Where to connect to WCF Pipeline to retrieve credentials for UserNamePasswordValidator from incoming HTTP request headers

Can someone point me to a suitable WCF extension point to connect to the WCF pipeline to extract the credentials for UserNamePasswordValidator from the headers of the incoming HTTP REST request?

Yes, I know about all the funky tricks with HTTP handlers, etc., by which you can somehow get Basic / Digest Auth, but since the client I'm working on will be strictly JavaScript, I chose a simple model: credentials transmitted using two custom headers over SSL.

1 answer

Update: I was able to improve this using the approach described below. Although this does not solve the problem described in my question, it eliminates the need for authentication in the authorization policy, since authentication is now handled by the custom AuthenticationManager, bypassing UserPasswordValidator altogether.

I currently solved the problem by combining authentication and authorization in a custom authorization policy. I would still rather find a way to connect to the regular UserNamePasswordValidator authentication scheme, since an authorization policy should handle authorization, not authentication.

    using System;
    using System.Collections.Generic;
    using System.IdentityModel.Claims;
    using System.IdentityModel.Policy;
    using System.Security.Principal;
    using System.ServiceModel;
    using System.ServiceModel.Channels;

    internal class RESTAuthorizationPolicy : IAuthorizationPolicy
    {
        public RESTAuthorizationPolicy()
        {
            Id = Guid.NewGuid().ToString();
            Issuer = ClaimSet.System;
        }

        public bool Evaluate(EvaluationContext evaluationContext, ref object state)
        {
            const String HttpRequestKey = "httpRequest";
            const String UsernameHeaderKey = "x-ms-credentials-username";
            const String PasswordHeaderKey = "x-ms-credentials-password";
            const String IdentitiesKey = "Identities";
            const String PrincipalKey = "Principal";

            // Check if the properties of the context has the identities list
            if (evaluationContext.Properties.Count > 0 ||
                evaluationContext.Properties.ContainsKey(IdentitiesKey) ||
                !OperationContext.Current.IncomingMessageProperties.ContainsKey(HttpRequestKey))
                return false;

            // get http request
            var httpRequest = (HttpRequestMessageProperty)OperationContext.Current.IncomingMessageProperties[HttpRequestKey];

            // extract credentials
            var username = httpRequest.Headers[UsernameHeaderKey];
            var password = httpRequest.Headers[PasswordHeaderKey];

            // verify credentials complete
            if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
                return false;

            // Get or create the identities list
            if (!evaluationContext.Properties.ContainsKey(IdentitiesKey))
                evaluationContext.Properties[IdentitiesKey] = new List<IIdentity>();
            var identities = (List<IIdentity>) evaluationContext.Properties[IdentitiesKey];

            // lookup user
            using (var con = ServiceLocator.Current.GetInstance<IDbConnection>())
            {
                using (var userDao = ServiceLocator.Current.GetDao<IUserDao>(con))
                {
                    var user = userDao.GetUserByUsernamePassword(username, password);
                    ...
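One way to move the header extraction into a custom ServiceAuthenticationManager, the kind of authentication manager the answer's update mentions, while still delegating the credential check to a UserNamePasswordValidator. This is an added example, not the answerer's code: the names HeaderAuthenticationManager and HeaderAuthenticationSetup are hypothetical, and it assumes TLS terminates at the service itself, so that listenUri carries the https scheme.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Hypothetical class: authenticates each request before authorization policies run.
internal class HeaderAuthenticationManager : ServiceAuthenticationManager
{
    private readonly UserNamePasswordValidator validator;

    public HeaderAuthenticationManager(UserNamePasswordValidator validator)
    {
        if (validator == null) throw new ArgumentNullException("validator");
        this.validator = validator;
    }

    public override ReadOnlyCollection<IAuthorizationPolicy> Authenticate(
        ReadOnlyCollection<IAuthorizationPolicy> authPolicy, Uri listenUri, ref Message message)
    {
        object property;
        if (!message.Properties.TryGetValue(HttpRequestMessageProperty.Name, out property))
            throw new SecurityTokenValidationException("Not an HTTP request.");
        var headers = ((HttpRequestMessageProperty)property).Headers;
        var username = headers["x-ms-credentials-username"];
        var password = headers["x-ms-credentials-password"];

        // Reject incomplete credentials and credentials that arrived over plain HTTP.
        if (listenUri.Scheme != Uri.UriSchemeHttps
            || string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            throw new SecurityTokenValidationException("Credentials missing or sent without TLS.");

        // The validator throws on a bad username/password pair; let that propagate.
        validator.Validate(username, password);
        return authPolicy;
    }
}

internal static class HeaderAuthenticationSetup
{
    // Call before host.Open(); the validator is whatever UserNamePasswordValidator subclass you already have.
    public static void Apply(ServiceHostBase host, UserNamePasswordValidator validator)
    {
        host.Authentication.ServiceAuthenticationManager = new HeaderAuthenticationManager(validator);
    }
}
```

Returning authPolicy unchanged means this manager only authenticates; attaching an identity or principal is still left to an authorization policy.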

Source: https://habr.com/ru/post/894939/

