WCF：需要使用HTTP标头或查询的Apikey保护WSDL和SOAP调用

发布于 2025-01-27 06:23:50 字数 508 浏览 3 评论 0原文

我有一个普通的WCF服务，该服务被暴露为肥皂服务，我需要用Apikey保护它，该apikey将在HTTP标头或HTTP查询参数中提供。 WSDL的检索和Web服务的消费均必须受到保护，但此速度都必须进行。最后，如果验证失败，则必须返回带有HTTP状态代码的空文档。

我尝试了使用行为的各种事情，但是最好的努力只能确保消耗部分，而我无法返回一个空文档（始终返回soap FARD XML XML文档，并带有我的例外详细信息）。我无法拦截WSDL生成并返回401/403 HTTP状态代码。

我意识到这是非标准的，但这就是向我提出要求的方式。

我认为这是可能的，但我不知所措。

该项目基本上只有1个.CS文件，其中包含所需的接口及其实现：

[ServiceContract]
public interface IFooService
{
    [OperationContract]
    barOut Lookup(string baz);
}

如果有人这样做，我想获得一些指示。

原文

I have a normal WCF service that is exposed as a SOAP service and I need to secure it with an ApiKey that will be provided in either the HTTP header or as a HTTP query parameter. Both the retrieval of the WSDL and the consuming of the web service must be protected but this ApiKey. Finally, if validation fails, an empty document with an HTTP status code must be returned.

I have tried various stuff using behaviors but the best effort only secured the consuming part and I was unable to return an empty document (always returned a SOAP fault XML document with my exception details). I have not been able to intercept the WSDL generation and return 401/403 HTTP status code.

I realize this is non-standard, but this is how the requirements are presented to me.

I assume this is possible, but I am at a loss.

The project basically only has 1 .cs file containing the required interface and the implementation thereof:

[ServiceContract]
public interface IFooService
{
    [OperationContract]
    barOut Lookup(string baz);
}

If anyone has done this, I'd like to get some pointers.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

感情废物 2025-02-03 06:23:50

解决方案很简单。我可以使用application_beginrequest在global.asax.cs中覆盖，该在每个请求中都调用，它是WSDL检索或消耗SOAP服务：

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!Validate(HttpContext.Current.Request))
        {
            HttpContext.Current.Response.StatusCode = 401;
            var httpApplication = sender as HttpApplication;
            httpApplication.CompleteRequest();
        }
    }

    private bool Validate(HttpRequest request)
    {
        var allowedApiToken = Kernel.Get<IServiceConfiguration>().ApiKey;
        var apiToken = request?.Headers["X-ApiKey"];
        if (apiToken == null)
        {
            apiToken = request?.QueryString["api_key"];
        }
        if (apiToken != allowedApiToken)
        {
            return false;
        }
        return true;
    }

The solution turned out to be quite simple. I could use the Application_BeginRequest override in Global.asax.cs that is being called on each request, it being WSDL retrieval or consuming the SOAP service:

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!Validate(HttpContext.Current.Request))
        {
            HttpContext.Current.Response.StatusCode = 401;
            var httpApplication = sender as HttpApplication;
            httpApplication.CompleteRequest();
        }
    }

    private bool Validate(HttpRequest request)
    {
        var allowedApiToken = Kernel.Get<IServiceConfiguration>().ApiKey;
        var apiToken = request?.Headers["X-ApiKey"];
        if (apiToken == null)
        {
            apiToken = request?.QueryString["api_key"];
        }
        if (apiToken != allowedApiToken)
        {
            return false;
        }
        return true;
    }

回复收藏 0 原文

~没有更多了~