简单的Web服务认证/授权不是那么简单吗?
几年前,我向现有的 Web 应用程序添加了一个 Web 服务接口,该接口允许创建自定义客户端来操作应用程序保存的数据。客户端主要是 .NET,而 Web 应用程序是 Java(托管在 Tomcat 服务器中),而且从那时起,这两个平台之间的互操作性并不是那么好,我使用二进制安全令牌创建了自己的小型本地身份验证方案由双方的处理程序拼接到请求/响应 xml 中。
从那时起,双方的技术都在进步(Java 方面有 Metro 项目,强调与 .NET 世界的互操作性);不幸的是,我一直忙于其他项目,并没有跟上细节。但从我到目前为止所读到的内容来看,难道不应该使用(相对)新的标准(如 WS-Security、WS-Policy 等)正确做类似的事情吗?
从那时起我就有机会更新代码,这次我真的很想“正确”地做到这一点。旧解决方案让我困扰的是,安全令牌的存在没有反映在 wsdl 中(任何实现客户端的人都必须从其他来源了解它,并包括我为处理程序提供的一些类,令牌和一些额外的代码行将它们连接到 Web 服务) - 据我了解 WS-* 规范,应该可以使用 WS-Policy 或 WS-SecurityPolicy 实现吗?
但不知何故,到目前为止,我一直无法在网上找到任何资源(示例、教程等)来解释人们如何开始实施类似的事情。
因此,考虑到最新的技术和标准(例如使用 Metro 框架的服务器和使用 WCF 的 .NET 3 或 4 中的客户端),是否可以创建一个使用基本用户/密码身份验证的 Web 服务“登录”(即创建某种会话或“对话”)到服务,然后允许在会话保持有效的同时对服务执行任何操作,并在用户明确“注销”或超时到期?
Some years ago I added a webservice interface to an existing web application that would allow the creation of custom clients to manipulate the data held by the application. The clients were primarily .NET, whereas the web application was Java (hosted in a Tomcat server), and since back then the interoperability between these two platforms was not so great, I created my own little homegrown auth scheme, using a binary security token spliced into the request/response xml by handlers on both sides.
Since then, technology has progressed on both sides (there's the Metro project on the Java side which emphasizes interoperability with the .NET world); unfortunately I've been busy with other projects and haven't kept up with the details as much. But from what I have read about it so far, shouldn't it be possible to do something similar properly using (relatively) new standards like WS-Security, WS-Policy and the likes?
I've been given the chance to update the code from back then, and I would really like to do it "right" this time. Something that bothered me about the old solution was that the presence of the security token was not reflected in the wsdl (anyone implementing a client would have to know about it from some other source, and include some classes provided by me for the handler, the token and some extra lines of code to hook them up to the web service) - something that, as far as I've understood the WS-* specs, should be possible with WS-Policy or WS-SecurityPolicy?
But somehow I have been unable so far to find any resources (examples, tutorials, etc.) online that would explain how one would even begin to go about implementing something like that.
So, given up-to-date technology and standards (like a server using the Metro framework, and a client in .NET 3 or 4 using WCF), would it be possible to create a web service that uses basic user/password authentication to "Log In" (i.e. create some kind of session, or "conversation") to the service, then allows carrying out any operations on the service while the session remains valid, and invalidates the session once the user either explicitly "Logs Out" or a timeout expires?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我自己没有使用过 Metro,但我只能推荐SWS 或 CXF。 (但是,根据我的经验,WS 身份验证和授权绝非简单)
Haven't used Metro myself, but I can only recommend either SWS or CXF. (However, in my experience WS authentication & authorization is anything but simple)