WCF服务-如何保护以便只有我的客户才能使用它?
[英]WCF Service - how to protect so only my clients can use it?
问题描述
I am building a client program that interacts with a WCF Service via Internet. 
我正在构建一个客户端程序,该程序通过Internet与WCF服务进行交互。 Everything works as intended but I am wondering how I can protect my services so that only my client program can make use of it? 一切都按预期工作,但我想知道如何保护我的服务,以便只有我的客户端程序才能使用它?
Right now everyone with the correct URL to my services can use it with WCFTestClient (eg). 现在,每个拥有正确服务URL的人都可以将其与WCFTestClient一起使用(例如)。
What is the best way to make it private so only my clients can make use of the service? 使其私有化以便只有我的客户可以使用该服务的最佳方法是什么? Rotating token strings? 旋转令牌字符串? Certificate? 证书? Password? 密码?
I have no idea and haven't found anything useful on the Internet. 我不知道,也没有发现互联网上有用的东西。
Best regards 最好的祝福
UPDATE: The client program is intended to be downloaded for the public (everyone). 更新:该客户端程序旨在为公众(每个人)下载。 So it is not for internal use, it will be a service we are gonna provide, ones in official production. 因此,它不是供内部使用,而是我们将提供的正式生产中的服务。
My own thinking was like: Bind a certificate in my client programs (if thats possible even?). 我自己的想法是:将证书绑定到我的客户端程序中(如果可以的话)。 On the IIS where the WCF service is running, check for valid certificate. 在运行WCF服务的IIS上,检查有效的证书。 Is that possible? 那可能吗? Or better solutions out there? 还是有更好的解决方案?
2 个解决方案
解决方案1
1 2013-06-21 07:16:09
If you are using Form Authentication then you can leverage the ASP.NET to check for FormAuthentication Cookie by enabling AspNetCompatibilityRequirementsMode to Required 如果使用的是表单身份验证,则可以通过将AspNetCompatibilityRequirementsMode设置为Required来利用ASP.NET来检查FormAuthentication Cookie。
Or if your service is stand alone ie is consumed by everyone then you can use oauth authentication you can read more about it Oauth Authentication 或者,如果你的服务是独立即是大家所消耗那么你可以使用OAuth认证,你可以阅读更多关于它OAuth认证
What you could do is there would be a consumer secret key which would be shared to all authenticated clients. 您所能做的就是将有一个消费者秘密密钥,该密钥将与所有经过身份验证的客户端共享。 The caller would sign some info using this key and server would also sign it using the same key and then compare it. 调用者将使用此密钥对某些信息进行签名,服务器还将使用相同的密钥对信息进行签名,然后进行比较。
Hope it helps 希望能帮助到你
解决方案2
1 已采纳 2013-06-21 07:28:35
Protect .net Web Service URL 保护.net Web服务URL
Along with the other answers, that can't be bad too, and if you want to be super careful you can implement a token system, where the clients get the first token from you, each request returns a new token, and you always check a client vs it's current token (but that's being over careful in my opinion) 连同其他答案一样,这也不错,如果您要非常小心,可以实施令牌系统,其中客户端从您那里获得第一个令牌,每个请求都返回一个新令牌,并且您始终检查客户与当前令牌(但我认为这过于谨慎)
Update - because it's for the public, the client can have a way of generating a valid token to check on the server, you can have a token be valid for an interval of seconds, so even if people caught the request and found the token, it will not be valid after ..15 seconds or 30,etc 更新-由于这是公开的,因此客户端可以使用一种方法来生成有效令牌以在服务器上进行检查,您可以使令牌在几秒钟的时间内有效,因此即使人们抓住了请求并找到了令牌, ..15秒或30等后无效
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.