我有一个 N 层应用程序,其构建如下:
IIS7 的服务器端有一个 ASP.Net 应用程序,它公开 WCF 服务上的方法。这些方法使用 EF4 与数据库通信。用 Silverlight 4.0 编写的客户端正在调用 WCF 服务上的方法。
WCF 服务公开了此方法:
[OperationContract]
void DeleteItem(int i_ItemId);
我是确保 WCF 服务的新手,但我认为接下来的观察是正确的(如果我错了,请纠正我):
1)如果我按原样保留此方法/服务,任何知道我的服务的人坐在 http://www.mysite.com/myservice.svc 可以打开 VisualStudio ,打开“添加服务引用”并开始调用DeleteItem()。
2)如果我尝试通过删除 MEX 端点来解决上述问题,仍然可以使用一些手动编码来调用服务。
因此,为了解决这两个问题,我开始学习 WCF 中的一些内置安全功能。快速浏览后,我想我可以使用以下绑定配置,以便调用服务时需要用户名和密码:
<wsHttpBinding>
<binding name="RequestUserName" >
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
尝试采用此解决方案时,我想到的第一件事是:当用户登录时客户端,客户端使用用户名和密码作为 WCF 调用的凭据。在服务器端,这些凭据根据数据库进行验证。
现在的问题是,这些凭据(用户名和密码)当然是用户已知的,因此他可以使用它们以我已经提到的方式调用DeleteItem()。
从这里我想出了两个解决方案:
1)我将在客户端中使用硬编码密钥,而不是使用用户名和密码作为凭据。扰乱 XAP 内的 Dll 可能会阻止其他人获取此密钥。
2)当用户登录客户端时,服务器会发送某种临时令牌(GUID或其他东西),客户端可以使用该令牌在本次通信会话期间验证其调用(比方说,直到用户关闭客户端) 。
我的问题是:
第一个解决方案提供的安全级别是多少?您需要付出多大的努力才能破解它?
如果第一个解决方案非常容易破解,WCF 中是否有内置方法来管理我在第二个解决方案中提到的令牌系统?
欢迎其他能够满足范围的解决方案。
I have an N-Tier app which built as follows:
On the server side in IIS7 is sitting an ASP.Net Application that exposes methods on a WCF Service. Those methods talk to the DB using EF4. Clients written in Silverlight 4.0 are calling the methods on the WCF service.
The WCF Service exposes this method :
[OperationContract]
void DeleteItem(int i_ItemId);
I am new to seuring WCF services, but I think these next observations are true (correct me if I am wrong):
1) If I leave this method/service as is, anyone that knows that my service is sitting at http://www.mysite.com/myservice.svc could just open up VisualStudio, open "Add Service Reference" and start making calls to DeleteItem().
2) If I try to solve the above by remove the MEX endpoint, Calls to the service can still be made using some manual coding.
So trying to solve those two problems I started learning about some built-in security features in WCF. After a quick look I figured i can use the following binding Configuration so that a username and password are needed for making calls to the service :
<wsHttpBinding>
<binding name="RequestUserName" >
<security mode="Message">
<message clientCredentialType="UserName"/>
</security>
</binding>
Trying to adopt this solution, the first thing that came to my mind was: When a user logs in the client, the client uses the user's name and password as the credentials for the WCF call. At the server-side, those credentials are validated against the DB.
The problem now, is that those credentials (userName and password) are , of course, known to the user, so he can just use them to call DeleteItem() in the ways I already mentioned.
From here I came up with two solutions :
1) Instead using userName and password as credentials, I will use a hard-coded key in the client. Scrambling the Dll's inside the XAP could prevent someone from obtaining this key.
2)When a user logs in the client, the server sends some kind of a temporary token (GUID or something), which the client can use to authenticate it's calls during this session of communication (Let's say, until the user closes the client).
My question are :
What the security level that the first solution provides and how hard you need to work in order to crack it?
If the first solution is very trivial to crack, Is there a built-in way in WCF to manage the tokens system I mention in the second solution ?
Other solutions that can feet the scope are welcomed.
发布评论
评论(1)
我不确定您所询问的安全级别,但我对将用户名和密码存储在 XAP 文件中(无论是否混淆)没有信心。
我可以描述我在生产中实施的解决方案。
基本上,我使用标准表单身份验证来保护应用程序,但我不像通常使用 ASP.NET 那样使用重定向,而是使用 ASP.NET 表单身份验证附带的身份验证 Web 服务。这样我的登录就可以通过 Silverlight 控件进行。我的应用程序有一个用户存储,我可以根据该用户存储对身份验证服务进行身份验证。
为了挂钩身份验证服务,我在 Global.asax 中执行此操作:
您可以像通常使用带有
此MSDN 帖子讨论了解决方案更详细地说。
I'm not sure about security level you are asking about, but I wouldn't feel confident storing username and password in XAP file, obfuscated or not.
I can describe a solution that I've implemented in production.
Basically, I secure the application with standard Forms Authentication, but I don't use the redirects like you normally would with ASP.NET, I use Authentication Web Service that ships with ASP.NET Forms Authentication. That way my login goes through Silverlight controls. My app has a user store that I authenticate the Authentication Service against.
To hook to the Authentication Service, I do this in Global.asax:
You would secure the parts of the website like you would normally with forms using
<authorization>element with<deny users="?">. The browser will handle all of the cookies for you. If you wanted to secure services, under Service/ folder you would deny not authenticated users to it.This MSDN Post talks about the solution in more detail.