As I had hoped, FX2.0 adds security features for Remoting on the TCP channel: Authentication with the TCP Channel, and Encryption.
For Authentication with the TCP Channel, the server side provides an authenticationMode configuration parameter. The AuthenticationMode enumeration is described as follows:
| Member name | Description |
|---|---|
| IdentifyCallers | Require that the client identify itself to the server. |
| ImpersonateCallers | Require that the client identify itself to the server and that the server impersonate the client's identity. |
| None | Do not require that the client identify itself to the server. |
On the client side, set the impersonationLevel configuration parameter. The ClientImpersonationLevel enumeration is described as follows:
| Member name | Description |
|---|---|
| Delegate | Allow the server to identify and impersonate the client and to delegate the client's identity. |
| Identify | Allow the server to identify the client. |
| Impersonate | Allow the server to identify and impersonate the client. |
| None | Do not allow the server to identify the client. |
The client configuration is described in detail as follows:
If impersonationLevel is set to None, all calls to remote servers are made anonymously. If impersonationLevel is set to Identify, the client identifies the caller to the remote server. If impersonationLevel is set to Impersonate, the client allows the remote call to execute under the supplied identity. If impersonationLevel is set to Delegate, the server may pass on the client identity in turn. If a remote server requires a higher impersonationLevel than a client allows (for example, authenticationMode is set to IdentifyCallers and impersonationLevel is set to None, or authenticationMode is set to ImpersonateCallers and impersonationLevel is set to Identify), an exception occurs.
By default, a TCP client channel authenticates itself with the user identity under which the client process is running. You can specify an alternative identity by setting the useDefaultCredentials configuration property to false and setting the domain, username, and password configuration properties.
A TCP client channel can be configured to decide whether to authenticate based on complex, programmatic logic. If you set the authenticationPolicy configuration property to an object that implements the IAuthenticationPolicy interface, that object's ValidateSecurityPackage method is called to perform the authentication check.
For the Encryption feature, you simply set the secure configuration property to true on both the server and the client. In addition, the certificateFile configuration property can be set to specify the path of the X509 certificate.
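The server and client settings described above, written out as an added app.config example (not from the original post or from MS's documentation). The property names are the ones this post documents; the port, certificate path, domain, username and password values are placeholders.

```xml
<!-- Server side (added example): require callers to identify themselves and
     encrypt the channel. Port and certificate path are placeholders. -->
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="tcp" port="8080"
                 secure="true"
                 authenticationMode="IdentifyCallers"
                 certificateFile="C:\placeholder\server.cer" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>

<!-- Client side (added example): matching settings. impersonationLevel must be
     at least what the server's authenticationMode requires (Identify for
     IdentifyCallers, Impersonate for ImpersonateCallers); a lower level, e.g.
     impersonationLevel="None" against IdentifyCallers, raises an exception.
     Domain, username and password are placeholders. -->
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="tcp"
                 secure="true"
                 impersonationLevel="Identify"
                 useDefaultCredentials="false"
                 domain="EXAMPLEDOMAIN"
                 username="svc_client"
                 password="PLACEHOLDER" />
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
```

A plaintext password in the client config is the weak option here; unless a distinct identity is genuinely required, leave useDefaultCredentials at true so the channel authenticates with the client process identity instead.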
Authentication and encryption for the HTTP channel are already documented in FX1.1: you simply use IIS integrated authentication for authentication and SSL for transport encryption.
In FX1.1, MS provided a solution for TCP channel authentication in the form of a sample. Personally, I did not find it very convenient to use. In FX2.0, I guess the ideas and code of that sample have been folded in.
.NET Remoting Authentication and Authorization Sample - Part I
.NET Remoting Authentication and Authorization Sample – Part II
That solution has now been upgraded to 2.0, newly released in January 2004.