如何在使用 AJAX 调用 WCF 服务时对用户进行身份验证?
我有一个 WCF 服务,需要从客户端调用(ajax 调用)。 我想在 ASPX 页面上使用 ScriptManager 将 ServiceReference 添加到 WCF 服务(或)对 WCF 服务的 JQuery ajax 调用。我想拒绝匿名用户访问 WCF 服务。在从 JavaScript 调用服务方法之前有什么方法可以进行用户身份验证吗?如何保护客户端 WCF 服务调用的安全?
I have a WCF service which needs to be called from client side(ajax call).
I want to use ScriptManager on ASPX page to add a ServiceReference to the WCF service (or) JQuery ajax call to the WCF service. I want to deny anonymous users accessing the WCF service. Is there any way to do user authentication before calling a service method from JavaScript? how to secure my WCF service calls from client side?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您可以采取多种措施来保护 WCF 服务的安全。如果您的服务已经是现有整个 ASP.NET 应用程序的一部分,最简单的方法可能是为您的服务启用 ASP.NET 兼容模式。如果您的 ASP.NET 应用程序使用身份验证来验证用户(例如表单身份验证)并且您通过会话 cookie 启用该功能,则 ASP.NET 兼容模式会为您完成大部分工作。
默认情况下,此功能处于禁用状态,但您可以通过添加 web.config 来启用它:
这将为应用程序中的所有服务启用兼容模式。您还可以通过设置 web.config 值并在服务类(而不是接口)上使用 AspNetCompatibilityRequirements 属性,逐个服务地启用此设置:
启用此设置后,您可以访问 HttpContext.Current(如 ASP) .NET 页面),并且它还将强制用户在访问 .svc 文件之前必须经过身份验证(就像在访问任何 .aspx 文件之前必须经过身份验证一样)。如果您尝试在未经身份验证的情况下访问 .svc 文件,并且您正在使用表单身份验证,则调用者将被重定向到默认登录页面,并且在身份验证成功后,将被重定向到 .svc 文件。
此建议做了一些假设:
这个建议虽然可能不是最安全或最可靠的,但可能是最简单的,至少可以在合理的程度上启动和运行并保护您的网站。
这是一篇关于 ASP.NET 兼容模式的MSDN 库介绍文章。
如果这有效,也许下一步是研究诸如 HMAC 身份验证之类的东西(这涉及更多的工作和密钥的协调 - 但恕我直言,它绝对更安全)。这是实现它的一个很好的演练 - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication -on-a-restful-wcf-service.aspx
我希望这有帮助。祝你好运!!
There are a number of things you can do to secure your WCF services. Probably the easiest way is if your services are already part of the existing overall ASP.NET application is to enable ASP.NET Compatibility Mode for your services. If your ASP.NET app uses authentication to validate users (e.g. forms authentication) and you are enabling that via a session cookie, then ASP.NET Compatibility Mode does most of that work for you.
By default, this is disabled, but you can enable it with an addition to your web.config:
This will enable compatibility mode for all your services in your application. You can also enable this on a service by service basis by setting the web.config value and also using the AspNetCompatibilityRequirements attribute on your service class not the interface):
When you enable this setting, you have access to HttpContext.Current (like an ASP.NET page) and it will also enforce that a user must be authenticated before accessing the .svc file (just like you have to be authenticated before accessing any .aspx file). If you try to access a .svc file without being authenticated, and you're using forms authentication, the caller will be redirected to the default login page and, after successful authentication, will be redirected to the .svc file.
This suggestion makes a few assumptions:
This suggestion, while maybe not the most secure or robust, is probably the simplest to at least get up and running and secure your site to a reasonable degree.
Here's a good MSDN library intro article on ASP.NET compatibility mode.
If this works, perhaps the next step is to look into something like HMAC authentication (which involves a bit more work and the coordination of secret keys - but it's definitely more secure IMHO). Here's a nice walk-through of implementing it - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
I hope this helps. Good luck!!
我不确定这是否有帮助,但我在 WCF 和 web 应用程序之间放置了一层。我会对本地 asmx 进行 AJAX 服务引用调用。这受到表单身份验证票证的保护。然后,asmx 将执行任何进一步的安全检查(如果允许进行调用的特定用户请求该数据或根据用户调整数据),然后将调用转发到我的 WCF 服务。
这样,我的服务层不需要了解每个访问它的应用程序的用户,而只关心所请求数据的传递。
asmx Web 服务承担了安全责任。
然后,我使用 WAS 将 WCF 托管在 IIS 中,并且只允许以运行 Web 应用程序池的身份进行 Windows 身份验证访问。
所以:
ASPX -> ASMX Web 服务 -> WCF
我认为这会给你所要求的控制/分离和安全?
I'm not sure if this will help but I placed a layer between my WCF and webapp. I'd make an AJAX servicereference call to a local asmx. This came under the protection of the forms authentication ticket. The asmx would then do any further security checks (if that specific user making the call was allowed to request that data or shape the data based on the user) and then forward the call on to my WCF service.
This way my service layer did not need to know about the users for each app accessing it and only had a concern for delivery of requested data.
The asmx webservice took the responsibility of security.
Then I made the WCF hosted in IIS using WAS and only allowed Windows Auth access for the identity that the webapp app pool was running as.
So:
ASPX -> ASMX WebService -> WCF
I think that would give you the control/separation and security you are asking for?
对于 WCF Web http 服务 保护 Web 终结点的唯一方法是使用传输安全性通过 HTTPS 公开它。使用基于消息的安全性时,安全信息通常放置在 SOAP 标头中,并且由于发送到非 SOAP 端点的消息不包含 SOAP 信封,因此无处放置安全信息,必须依赖传输安全性。
for WCF web http service The only way to secure a Web endpoint is to expose it through HTTPS, using transport security. When using message-based security, security information is usually placed in SOAP headers and because the messages sent to non-SOAP endpoints contain no SOAP envelope, there is nowhere to place the security information and you must rely on transport security.