In Visual Studio 2013 U4 Ultimate, I have a solution targeting .NET 4.5.3 with:
- An ASP.NET 5.2 MVC Web Application project based public website
- A WCF SOAP Service with some operations
Security is important as the service is dealing with financial transactions.
The WCF Service could either be invoked from JavaScript in the web browser or alternatively the web browser could send a request to the Web Application to invoke the WCF Service on the server side and return the result.
What are the factual advantages and disadvantages of invoking the service client side or server side?
How do I choose to invoke from client side or server side based on technological facts?
Is there a convention, vendor recommended practice, or known best practice for whether client side or server side invocation should be used?
1 solution
#1
0
This is somewhat subjective - however, the security shouldn't dictate server vs. client - you either have to secure the web site or secure the service.
If you can't guarantee security on the service itself, or someone understanding exactly how the service is called and used could open the door to the possibility of abuse, then don't expose it to the client side. Anything that lives on the client is unsafe and can/will be manipulated at some point.
Either way, the end-user shouldn't notice a big difference with either approach if implemented properly.
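An added sketch of the server-side option, not code from the question or the answer: an MVC action that re-validates browser input, takes the customer identity from the authenticated session, and calls the WCF service from the web tier. The contract `IPaymentService`, its `Transfer` operation, the controller name and the endpoint address are assumptions made for illustration.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.Web.Mvc;

// Hypothetical contract for the page's WCF SOAP service (names are assumptions).
[ServiceContract]
public interface IPaymentService
{
    [OperationContract]
    string Transfer(string customerId, string toAccount, decimal amount);
}

public class TransferController : Controller
{
    // Placeholder internal address: the service is reachable only from the web tier.
    private static readonly ChannelFactory<IPaymentService> Factory =
        new ChannelFactory<IPaymentService>(
            new BasicHttpsBinding(),
            new EndpointAddress("https://payments.internal.example/PaymentService.svc"));

    [HttpPost]
    [Authorize]                 // caller must have an authenticated session
    [ValidateAntiForgeryToken]  // rejects cross-site forged posts
    public ActionResult Create(string toAccount, decimal amount)
    {
        // Browser-supplied values are untrusted: validate again on the server.
        if (string.IsNullOrWhiteSpace(toAccount) || amount <= 0m ||
            decimal.Round(amount, 2) != amount)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        // The customer identity comes from the session, never from the request body.
        string customerId = User.Identity.Name;

        IPaymentService channel = Factory.CreateChannel();
        try
        {
            string reference = channel.Transfer(customerId, toAccount, amount);
            ((IClientChannel)channel).Close();
            return Json(new { reference });
        }
        catch (Exception)
        {
            ((IClientChannel)channel).Abort();  // release the faulted channel
            return new HttpStatusCodeResult(HttpStatusCode.BadGateway);
        }
    }
}
```

The service still has to enforce its own authorization and limits, since the web tier is only one caller it may ever have.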