Passing query expressions over the wire using WCF
I want to implement something like a WCF OData provider but using NetTcpBinding instead of WebHttpBinding / REST. I want the client to be able to write linq queries that are transparently serialized and sent to the server (or potentially, multiple servers, to consolidate distributed database instances).
One way to do this is to implement a custom IQueryable provider. You could pass the query expression over the wire in (at least) two ways:
1) Serialize the expression to xml, send it, and deserialize it on the server
2) Pass what is more-or-less the precursor to raw SQL to the server in the form of DataContracts
1 is difficult and simply a lot of work, and 2 obviously could pose security risks (SQL injection). Say for instance a 'Where' expression was encapsulated and passed to the server like so,
using System.Runtime.Serialization;

[DataContract]
public class WhereFilter
{
    // Column name to filter on
    [DataMember]
    public string Property { get; set; }

    // Comparison operator, e.g. "="
    [DataMember]
    public string Operation { get; set; }

    // Right-hand side of the comparison
    [DataMember]
    public string Value { get; set; }
}

where the above ultimately represents the part of an SQL query that states "WHERE [SomeColumn] = 'SomeValue'".
My question is whether the WCF client-server connection could be made secure enough to warrant such an approach without presenting too much of a security risk? Or alternatively, if there are any other ways of implementing an OData-like provider over NetTcpBinding, I'd be interested.
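Securing the transport does not remove the injection risk in option 2, because the risk lives in how the server turns a WhereFilter into SQL. The following is an added example (not the asker's code or any WCF/OData library code) showing the two translations side by side: an unsafe version that concatenates the DataContract fields into the query text, and a hardened version that checks Property and Operation against an allow-list and binds Value as a SqlParameter. The table and column names ("Customers", "Name", "City", "Country") and the connection string are assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Runtime.Serialization;
using System.Text;

// Added example: the DataContract from the question, reused as the server-side input type.
[DataContract]
public class WhereFilter
{
    [DataMember] public string Property { get; set; }
    [DataMember] public string Operation { get; set; }
    [DataMember] public string Value { get; set; }
}

public static class FilterTranslator
{
    // Allow-list of columns a client may filter on (assumed schema: table Customers).
    static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Name", "City", "Country" };

    // Allow-list of operation tokens the wire format may carry, mapped to SQL operators.
    // The client never sends an operator string that is copied into SQL as-is.
    static readonly Dictionary<string, string> AllowedOps =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["eq"] = "=", ["ne"] = "<>", ["gt"] = ">", ["lt"] = "<", ["contains"] = "LIKE"
        };

    // UNSAFE: every field of the DataContract becomes SQL text. A single quote in Value
    // (legitimate or hostile) changes the structure of the query. Shown only for contrast.
    public static string BuildUnsafe(IEnumerable<WhereFilter> filters)
    {
        var sb = new StringBuilder("SELECT * FROM Customers WHERE 1=1");
        foreach (var f in filters)
            sb.Append(" AND [" + f.Property + "] " + f.Operation + " '" + f.Value + "'");
        return sb.ToString();
    }

    // SAFE: identifiers are validated against the allow-lists, values are bound as parameters,
    // so the query shape is fixed by the server and client data can only ever be data.
    public static SqlCommand BuildSafe(SqlConnection conn, IEnumerable<WhereFilter> filters)
    {
        var cmd = conn.CreateCommand();
        var sb = new StringBuilder("SELECT [Name], [City], [Country] FROM Customers WHERE 1=1");
        int i = 0;
        foreach (var f in filters)
        {
            if (f.Property == null || !AllowedColumns.Contains(f.Property))
                throw new ArgumentException("Column not allowed: " + f.Property);
            if (f.Operation == null || !AllowedOps.TryGetValue(f.Operation, out string op))
                throw new ArgumentException("Operation not allowed: " + f.Operation);

            string paramName = "@p" + i++;
            sb.Append(" AND [").Append(f.Property).Append("] ").Append(op).Append(' ').Append(paramName);

            // For "contains" the value is wrapped in wildcards. '%' and '_' inside the value still
            // act as LIKE wildcards (a data-level concern), but they cannot alter the SQL text.
            object value = op == "LIKE" ? "%" + f.Value + "%" : (object)f.Value ?? DBNull.Value;
            cmd.Parameters.Add(new SqlParameter(paramName, SqlDbType.NVarChar, 200) { Value = value });
        }
        cmd.CommandText = sb.ToString();
        return cmd;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input. The apostrophe in "O'Brien" is ordinary data, yet it is
        // enough to break the unsafe query, which is exactly the surface an injection uses.
        var filters = new[]
        {
            new WhereFilter { Property = "City", Operation = "eq", Value = "Berlin" },
            new WhereFilter { Property = "Name", Operation = "contains", Value = "O'Brien" },
        };

        Console.WriteLine(FilterTranslator.BuildUnsafe(filters));

        // Assumed placeholder connection string; CreateCommand does not need an open connection.
        using (var conn = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true"))
        {
            var cmd = FilterTranslator.BuildSafe(conn, filters);
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }

        // A filter on a column outside the allow-list is rejected before any SQL is built.
        try
        {
            FilterTranslator.BuildSafe(new SqlConnection(),
                new[] { new WhereFilter { Property = "PasswordHash", Operation = "eq", Value = "" } });
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

The design point is that the wire format (option 2) can stay exactly as proposed; what matters is that the server treats Property and Operation as tokens to look up, never as SQL fragments, and that Value is always bound. If the allow-list is kept to the columns the service is meant to expose, a client cannot filter on, or enumerate, columns it should not see.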
Comments (1)
I'd begin by trying the Expression Tree Serialization project. It aims to allow serialization of expressions, but I haven't used it to comment on how well it works.
Failing that, then you could construct queries using a DataContract. There are risks but you can always exclude unwanted operations (e.g. UPDATE or DELETE on the UserRole table) through database permissions. Your WCF service should connect to the database with a dedicated account, and that account should only have permissions to do what it needs (no CREATE or DROP, only SELECT from relevant tables, etc). And of course you can also secure your WCF connection to stop unwanted connections (see WCF Security Overview). One option is to require certificate authentication - only those users with the relevant certificate will be able to use the service.