
Security in WCF without using SSL

I have developed an MVC web application using WCF services.

For example, I have a service URL such as http://localhost/abcservice/method1. I am using the basichttpbinding service.

In my controller I am adding the service reference and calling it:

serviceclient a = new serviceclient();
a.method1();

I am calling this service without using any authentication.

Out of curiosity, I have this question:

Is it possible to secure the WCF services hosted in IIS without buying SSL certificates?

Is it possible to implement the authentication functionality by sending the username and password from the client and authenticating it?

If yes, how? Any help would be greatly appreciated, as most of the links will redirect using certificates for security.

Since WCF is stateless you are going to need a reasonably sophisticated (read non-trivial) solution. Without providing code, here is what I do:

  1. Have a DB table which contains the list of current valid connections. You want to store user name, valid from/to date/time and a GUID token.

  2. Provide an authentication WCF call that somehow authenticates the user. The somehow is probably what you are most interested in. You can authenticate against a list of valid users (again from a DB table) or against LDAP AD records. Or you could validate against Microsoft Passport/Google Account, even Facebook. This is something you really need to consider: WHAT are you going to authenticate against. Once you decide that, then you can code for it. The simplest is to authenticate against a DB table - but it's not very portable and requires maintenance of that table etc.

  3. If the user was authenticated in step 2, create or update a valid connection record for the user, assigning them a new GUID token and setting valid from and to date/times (i.e. provide a lifetime for the token). Return the new token in step 2.

  4. All subsequent WCF calls require the token to be passed in (along with the user name also if required). You check that the token is valid and if so, process the WCF call. If not, then ignore the call or do something meaningful.

As stated in other answers this has nothing to do with SSL. User authentication is a major programming topic.
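The four steps above, worked through as an added C# example (this is not code from the original answer). Assumptions: an in-memory dictionary stands in for the DB table of valid connections, and IUserDirectory / InMemoryUserDirectory are hypothetical stand-ins for whatever you decide to authenticate against (DB table, AD/LDAP, an external provider); the service contract name IAbcService and the 30-minute token lifetime are also made up for the example.

```csharp
// Added example, not from the original post: token-based authentication for a
// basicHttpBinding WCF service following the answer's four steps.
// Assumption: the in-memory dictionaries below stand in for the DB tables.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.ServiceModel;

// Step 1: one record per valid connection: user, lifetime, GUID token.
public class SessionRecord
{
    public string UserName;
    public DateTime ValidFromUtc, ValidToUtc;
    public Guid Token;
}

public static class Bytes
{
    // Compare every byte so timing does not reveal how much of a token or hash matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class SessionStore
{
    private readonly ConcurrentDictionary<string, SessionRecord> _sessions =
        new ConcurrentDictionary<string, SessionRecord>(StringComparer.OrdinalIgnoreCase);

    // Step 3: create or replace the user's record with a new token and a lifetime.
    public Guid Issue(string userName, TimeSpan lifetime)
    {
        DateTime now = DateTime.UtcNow;
        var record = new SessionRecord { UserName = userName, ValidFromUtc = now,
                                         ValidToUtc = now + lifetime, Token = Guid.NewGuid() };
        _sessions[userName] = record;  // any earlier token for this user stops working
        return record.Token;
    }

    // Step 4: the token must belong to this user and be inside its lifetime.
    public bool IsValid(string userName, Guid token)
    {
        SessionRecord record;
        if (userName == null || !_sessions.TryGetValue(userName, out record)) return false;
        DateTime now = DateTime.UtcNow;
        if (now < record.ValidFromUtc || now >= record.ValidToUtc)
        {
            _sessions.TryRemove(userName, out record);  // expired: clean up and reject
            return false;
        }
        return Bytes.FixedTimeEquals(record.Token.ToByteArray(), token.ToByteArray());
    }
}

// Step 2: what you authenticate against is a separate decision; only this implementation changes.
public interface IUserDirectory { bool Verify(string userName, string password); }

// Hypothetical directory storing salted PBKDF2 hashes (16-byte salt + 32-byte hash), never passwords.
public class InMemoryUserDirectory : IUserDirectory
{
    private const int SaltLen = 16, HashLen = 32, Iterations = 100000;
    private readonly ConcurrentDictionary<string, byte[]> _users =
        new ConcurrentDictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase);

    public void Add(string userName, string password)
    {
        byte[] salt = new byte[SaltLen];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        byte[] stored = new byte[SaltLen + HashLen];
        Buffer.BlockCopy(salt, 0, stored, 0, SaltLen);
        Buffer.BlockCopy(Derive(password, salt), 0, stored, SaltLen, HashLen);
        _users[userName] = stored;
    }

    public bool Verify(string userName, string password)
    {
        byte[] stored;
        if (userName == null || password == null || !_users.TryGetValue(userName, out stored)) return false;
        byte[] salt = new byte[SaltLen], expected = new byte[HashLen];
        Buffer.BlockCopy(stored, 0, salt, 0, SaltLen);
        Buffer.BlockCopy(stored, SaltLen, expected, 0, HashLen);
        return Bytes.FixedTimeEquals(Derive(password, salt), expected);
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations)) return kdf.GetBytes(HashLen);
    }
}

[ServiceContract]
public interface IAbcService
{
    [OperationContract] Guid Authenticate(string userName, string password);  // steps 2 and 3
    [OperationContract] string Method1(string userName, Guid token);           // step 4
}

public class AbcService : IAbcService
{
    // Shared across per-call service instances; the DB table plays this role in production.
    private static readonly SessionStore Sessions = new SessionStore();
    public static readonly InMemoryUserDirectory Users = new InMemoryUserDirectory();
    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);

    public Guid Authenticate(string userName, string password)
    {
        if (!Users.Verify(userName, password))
            throw new FaultException("Authentication failed");  // same fault for unknown user and wrong password
        return Sessions.Issue(userName, TokenLifetime);
    }

    public string Method1(string userName, Guid token)
    {
        if (!Sessions.IsValid(userName, token))
            throw new FaultException("Missing, invalid or expired token");
        return "hello " + userName;  // the real work of method1 goes here
    }
}
```

The client calls Authenticate once, keeps the returned GUID, and passes it with every later call; an expired or unknown token produces a fault instead of running the operation. Two points to keep in mind when running this over plain HTTP: the password on the Authenticate call and the token on every later call travel in clear text, so keep the token lifetime short, and the PBKDF2 hashing only protects the stored credential table, not the credential in transit.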
