I have a WCF service which needs to be called from client side(ajax call). I want to use ScriptManager on ASPX page to add a ServiceReference to the WCF service (or) JQuery ajax call to the WCF service. I want to deny anonymous users accessing the WCF service. Is there any way to do user authentication before calling a service method from JavaScript? how to secure my WCF service calls from client side?
我有一个需要从客户端调用的WCF服务(ajax调用)。我想在ASPX页面上使用ScriptManager将ServiceReference添加到WCF服务(或)对WCF服务的JQuery ajax调用。我想拒绝匿名用户访问WCF服务。在从JavaScript调用服务方法之前,有没有办法进行用户身份验证?如何从客户端保护我的WCF服务调用?
3 个解决方案
#1
5
There are a number of things you can do to secure your WCF services. Probably the easiest way is if your services are already part of the existing overall ASP.NET application is to enable ASP.NET Compatibility Mode for your services. If your ASP.NET app uses authentication to validate users (e.g. forms authentication) and you are enabling that via a session cookie, then ASP.NET Compatibility Mode does most of that work for you.
您可以采取许多措施来保护您的WCF服务。可能最简单的方法是,如果您的服务已经是现有整体ASP.NET应用程序的一部分,那么为您的服务启用ASP.NET兼容模式。如果您的ASP.NET应用程序使用身份验证来验证用户(例如表单身份验证),并且您通过会话cookie启用它,那么ASP.NET兼容模式可以帮助您完成大部分工作。
By default, this is disabled, but you can enable it with an addition to your web.config:
默认情况下,这是禁用的,但您可以通过添加web.config来启用它:
<system.serviceModel>
...
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
...
</system.serviceModel>
This will enable compatibility mode for all your services in your application. You can also enable this on a service by service basis by setting the web.config value and also using the AspNetCompatibilityRequirements attribute on your service class not the interface):
这将为您的应用程序中的所有服务启用兼容模式。您还可以通过设置web.config值并使用服务类上的AspNetCompatibilityRequirements属性而不是接口来逐个服务地启用此服务:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FooService: IFooService {
}
When you enable this setting, you have access to HttpContext.Current (like an ASP.NET page) and it will also enforce that a user must be authenticated before accessing the .svc file (just like you have to be authenticated before accessing any .aspx file). If you try to access a .svc file without being authenticated, and you're using forms authentication, the caller will be redirected to the default login page and, after successful authentication, will be redirected to the .svc file.
启用此设置后,您可以访问HttpContext.Current(如ASP.NET页面),并且还将强制在访问.svc文件之前必须对用户进行身份验证(就像您在访问任何文件之前必须进行身份验证一样)。 aspx文件)。如果您尝试在未经过身份验证的情况下访问.svc文件,并且您正在使用表单身份验证,则调用方将被重定向到默认登录页面,并且在成功进行身份验证后,将重定向到.svc文件。
This suggestion makes a few assumptions:
这个建议做了一些假设:
- your services are in an ASP.NET application;
- 您的服务是在ASP.NET应用程序中;
- you're using some type of ASP.NET authentication (like forms authentication) to validate users' credentials and persist a validation ticket in a cookie;
- 您正在使用某种类型的ASP.NET身份验证(如表单身份验证)来验证用户的凭据并在cookie中保留验证票证;
This suggestion, while maybe not the most secure or robust, is probably the simplest to at least get up and running and secure your site to a reasonable degree.
这个建议虽然可能不是最安全或最强大的,但最简单的方法是至少可以起到并运行并在合理的程度上保护您的网站。
Here's a good MSDN library intro article on ASP.NET compatibility mode.
这是关于ASP.NET兼容模式的一篇很好的MSDN库介绍文章。
If this works, perhaps the next step is to look into something like HMAC authentication (which involves a bit more work and the coordination of secret keys - but it's definitely more secure IMHO). Here's a nice walk-through of implementing it - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
如果这样可行,也许下一步是研究HMAC认证(这涉及更多的工作和秘密密钥的协调 - 但它肯定更安全恕我直言)。这是实施它的一个很好的步骤 - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful- WCF的service.aspx
I hope this helps. Good luck!!
我希望这有帮助。祝你好运!!
#2
2
I'm not sure if this will help but I placed a layer between my WCF and webapp. I'd make an AJAX servicereference call to a local asmx. This came under the protection of the forms authentication ticket. The asmx would then do any further security checks (if that specific user making the call was allowed to request that data or shape the data based on the user) and then forward the call on to my WCF service.
我不确定这是否会有所帮助,但我在我的WCF和webapp之间放了一层。我将对本地asmx进行AJAX服务引用调用。这受到表单身份验证票证的保护。然后,asmx将进行任何进一步的安全检查(如果允许进行调用的特定用户根据用户请求数据或形成数据),然后将调用转发到我的WCF服务。
This way my service layer did not need to know about the users for each app accessing it and only had a concern for delivery of requested data.
这样,我的服务层就不需要知道每个访问它的应用程序的用户,只关心交付请求的数据。
The asmx webservice took the responsibility of security.
asmx webservice承担了安全责任。
Then I made the WCF hosted in IIS using WAS and only allowed Windows Auth access for the identity that the webapp app pool was running as.
然后,我使用WAS在IIS中托管了WCF,并且只允许Windows身份验证访问以获取运行webapp应用程序池的身份。
So:
所以:
ASPX -> ASMX WebService -> WCF
ASPX - > ASMX WebService - > WCF
I think that would give you the control/separation and security you are asking for?
我认为这会给你控制/分离和你要求的安全吗?
#3
0
for WCF web http service The only way to secure a Web endpoint is to expose it through HTTPS, using transport security. When using message-based security, security information is usually placed in SOAP headers and because the messages sent to non-SOAP endpoints contain no SOAP envelope, there is nowhere to place the security information and you must rely on transport security.
对于WCF Web http服务保护Web端点的唯一方法是使用传输安全性通过HTTPS公开它。使用基于消息的安全性时,安全信息通常放在SOAP标头中,因为发送到非SOAP端点的消息不包含SOAP信封,所以无处放置安全信息,您必须依赖传输安全性。
#1
5
There are a number of things you can do to secure your WCF services. Probably the easiest way is if your services are already part of the existing overall ASP.NET application is to enable ASP.NET Compatibility Mode for your services. If your ASP.NET app uses authentication to validate users (e.g. forms authentication) and you are enabling that via a session cookie, then ASP.NET Compatibility Mode does most of that work for you.
您可以采取许多措施来保护您的WCF服务。可能最简单的方法是,如果您的服务已经是现有整体ASP.NET应用程序的一部分,那么为您的服务启用ASP.NET兼容模式。如果您的ASP.NET应用程序使用身份验证来验证用户(例如表单身份验证),并且您通过会话cookie启用它,那么ASP.NET兼容模式可以帮助您完成大部分工作。
By default, this is disabled, but you can enable it with an addition to your web.config:
默认情况下,这是禁用的,但您可以通过添加web.config来启用它:
<system.serviceModel>
...
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
...
</system.serviceModel>
This will enable compatibility mode for all your services in your application. You can also enable this on a service by service basis by setting the web.config value and also using the AspNetCompatibilityRequirements attribute on your service class not the interface):
这将为您的应用程序中的所有服务启用兼容模式。您还可以通过设置web.config值并使用服务类上的AspNetCompatibilityRequirements属性而不是接口来逐个服务地启用此服务:
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FooService: IFooService {
}
When you enable this setting, you have access to HttpContext.Current (like an ASP.NET page) and it will also enforce that a user must be authenticated before accessing the .svc file (just like you have to be authenticated before accessing any .aspx file). If you try to access a .svc file without being authenticated, and you're using forms authentication, the caller will be redirected to the default login page and, after successful authentication, will be redirected to the .svc file.
启用此设置后,您可以访问HttpContext.Current(如ASP.NET页面),并且还将强制在访问.svc文件之前必须对用户进行身份验证(就像您在访问任何文件之前必须进行身份验证一样)。 aspx文件)。如果您尝试在未经过身份验证的情况下访问.svc文件,并且您正在使用表单身份验证,则调用方将被重定向到默认登录页面,并且在成功进行身份验证后,将重定向到.svc文件。
This suggestion makes a few assumptions:
这个建议做了一些假设:
- your services are in an ASP.NET application;
- 您的服务是在ASP.NET应用程序中;
- you're using some type of ASP.NET authentication (like forms authentication) to validate users' credentials and persist a validation ticket in a cookie;
- 您正在使用某种类型的ASP.NET身份验证(如表单身份验证)来验证用户的凭据并在cookie中保留验证票证;
This suggestion, while maybe not the most secure or robust, is probably the simplest to at least get up and running and secure your site to a reasonable degree.
这个建议虽然可能不是最安全或最强大的,但最简单的方法是至少可以起到并运行并在合理的程度上保护您的网站。
Here's a good MSDN library intro article on ASP.NET compatibility mode.
这是关于ASP.NET兼容模式的一篇很好的MSDN库介绍文章。
If this works, perhaps the next step is to look into something like HMAC authentication (which involves a bit more work and the coordination of secret keys - but it's definitely more secure IMHO). Here's a nice walk-through of implementing it - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
如果这样可行,也许下一步是研究HMAC认证(这涉及更多的工作和秘密密钥的协调 - 但它肯定更安全恕我直言)。这是实施它的一个很好的步骤 - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful- WCF的service.aspx
I hope this helps. Good luck!!
我希望这有帮助。祝你好运!!
#2
2
I'm not sure if this will help but I placed a layer between my WCF and webapp. I'd make an AJAX servicereference call to a local asmx. This came under the protection of the forms authentication ticket. The asmx would then do any further security checks (if that specific user making the call was allowed to request that data or shape the data based on the user) and then forward the call on to my WCF service.
我不确定这是否会有所帮助,但我在我的WCF和webapp之间放了一层。我将对本地asmx进行AJAX服务引用调用。这受到表单身份验证票证的保护。然后,asmx将进行任何进一步的安全检查(如果允许进行调用的特定用户根据用户请求数据或形成数据),然后将调用转发到我的WCF服务。
This way my service layer did not need to know about the users for each app accessing it and only had a concern for delivery of requested data.
这样,我的服务层就不需要知道每个访问它的应用程序的用户,只关心交付请求的数据。
The asmx webservice took the responsibility of security.
asmx webservice承担了安全责任。
Then I made the WCF hosted in IIS using WAS and only allowed Windows Auth access for the identity that the webapp app pool was running as.
然后,我使用WAS在IIS中托管了WCF,并且只允许Windows身份验证访问以获取运行webapp应用程序池的身份。
So:
所以:
ASPX -> ASMX WebService -> WCF
ASPX - > ASMX WebService - > WCF
I think that would give you the control/separation and security you are asking for?
我认为这会给你控制/分离和你要求的安全吗?
#3
0
for WCF web http service The only way to secure a Web endpoint is to expose it through HTTPS, using transport security. When using message-based security, security information is usually placed in SOAP headers and because the messages sent to non-SOAP endpoints contain no SOAP envelope, there is nowhere to place the security information and you must rely on transport security.
对于WCF Web http服务保护Web端点的唯一方法是使用传输安全性通过HTTPS公开它。使用基于消息的安全性时,安全信息通常放在SOAP标头中,因为发送到非SOAP端点的消息不包含SOAP信封,所以无处放置安全信息,您必须依赖传输安全性。