限制 WCF 服务的方法免受未经授权(不需要的)用户的访问
我想知道如何限制某些方法未经授权的用户访问。假设我有一个具有以下合同的 WCF 服务:
int Login(string username, string password);
Invoice[] GetCustomersInvoices(int customerId);
用户应按以下方式操作:
- 登录以验证服务并获取他的 custumerId 通过
- 使用他的 customerId 调用相应的方法来获取他的发票
好吧,这可能是一个愚蠢的问题,但是如果 customerA 的 id 是 23,但不知何故 customerA 知道 customerB 的 id,即 42,该怎么办。现在 customerA 可以读取 customerB 的秘密发票数据... 我最好做什么来避免这种情况?
I'm wondering how I can restrict some methods from unauthorized user access. Let's assume I have a WCF service with the following contract:
int Login(string username, string password);
Invoice[] GetCustomersInvoices(int customerId);
A user should act in the following way:
- Login to verify against the service and get his custumerId
- fetch his invoices by invoking the corresponding method with his customerId
Well, that's maybe a stupid question, but what if customerA's id is 23, but somehow customerA knows customerB's id, which is 42. Now customerA could read customerB's secret invoice data...
What could I best do to avoid this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您不应该使用单个 ID 来识别某人。在 WCF 中启用 authn/authz 的方法有很多,我喜欢 http: //msdn.microsoft.com/en-us/magazine/cc948343.aspx 有关一些方法的详细介绍。
You shouldn't use a single id for identifying someone. There are many ways of enabling authn/authz in WCF, I like the article at http://msdn.microsoft.com/en-us/magazine/cc948343.aspx for a good introduction on some ways of doing it.
仅当您能够使用 SSL 或任何其他此类模式在客户端和服务器之间实现安全(持久)通道(典型场景是烘焙支付逍遥游)时,您当前的调用方法才有效,
因此 IMO 您需要在内部实现用户身份验证方法(没有单独的调用)。即,您必须将用户 ID 和密码以及发票 ID 传递给 GetCustomersInvoices() 方法,并且在该方法中您需要对用户进行身份验证并检索数据。
以下是这种情况的解决方案,
实现您自己的用户名密码验证(自定义用户名认证),它将首先对用户进行身份验证,然后调用给定的方法。由于这将在一个请求中发生,因此它将解决您的问题。
典型的服务方法调用如下:
您可以使用 Message 标头 和 Body 来传递您的自定义值,Web 服务支持这样的场景,您可以在 SOAP 标头中传递加密数据。
或者,您也可以使用证书,但这些不是免费的。
一般来说,您可以通过以下链接获取有关各种安全 WCF 支持的更多信息,
http://msdn.microsoft.com/en-us/library/ms731925.aspx
Your current approach of calling methods will only work if you are able to implement secure(persistent) channel between client and server using SSL or any other such mode (typical scenario would be Baking Payments Getaways)
So IMO you need to implement your user authentication inside the method (no separate calls). i.e. you have to pass userid and password along with invoiceid to GetCustomersInvoices() method and inside it you need to authenticate the user and retrieve the data.
Following would be solution for such scenario,
Implement your own User Name Password Validations (custom usernameathentication), which will first authenticate the user and than it will call the method given. Since this will happen in one request so it will solve your problem.
Typical service method call would be like,
You can get the use of Message Headers and Body to pass your custom values, Webservices support such scenario where you can pass encrypted data in SOAP headers.
Alternatively you can use Certificates also, but these are not free.
In general you can go through following links to get more info in various kinds of security WCF supports,
http://msdn.microsoft.com/en-us/library/ms731925.aspx