WCF REST - 如何最好地为多个用户构建架构,同时限制访问
我是 WCF 和 REST 的新手,因此请原谅任何明显的问题。
我正在尝试创建一个供客户端使用的 RESTful API。该 API 需要仅对经过身份验证的用户可用,因此我认为执行此操作的最佳方法(根据我过去几天阅读的内容)是使用基于 SSL 的基本身份验证,这很好。
我在 VS2010 中有一个面向 .NET 3.5 的基本 WCF REST 服务应用程序。 - 其基本内容直接取自 http://www.codeproject.com/ KB/WCF/BasicAuthWCFRest.aspx
我正在努力理解和区分的是如何对用户进行身份验证,同时还限制客户可以根据他们的身份进行的调用。
因此,客户需要拨打的电话会将一些基本信息从他们的系统传递到我们的系统,每个客户都能够拨打相同的电话,但是我不希望客户 A 能够将信息发布到我们网站上客户 B 的区域中。侧,反之亦然。
我计划让两个客户发布类似以下网址的内容:-
api.mydomain.com/sale/
但是,我想知道这样做是否更有意义:-
api.mydomain.com/clientA/销售/ api.mydomain.com/clientB/sale/
...如您所见,我完全迷失了!
另外,我的示例代码使用自定义 MembershipProvider - 我了解会员资格的基础知识,但同样,不知道我是否应该以某种方式使用它来限制客户端将数据发布到彼此的区域?
抱歉胡言乱语 - 太多问题了:(
I'm new to WCF and REST so please excuse any obvious questions.
I'm trying to create a RESTful API that will be used by clients. The API needs to be available only to authenticated users so I believe the best way to do this (from what I've read over the last couple of days) is using Basic Auth over SSL which is fine.
I have a basic WCF REST Service Application in VS2010 targeting .NET 3.5. - the bare bones of this have been directly taken from http://www.codeproject.com/KB/WCF/BasicAuthWCFRest.aspx
What I'm struggling to understand and to differentiate on is how to authenticate suers while also restricting the calls that clients can make based on who they are.
So the call that the clients will need to make will pass some basic information from their system to ours, each client will be able to make the same call however I don't want client A being able to post info into client B's area on our side and vice versa.
I was planning on having both clients POSTing something like the following url:-
api.mydomain.com/sale/
however, I wonder if it would make more sense to make it clearer to do this:-
api.mydomain.com/clientA/sale/
api.mydomain.com/clientB/sale/
...as you can see, I'm quite lost!
Also, the example code I have is using a custom MembershipProvider - I understand the basics of Membership but again, don't know if I should be using this in some way to restrict the clients posting data to eachothers areas?
Sorry for the waffling - sooo many questions :(
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
关于授权(授予对特定资源的经过身份验证的使用访问权限),有几种方法。
您可以通过 web.config 中的
或者,在幕后,您可以使用基于 API 的方法,其本质上是做同样的事情。有许多库可以提供帮助,包括 AzMan;与角色成员资格提供者属于同一“家族”的授权库;企业库中也有一个。
本文可能会有所帮助(请参阅:“步骤 2 :根据当前登录用户的角色限制功能”)。
Regarding authorization (granting an authenticated use access to specific resources) there's a couple of ways.
You can restrict access to certain areas (directories / URL paths) via the
<location>element in the web.config, and then using the<authorization>element only allow certain users or roles (groups) to access those locations. This is OK if the number of locations / users / roles is manageable and doesn't change too much. For example:Alternatively, under the covers you can use an API based approach that essentially does the same thing. There are a number of libraries out there that can help, including AzMan; an authorization library that's in the same 'family' as the role membership provider; there is also one in the Enterprise Libraries.
This article might be of some help (see: "Step 2: Limiting Functionality Based On the Currently Logged In User’s Roles").
我是这样做的。我使用标准成员资格提供程序(但您也可以使用自定义成员资格提供程序执行相同操作)来对用户进行身份验证,但我不让 IIS 执行此操作。我自己对用户进行身份验证(作为 REST API 的一部分),并为该用户生成一个令牌,将其存储在成员资格数据库中并发回客户端。
对于客户端发出的每个请求,它还需要发送有效的令牌。由于令牌与用户 ID 存储在一起,因此我可以确定令牌是否有效以及哪个用户正在发出请求。因此,我可以根据我自己的安全规则确定是否允许该请求。
如果只允许用户对其自己的数据执行特定请求,那么您不需要发送除令牌之外的任何标识信息。
HTH。
Here is how I did this. I used a standard membership provider (but you can also do the same with a custom membership provider) to authenticate the user, but I do not let IIS do this. I authenticate the user myself (as part of the REST API) and generate a token for that user, which I store in the membership database and send back to the client.
For each request the client makes it needs to send a valid token as well. As the token is stored together with a user id, I can then determine if the token is valid and what user is making the request. Because of this I can then determine if the request is allowed based on my own security rules.
If a user is only allowed to do a certain request on it's own data, then you don't need to send any identifying information except for the token.
HTH.