Which authentication should I choose for a cross-platform WCF service?

Time: 2020-12-16 12:16:15

What type of authentication would you suggest for the service that is:

  • implemented as WCF and exposed via various endpoints (including XML-RPC)

  • has to be consumed easily by various cross-platform clients

Why?

Options that I'm aware of are:

  • Forms-based authentication for IIS-hosted WCF (easy to implement, but has horrible cross-platform support, plus it is not REST)

  • Sending plain-text username/pwd with every call (easy to use on any platform, but totally unsecure)

  • Using ticket-based authentication, when username&pwd are used to create a ticket that is valid for some time and is passed with every request (can be consumed by any client easily, but the API model is bound to this type of security)

Thanks for your time!

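The ticket-based option listed in the question, sketched as an added example that is not part of the original post or of WCF: the server checks username and password once, then issues a time-limited HMAC-signed ticket that any client can echo back on later calls. The names `SERVER_KEY`, `TICKET_TTL`, `issue_ticket` and `verify_ticket`, the ticket layout and the choice of HMAC-SHA256 are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the service
TICKET_TTL = 900                      # assumption: ticket lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_ticket(username, now=None):
    """Call once, after the username/password check has succeeded."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "exp": now + TICKET_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_ticket(ticket, now=None):
    """Return the username, or None if the ticket is forged, malformed or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = ticket.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        # Constant-time comparison; the payload is parsed only after the tag checks out.
        if not hmac.compare_digest(tag, expected):
            return None
        claims = json.loads(payload)
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return None
        return claims.get("sub")
    except (ValueError, AttributeError, TypeError):
        return None

if __name__ == "__main__":
    t = issue_ticket("alice")
    print(t, "->", verify_ticket(t))
```

The ticket is a bearer credential, so it needs a TLS-protected channel just as the password does.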

2 solutions

#1


1  

Since you mention REST, I assume over HTTP, you could look at HTTP Digest Authentication.

However, keep in mind that XML-RPC is not RESTful. If you are going the way of WS/RPC, you might want to look at WS-Security.

#2


1  

In the end I've picked the simplest approach: Web services are implemented as simple stateless SOAP services, where username and password get passed with every request.
