 程式碼會建立 StreamWriter 類別的執行個體,將資訊寫入檔案中。
// When this method runs, the caller must be an authenticated user
// and the ServiceSecurityContext is not a null instance.
public double Add(double n1, double n2)
{
// Write data from the ServiceSecurityContext to a file using the StreamWriter class.
using (StreamWriter sw = new StreamWriter(@"c:\ServiceSecurityContextInfo.txt"))
{
// Write the primary identity and Windows identity. The primary identity is derived from
// the credentials used to authenticate the user. The Windows identity may be a null string.
sw.WriteLine("PrimaryIdentity: {0}", ServiceSecurityContext.Current.PrimaryIdentity.Name);
sw.WriteLine("WindowsIdentity: {0}", ServiceSecurityContext.Current.WindowsIdentity.Name);
// Write the claimsets in the authorization context. By default, there is only one claimset
// provided by the system.
foreach (ClaimSet claimset in ServiceSecurityContext.Current.AuthorizationContext.ClaimSets)
{
foreach (Claim claim in claimset)
{
// Write out each claim type, claim value, and the right. There are two
// possible values for the right: "identity" and "possessproperty".
sw.WriteLine("Claim Type: {0}, Resource: {1} Right: {2}",
claim.ClaimType,
claim.Resource.ToString(),
claim.Right);
sw.WriteLine();
}
}
}
return n1 + n2;
}
' When this method runs, the caller must be an authenticated user and the ServiceSecurityContext
' is not a null instance.
Public Function Add(ByVal n1 As Double, ByVal n2 As Double) As Double Implements ICalculator.Add
' Write data from the ServiceSecurityContext to a file using the StreamWriter class.
Dim sw As New StreamWriter("c:\ServiceSecurityContextInfo.txt")
Try
' Write the primary identity and Windows identity. The primary identity is derived from
' the credentials used to authenticate the user. The Windows identity may be a null string.
sw.WriteLine("PrimaryIdentity: {0}", ServiceSecurityContext.Current.PrimaryIdentity.Name)
sw.WriteLine("WindowsIdentity: {0}", ServiceSecurityContext.Current.WindowsIdentity.Name)
' Write the claimsets in the authorization context. By default, there is only one claimset
' provided by the system.
Dim claimset As ClaimSet
For Each claimset In ServiceSecurityContext.Current.AuthorizationContext.ClaimSets
Dim claim As Claim
For Each claim In claimset
' Write out each claim type, claim value, and the right. There are two
' possible values for the right: "identity" and "possessproperty".
sw.WriteLine("Claim Type: {0}, Resource: {1} Right: {2}", _
claim.ClaimType, _
claim.Resource.ToString(), _
claim.Right)
sw.WriteLine()
Next claim
Next claimset
Finally
sw.Dispose()
End Try
Return n1 + n2
End Function
下列範例示範使用 CheckAccessCore 來剖析一組宣告的 ServiceSecurityContext 方法的實作。
public class MyServiceAuthorizationManager : ServiceAuthorizationManager
{
protected override bool CheckAccessCore(OperationContext operationContext)
{
// Extract the action URI from the OperationContext. Match this against the claims
// in the AuthorizationContext.
string action = operationContext.RequestContext.RequestMessage.Headers.Action;
Console.WriteLine("action: {0}", action);
// Iterate through the various claimsets in the AuthorizationContext.
foreach(ClaimSet cs in operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets)
{
// Examine only those claim sets issued by System.
if (cs.Issuer == ClaimSet.System)
{
// Iterate through claims of type "http://example.org/claims/allowedoperation".
foreach (Claim c in cs.FindClaims("http://example.org/claims/allowedoperation",
Rights.PossessProperty))
{
// Write the Claim resource to the console.
Console.WriteLine("resource: {0}", c.Resource.ToString());
// If the Claim resource matches the action URI then return true to allow access.
if (action == c.Resource.ToString())
return true;
}
}
}
// If this point is reached, return false to deny access.
return false;
}
}
Public Class MyServiceAuthorizationManager
Inherits ServiceAuthorizationManager
Protected Overrides Function CheckAccessCore(ByVal operationContext As OperationContext) As Boolean
' Extract the action URI from the OperationContext. Match this against the claims
' in the AuthorizationContext.
Dim action As String = operationContext.RequestContext.RequestMessage.Headers.Action
Console.WriteLine("action: {0}", action)
' Iterate through the various claimsets in the authorizationcontext.
Dim cs As ClaimSet
For Each cs In operationContext.ServiceSecurityContext.AuthorizationContext.ClaimSets
' Examine only those claim sets issued by System.
If cs.Issuer Is ClaimSet.System Then
' Iterate through claims of type "http://example.org/claims/allowedoperation".
Dim c As Claim
For Each c In cs.FindClaims("http://example.org/claims/allowedoperation", _
Rights.PossessProperty)
' Write the Claim resource to the console.
Console.WriteLine("resource: {0}", c.Resource.ToString())
' If the Claim resource matches the action URI then return true to allow access.
If action = c.Resource.ToString() Then
Return True
End If
Next c
End If
Next cs
' If we get here, return false, denying access.
Return False
End Function
End Class
備註
資料是訊息的 SecurityMessageProperty 的一部分。
使用此類別在執行時間取得遠端 安全性內容 的相關資訊。 當用戶端成功經過驗證,並獲授權可存取方法時,便會建立安全性內容。 當成功驗證並授權訊息時,便可以從這個類別的執行個體取得來自用戶端以及目前服務執行個體的安全性資訊。
您可以從 ServiceSecurityContext 類別的 Current 屬性擷取 OperationContext 的執行個體,或從服務作業方法中使用它,如下列範例所示。
剖析 ClaimSet
這個類別的常見用法是擷取目前的一組宣告,以便在用戶端存取某個方法時進行識別或授權。 ClaimSet 類別包含 Claim 物件的集合,且每個都可剖析以判斷是否有特定的宣告。 如果已提供指定的宣告,就可以授與授權。 這個功能是藉由覆寫 CheckAccessCore 類別的 ServiceAuthorizationManager 方法來提供的。 如需完整範例,請參閱 授權原則。
Cookie 模式和 IsAuthenticated
請注意,在某些情況下,即使遠端用戶端經過驗證為匿名使用者,IsAuthenticated 介面的 IIdentity 屬性仍會傳回 true (屬性會 PrimaryIdentity 傳回 interface. IIdentity ) 下列情況必須成立,才能發生此情況:
服務使用 Windows 驗證。
服務允許匿名登入。
自訂繫結包含
<security>項目。元素
<security>包含< secureConversationBootstrap >,且requireSecurityContextCancellation屬性設定為false。
建構函式
| ServiceSecurityContext(AuthorizationContext) |
使用指定的授權參數,初始化 ServiceSecurityContext 類別的新執行個體。 |
| ServiceSecurityContext(AuthorizationContext, ReadOnlyCollection<IAuthorizationPolicy>) |
使用指定的授權參數和原則的集合,初始化 ServiceSecurityContext 類別的新執行個體。 |
| ServiceSecurityContext(ReadOnlyCollection<IAuthorizationPolicy>) |
使用原則物件的集合,初始化 ServiceSecurityContext 類別的新執行個體。 |
屬性
| Anonymous |
傳回 ServiceSecurityContext 類別的執行個體,包含通常用於表示匿名一方的宣告、識別和其他內容資料的空集合。 |
| AuthorizationContext |
取得這個類別的執行個體的授權資訊。 AuthorizationContext 包含 ClaimSet 的集合,應用程式可以質詢及擷取群體的資訊。 |
| AuthorizationPolicies |
取得與這個類別的執行個體關聯的原則集合。 |
| Current |
取得目前的 ServiceSecurityContext。 |
| IsAnonymous |
取得值,這個值表示目前的用戶端是否已提供認證給服務。 |
| PrimaryIdentity |
取得與目前設定關聯的主要身分識別。 |
| WindowsIdentity |
取得目前設定的 Windows 身分識別。 |
方法
| Equals(Object) |
判斷指定的物件是否等於目前的物件。 (繼承來源 Object) |
| GetHashCode() |
做為預設雜湊函式。 (繼承來源 Object) |
| GetType() |
取得目前執行個體的 Type。 (繼承來源 Object) |
| MemberwiseClone() |
建立目前 Object 的淺層複製。 (繼承來源 Object) |
| ToString() |
傳回代表目前物件的字串。 (繼承來源 Object) |
適用於
另請參閱
意見反應
即將登場:在 2024 年,我們將逐步淘汰 GitHub 問題作為內容的意見反應機制,並將它取代為新的意見反應系統。 如需詳細資訊,請參閱:https://aka.ms/ContentUserFeedback。
提交並檢視相關的意見反應