Authorizing Access to Service Operations

This sample demonstrates how to use the <serviceAuthorization> behavior to enable the PrincipalPermissionAttribute to authorize access to service operations. The sample is based on the Getting Started sample. The service and client are configured using the <wsHttpBinding>. The mode attribute of the <security> element has been set to Message and clientCredentialType has been set to Windows, so the caller's Windows identity is authenticated at the message level and is available to the service when each operation runs. The PrincipalPermissionAttribute is applied to each service method and used to restrict access to that operation. The caller must be a Windows administrator to access each operation.

In this sample, the client is a console application (.exe) and the service is hosted by Internet Information Services (IIS).

Note

The setup procedure and build instructions for this sample are located at the end of this topic.

The service configuration file uses the <serviceAuthorization> behavior to set the principalPermissionMode attribute:

<behaviors>
  <serviceBehaviors>
    <behavior>
      <!-- The serviceAuthorization behavior sets the
           principalPermissionMode to UseWindowsGroups.
           This puts a WindowsPrincipal on the current thread when a
           service is invoked. -->
      <serviceAuthorization principalPermissionMode="UseWindowsGroups" />
    </behavior>
  </serviceBehaviors>
</behaviors>

Setting principalPermissionMode to UseWindowsGroups (which is also the default value) enables PrincipalPermissionAttribute demands based on Windows group names: before the operation runs, WCF places a WindowsPrincipal for the authenticated caller on the current thread, and the attribute's Role demand is evaluated with WindowsPrincipal.IsInRole. Role names take the DOMAIN\Group form; the built-in local groups use the BUILTIN prefix, as in Builtin\Administrators. If the demand fails, a System.Security.SecurityException is raised before the operation body executes.

The PrincipalPermissionAttribute is applied to each operation to require the caller to be a member of the Windows Administrators group, as shown in the following sample code.

[PrincipalPermission(SecurityAction.Demand,
                     Role = "Builtin\\Administrators")]
public double Add(double n1, double n2)
{
    double result = n1 + n2;
    return result;
}

When you run the sample, the operation requests and responses are displayed in the client console window. The client successfully communicates with each operation if it is running under an account that is a member of the Administrators group; otherwise access is denied, and the client receives a SecurityAccessDeniedException ("Access is denied") rather than the operation's result. To experiment with authorization failure, run the client under an account that is not a member of the Administrators group. Press ENTER in the console window to shut down the client.

A service can be notified of authorization failures by implementing an IErrorHandler; the failed demand reaches the handler as a System.Security.SecurityException, which can be logged and turned into a fault that reveals nothing about the service's internals. See Extending Control Over Error Handling and Reporting for information about implementing IErrorHandler.
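The following is an added example, not code from this sample, that combines the two techniques described above: per-operation PrincipalPermission demands (an Administrators-only Add and an authenticated-callers-only WhoAmI) and an IErrorHandler, installed through a service-behavior attribute, that records each authorization failure together with the caller's identity and replaces the exception with a generic access-denied fault. The contract name ICalculator, the namespace URI, the WhoAmI operation and the AuthorizationFailureLogging attribute are assumptions for this example. It expects the service to be hosted with the configuration shown earlier (Windows message credentials and principalPermissionMode="UseWindowsGroups").

```csharp
using System;
using System.Collections.ObjectModel;
using System.Diagnostics;
using System.Security;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;

// Assumed contract for this example (not the sample's own ICalculator).
[ServiceContract(Namespace = "http://example.com/calculator")]
public interface ICalculator
{
    [OperationContract] double Add(double n1, double n2);
    [OperationContract] string WhoAmI();
}

// The attribute below is an assumed helper: it installs an IErrorHandler
// on every channel dispatcher of the host so authorization failures are logged.
[AuthorizationFailureLogging]
public class CalculatorService : ICalculator
{
    // Only members of the local Administrators group may call Add.
    // The demand is checked against the WindowsPrincipal that WCF put on the
    // thread (principalPermissionMode="UseWindowsGroups"); failure raises
    // SecurityException before this body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Builtin\\Administrators")]
    public double Add(double n1, double n2)
    {
        return n1 + n2;
    }

    // Any authenticated Windows caller may call WhoAmI; anonymous callers are rejected.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string WhoAmI()
    {
        return ServiceSecurityContext.Current.WindowsIdentity.Name;
    }
}

[AttributeUsage(AttributeTargets.Class)]
public sealed class AuthorizationFailureLoggingAttribute
    : Attribute, IServiceBehavior, IErrorHandler
{
    // IServiceBehavior: attach this handler to each ChannelDispatcher.
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (ChannelDispatcherBase cdb in host.ChannelDispatchers)
        {
            ChannelDispatcher cd = cdb as ChannelDispatcher;
            if (cd != null)
            {
                cd.ErrorHandlers.Add(this);
            }
        }
    }

    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }

    // IErrorHandler.ProvideFault runs on the request thread, so the caller's
    // security context is still available here. Log the denied caller and the
    // operation, then send a deliberately uninformative fault.
    public void ProvideFault(Exception error, MessageVersion version, ref Message fault)
    {
        if (!(error is SecurityException))
        {
            return; // not an authorization failure; leave WCF's default handling in place
        }

        OperationContext ctx = OperationContext.Current;
        string caller = "(unknown)";
        string action = "(unknown)";
        if (ctx != null)
        {
            if (ctx.ServiceSecurityContext != null && ctx.ServiceSecurityContext.WindowsIdentity != null)
                caller = ctx.ServiceSecurityContext.WindowsIdentity.Name;
            if (ctx.IncomingMessageHeaders != null)
                action = ctx.IncomingMessageHeaders.Action;
        }
        Trace.TraceWarning("Authorization denied: caller={0} action={1}", caller, action);

        // The fault sent to the client carries only a fixed reason and code,
        // never the exception text or stack trace.
        FaultException fe = new FaultException("Access is denied.", new FaultCode("AccessDenied"));
        fault = Message.CreateMessage(version, fe.CreateMessageFault(), fe.Action);
    }

    // HandleError is not guaranteed to run on the operation thread and is called
    // after the reply has been sent; returning false keeps WCF's default session
    // handling for the error.
    public bool HandleError(Exception error)
    {
        return false;
    }
}
```

The caller's identity is read in ProvideFault rather than HandleError because OperationContext.Current is only reliable on the request thread. Role checks such as Builtin\Administrators are evaluated against the Windows token WCF builds for the authenticated caller, so a group that is not present in that token (for example, a group added after the caller's logon session was created) will not satisfy the demand until the caller authenticates again.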

To set up, build, and run the sample

  1. Ensure that you have performed the One-Time Setup Procedure for the Windows Communication Foundation Samples.

  2. To build the C# or Visual Basic .NET edition of the solution, follow the instructions in Building the Windows Communication Foundation Samples.

  3. To run the sample in a single- or cross-computer configuration, follow the instructions in Running the Windows Communication Foundation Samples.