如何判断webservice调用是否来自Forms授权页面?
我有一个 ASP.NET Web 应用程序,其中使用多个服务来处理多个 Ajax 请求。问题是如何判断相应的调用是否来自我所服务的页面。 我在页面中使用表单身份验证。有什么方法可以授权用户通过相同的表单身份验证调用 weservice。
I have an asp.net web application in which i use several we services to serve several ajax requests. The problem is how to determine whether the corresponding call comes the page that i have served.
I use forms authentication in my pages. Is there any way in which i can authorise the user calling the weservice through the same forms authentication.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这让我想起了一个我已经回答过的老问题。您的场景有所不同,但根本问题仍然相同:如果您从 Web 表单调用 Web 服务,如何与表单共享身份验证数据?
对此没有简单且近似的解决方案。您可以考虑在 Web 服务中实现 WS-Security,并在检查用户是否获得授权后让 Web 表单针对 Web 服务进行自身验证。
Web 服务不会共享有关用户登录的信息,除非作为参数方法显式传递(即
void PerformAction(string userId, ...)),但请记住,在这种情况下,视角会发生巨大变化。这是我想到的最好的想法,但是请记住,要么深入重新设计 Web 服务,要么无法让用户生成的客户端(即根据 WSDL 编译的桌面应用程序)使用您的服务。
[添加] 现在您已经更详细地解释了您的场景,这里是软件工程中令人兴奋的部分:)
正如我在评论中所说,您有多种选择,例如:
Application集合中的对象),或者,如果 webapp 和 web 服务位于不同的服务器上,则使用 DBMS;然后,对于每个 Web 应用程序的成功身份验证,生成一个唯一的令牌(会话 ID 可以)并将其存储在将传递给 Web 服务的 JS 变量中;最后,当调用 Web 服务时,检查该共享对象的令牌是否有效(即用户已通过身份验证并且仍然登录,有权访问该 Web 服务,因此身份验证和授权都有效) ,否则拒绝This reminds me an old question I already answered to. Your scenario is different, but the root problem remains the same: if you call a web service from a Web Form, how to share authentication data with the form?
There is no simple and close-form solution to that. You can think about implementing WS-Security into the Web Service, and have the Web Form authenticate itself against the Web Service after checking that the user is authorized.
The Web Service won't share information about user login unless explicitly passed as parameter method (ie.
void PerformAction(string userId, ...)), but remember that in this case the perspective changes dramatically.This is the best idea that comes into my mind, however, keep in mind that either you deeply redesign your web service or you are unable to let user-generated clients (ie. desktop applications compiled against your WSDL) to use your service.
[Add] now that you explained your scenario a little bit more detailed, here comes the exciting part of software engineering :)
As I said in my comment, you have multiple options, for example:
Applicationcollection) or, if webapp and web service are on different servers, use a DBMS; then, for each webapp's successful authentication, generate a unique token (session ID can be fine) and store it in a JS variable that will be passed to web service; finally, when web service is invoked, check against that shared object that the token is valid (ie. user is authenticated and still logged in, with permission to access that web service, so both authentication and authorization), otherwise reject由于您正在进行论坛身份验证,因此您可以在 WebMethod 中执行类似的操作。
如果您正在执行 GET,那么抛出异常可能会更好,这样空结果就不会缓存在客户端。
Since you are doing Forums authentication you can do something like this in your WebMethod
It might be better to throw an exception if you are doing an GET though, that way the empty result doesn't get cached on the client side.