Windows認証とカスタムServiceAuthorizationManagerを使用するWCFWebサービスがあります。すべて正常に動作しますが、オーバーライドされたCheckAccessCoreがfalseを返すと、予想どおり401ではなくエラー500が発生します。サービスは、サービスレベルのエラー処理を実装していません。500ヘッダーの代わりに401を送信するにはどうすればよいですか?
サービス構成:
<!-- App configuration-->
<system.web>
<compilation debug="true" targetFramework="4.0" />
<customErrors mode="Off" />
</system.web>
<appSettings>
<!-- Allowed users divided by comma -->
<add key="allowedUsers" value="DOMAIN\User1, DOMAIN\User2" />
</appSettings>
<!--Webservice-->
<system.serviceModel>
<services>
<service name="WebService.ApiService">
<endpoint binding="basicHttpBinding" bindingConfiguration="AuthenticatedBinding" bindingNamespace="http://namespace.com/customapi" contract="WebService.IApiService" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior>
<serviceMetadata httpGetEnabled="true"/>
<serviceDebug includeExceptionDetailInFaults="true"/>
<serviceAuthorization serviceAuthorizationManagerType="WebService.Model.Services.AuthorizationService, WebService" />
</behavior>
</serviceBehaviors>
</behaviors>
<bindings>
<basicHttpBinding>
<binding name="AuthenticatedBinding">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />
</security>
</binding>
</basicHttpBinding>
</bindings>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
</system.serviceModel>
</configuration>
カスタム認証マネージャー:
class AuthorizationService : ServiceAuthorizationManager
{
private List<string> allowedUsers = new List<string>();
public AuthorizationService() : base()
{
Configure();
}
protected override bool CheckAccessCore(OperationContext operationContext)
{
base.CheckAccessCore(operationContext);
return allowedUsers.Contains(operationContext.ServiceSecurityContext.WindowsIdentity.Name);
}
private void Configure()
{
var configRow = ConfigurationManager.AppSettings["allowedUsers"];
var parts = configRow.Split(',');
if (parts.Length > 0)
{
foreach (var part in parts)
allowedUsers.Add(part.Trim());
}
}
}
結果画像:
