首先,对我的英语感到抱歉,这不是我的母语。我会尽力描述我的问题。
我在互联网上搜索了很长时间,寻找一个解决方案,在该解决方案中,我可以创建一个 wcf 服务,该服务可以使用所需的用户名和密码来响应客户端的请求,但无需创建证书,使用 https 或需要在网络上进行特殊配置的任何其他内容将安装我的 Windows 服务的机器。
我的观点是:我想向很多客户部署应用程序。该应用程序将具有移动设备和服务器,该服务器将在 wcf 的帮助下向移动设备提供一些信息。每个客户都会有一台服务器和许多设备。我不希望网络上的任何人都可以访问这些信息,因此,我必须为每个请求使用用户名和密码实施身份验证程序,但我不想被迫安装证书,激活一些当我出售应用程序的新副本时,每台计算机上的 https 端口。
我已经读到,在 wcf 4.0 中,有一个可以加密数据的内置系统,因此,如果可能的话,我不希望有实现其他任何内容的开销。
我的问题是:考虑到我的要求,是否有可能有一个安全的解决方案,如果是,我该怎么做?
如果我确实必须创建证书并使用 IIS、https 或任何其他安全解决方案,是否可以在一个包中自动执行这些操作,然后通过单击向导将其安装到我客户的每台服务器计算机中?
预先感谢您抽出时间。
First of all sorry for my English, its not my native language. I will try to describe my problem as much as I can.
I searched for a long time on the Internet for a solution where I can create a wcf service that can respond to requests of my clients with username and password required but without creating a certificate, using https or anything else that require a special configuration on the machine where my windows service will be installed.
Here is my point: I want to deploy an application to a lot of my customers. This application will have mobile devices and a server which will give some information to mobile device with the help of wcf. Each customer will have a server and many devices. I don't want that anyone on the web can have access to these information and for this reason, I must implement an authentication procedure with username and password for each request but I don't want to be forced to install a certificate, activate some https port on each machine when I sell a new copy of my application.
I've read that with wcf 4.0, there is a built-in system that can encrypt data and for this reason, I don't want the overhead of implementing anything else if possible.
My question is: Is that possible to have a secure solution considering my requirements and if yes, how can I do that?
If I really must create a certificate and use IIS, https or any other secure solution, it is possible to automate these things in a package that will be installed in a single click wizard into each server machine of my customers?
Thank you in advance for your time.
发布评论
评论(2)
默认情况下,WCF 不允许通过 http 传输用户名凭据,因此必须使用证书来保护传输层。但是,如果您确定可以通过 http 通道发送用户名凭据,那么您可以查看 ClearUsernameBinding 使您可以灵活地通过 http 通道发送用户名凭据(考虑到有人可以拦截您的传输通道以访问凭据)
此外,如果您想要要使用必须安装的证书,您可以用 c# 编写一些代码,并将其包含在包中作为安装的一部分。您还可以通过 msi 配置所有内容,例如创建虚拟目录、部署应用程序等。
By default WCF doesnt allow transport of username credentials over http and hence have to use certificates to secure your transport layer. But if you are sure that you are fine with sending username credentials over the http channel then you can have a look at ClearUsernameBinding which gives you the flexibility of sending username credentials over http channel (consider the fact that someone can intercept your transport channel to get access to the credentials)
Also if you want to use certificates that have to be installed you can achieve that writing some code in c# and include that as part of your installation from your package. You can also configure everything from an msi like creating a virtual directory, deploying the application,etc..
您可能正在寻找具有消息级安全性的 WCF 绑定之一。您可以将用户名和密码放入此消息中,而不必担心它们通过未加密的 http 线路(即自定义身份验证)。 WCF 默认将用户名和密码作为 http 请求的一部分发送到标头中,这就是它需要 https 的原因。
what you are probably looking for is one of the wcf bindings that has message level security. You can put the user name and password into this message and not worry about them going across an http wire unencrypted(ie custom authentication). The defaults for WCF send user name and password as part of the http request in the header this is why it wants https.