C# asmx web service: client authentication

Note: this page is a Chinese-English translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must do so under the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/1092404/

Time: 2020-08-06 08:01:46  Source: igfitidea

asmx web service: client authentication

Tags: c#, .net, web-services, authentication, asmx

Asked by zSynopsis

I have a web service with a bunch of methods that I'd like to somewhat secure. The data is not really all that confidential, but I'd still like to restrict access to only those who use a certain user id and password that's stored in the web service's web.config file. A C# Windows service client will be calling this web service once a day or week.

Can anyone post a simple example of how I can do this? Thanks in advance.

Answered by Steven Sudit

There are three general approaches to ad hoc SOAP security:

  1. The first is to pass the authentication information with each call.
  2. The second is to pass it in once to receive a session ID that is then passed in with each call.
  3. The third is essentially the same as the second, only using cookies.

Of the three, I recommend the first method, which does not require the server to maintain state, but can be just as fast due to caching.
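
A server-side sketch of the first approach (credentials with each call, checked against values in web.config), added here as an illustration and not code from the original answer. `ReportService`, `AuthHeader` and the appSettings keys `ServiceUser` and `ServicePassword` are assumed names.

```csharp
using System.Configuration;
using System.Text;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical SOAP header sent on every call, so the server keeps no session state.
public class AuthHeader : SoapHeader
{
    public string UserId;
    public string Password;
}

[WebService(Namespace = "http://example.invalid/reports")]
public class ReportService : WebService
{
    // ASP.NET fills this field from the incoming SOAP header.
    public AuthHeader Auth;

    [WebMethod]
    [SoapHeader("Auth")]
    public string GetReport()
    {
        RequireValidCaller();
        return "report data";
    }

    private void RequireValidCaller()
    {
        // The credentials travel in every request, so refuse plain HTTP.
        if (!Context.Request.IsSecureConnection)
            throw new SoapException("HTTPS required.", SoapException.ClientFaultCode);

        // Expected values come from <appSettings> in web.config (assumed key names).
        string user = ConfigurationManager.AppSettings["ServiceUser"];
        string pass = ConfigurationManager.AppSettings["ServicePassword"];

        // Non-short-circuit & so both fields are always compared.
        bool ok = Auth != null
            && FixedTimeEquals(Auth.UserId, user) & FixedTimeEquals(Auth.Password, pass);
        if (!ok)
            throw new SoapException("Authentication failed.", SoapException.ClientFaultCode);
    }

    // Compares without stopping at the first differing byte; missing or empty values fail closed.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (string.IsNullOrEmpty(a) || string.IsNullOrEmpty(b)) return false;
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

On the client, the generated proxy exposes the header as an `AuthHeaderValue` property that is set once before calling the methods.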

Answered by Allen Rice

This is pretty similar to my question: "What should we implement to authorize clients to use our web service?"

We ended up not publishing the WSDL and only serving up the service via https and requiring basic authentication. DON'T use basic auth if you can't force all clients to use https.

If this is a .net web service then here is the config file entry to keep the wsdl from being published.

  <system.web>
    <webServices>
      <protocols>
        <remove name="Documentation" />
      </protocols>
    </webServices>
  </system.web>

When you go to the page, you'll receive an error message similar to the message you'd get if you tried to manually pull down a web.config from a site. As Steven points out, this is security through obscurity and should NOT be used by itself to secure your web service. However, when used in addition to basic auth + https, it's a nice little extra.

Client Side Code:

To access this web service from a client, add your web reference the normal way and in the calling code (assuming your web reference is named WebRef).

WebRef.Url = "url";
WebRef.Credentials = new System.Net.NetworkCredential("userid", "password");

Also, you may want to look into WebRef.PreAuthenticate to save some round trips. Just be warned that you'll have a fun time testing that out if you're behind a corporate proxy. Proxies are used via the WebRef by

WebRef.Proxy = new System.Net.WebProxy("url");
WebRef.Proxy.Credentials = new System.Net.NetworkCredential("userid", "password");