
REST or SOAP WCF service on secure internal network NO SSL

I have a problem with a service I am writing.

We currently have a webapp that is hosted on an internal secure network.

There is now a requirement to provide a service which exposes our web app's business functionality for a client to consume in order to create a native tablet app.

The mobile device will use VPN to get onto the network. To access our webapp, the user would normally need to use a user name and password, i.e. there is no SSL. The username and password are stored in our db in a custom set-up (no ASP membership, etc).

Now, I have raised the lack of SSL as an issue, but this has been shot down, and those in charge of such matters feel that the security needed to get into the internal network is enough.

I realise this means the app is open to INTERNAL malicious behaviour from users inside the network but outside of the app user group.

SO, this now raises an issue when it comes to creating my service in WCF. Authentication without SSL appears to be quite fiddly. I did manage to find:

Yaron Naveh's ClearUsernameBinding: http://webservices20.blogspot.co.uk/2008/11/introducing-wcf-clearusernamebinding.html

I felt that this was about to solve all my problems until I realised that I would have to alter my plans to offer a RESTful service with JSON, and I would now have to use SOAP.

Still, I was fine with this until I realised that SOAP had bandwidth issues due to the envelope that comes with the packet. This worries me, as it is a service which will be getting consumed by a mobile app over 3G, and there are bandwidth limits.

So, with SSL not being an option (please don't say otherwise), do you think that using SOAP instead of REST here is the better option? Should I be concerned about the bandwidth? (Row counts returned will not exceed 200, and most will be MUCH smaller.) Roughly how much of an overhead are we talking?

Is there an option in the WCF REST config where I can authenticate without a certificate (using some form of custom authentication)? This would be preferable to me.

The WSDL envelope is not in the megabytes range. It needs a few kilobytes per request for normal configurations. Therefore, the possible bandwidth bottleneck depends heavily on the requests/time ratio.

You could always implement a custom authentication mechanism with tokens. The basic idea would be this...

  • When the user authenticates, he gets a token which expires after 20 minutes or so if the user does not act in that time
  • The token is stored (encrypted) in a client-side cookie
  • The cookie is sent in each of the client's HTTP requests
  • The REST service examines the user's cookie, extracts the token and concludes whether the user is authenticated or not

I would strongly suggest following the Membership API path. The logic that I describe is the one used by the Membership API. Implementing it on your own would just be time overhead and a bug generator. I don't see why you have to reinvent the wheel...

Hope I helped!
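The token scheme in the answer above, written out as an added example; this is not code from the question or from any answer on this page. It assumes a per-deployment server-side secret (a placeholder string here), UTC clocks on the server, and user ids that never contain `|`. The answer says the cookie is "encrypted"; this example signs the token with an HMAC instead, because what the service has to detect is a forged or altered token, and it compares the MAC in constant time. Without SSL the cookie still travels in clear text, so anyone who can sniff the segment between the VPN gateway and the service can replay it until it expires; the 20-minute lifetime bounds that window but does not remove it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not code from the question or any answer on this page).
// Stateless, expiring session token for a WCF REST service with no TLS:
//   token = base64(userId "|" expiryTicks) "." base64(HMAC-SHA256(userId "|" expiryTicks))
// Assumptions: one secret per deployment (placeholder below), UTC clocks on the
// server, and user ids that never contain '|'.
public static class SessionToken
{
    // Assumption: in real use this is 32 random bytes generated once per deployment
    // and read from protected config or a key store, never hard-coded.
    private static readonly byte[] Secret =
        Encoding.UTF8.GetBytes("PLACEHOLDER-replace-with-32-random-bytes");

    // The "20 minutes or so" idle timeout from the answer above.
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // Called once the username/password has been checked against the app's own users table.
    public static string Issue(string userId, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(userId) || userId.IndexOf('|') >= 0)
            throw new ArgumentException("user id must be non-empty and must not contain '|'");

        long expiryTicks = (utcNow + Lifetime).Ticks;
        byte[] payload = Encoding.UTF8.GetBytes(userId + "|" + expiryTicks);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }

    // Called on every request (e.g. from IDispatchMessageInspector.AfterReceiveRequest).
    // Yields the user id only for an authentic, unexpired token.
    public static bool TryValidate(string token, DateTime utcNow, out string userId)
    {
        userId = null;
        if (string.IsNullOrEmpty(token)) return false;

        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, presentedMac;
        try
        {
            payload = Convert.FromBase64String(parts[0]);
            presentedMac = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException)
        {
            return false;
        }

        // Verify the MAC before interpreting anything inside the payload.
        if (!FixedTimeEquals(Sign(payload), presentedMac)) return false;

        string text = Encoding.UTF8.GetString(payload);
        int sep = text.LastIndexOf('|');
        if (sep <= 0) return false;

        long expiryTicks;
        if (!long.TryParse(text.Substring(sep + 1), out expiryTicks)) return false;
        if (utcNow.Ticks >= expiryTicks) return false;   // idle timeout reached

        userId = text.Substring(0, sep);
        return true;
    }

    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(Secret))
        {
            return hmac.ComputeHash(data);
        }
    }

    // Constant-time comparison so a forged MAC cannot be guessed byte by byte;
    // .NET Framework 4.x has no CryptographicOperations.FixedTimeEquals.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        DateTime loginTime = DateTime.UtcNow;
        string token = SessionToken.Issue("alice", loginTime);   // becomes the cookie value

        string user;
        // Request 5 minutes after login: authentic and inside the idle timeout.
        bool okNow = SessionToken.TryValidate(token, loginTime.AddMinutes(5), out user);
        // Sliding expiry: each authenticated request re-issues the cookie so the 20 minutes restart.
        string renewed = okNow ? SessionToken.Issue(user, loginTime.AddMinutes(5)) : null;

        // The original token 25 minutes after login: rejected as expired.
        bool okLater = SessionToken.TryValidate(token, loginTime.AddMinutes(25), out user);

        // Forgery: a payload claiming "admin" stapled to alice's MAC fails the MAC check.
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("admin|" + long.MaxValue))
                        + "." + token.Split('.')[1];
        bool okForged = SessionToken.TryValidate(forged, loginTime, out user);

        Console.WriteLine("valid={0} renewed={1} expired-rejected={2} forged-rejected={3}",
            okNow, renewed != null, !okLater, !okForged);
    }
}
```

In a WCF REST service the natural place for `TryValidate` is an `IDispatchMessageInspector` that reads the cookie from `WebOperationContext.Current.IncomingRequest.Headers` and rejects the request with 401 when it returns false; the re-issue on each valid request is what gives the answer's "expires if the user does not act in that time" behaviour without any server-side session store.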

The performance comparison between REST and SOAP web services was discussed in detail in "Rest vs. Soap. Has REST a better performance?".

You can certainly implement custom authentication in a WCF REST service, without certificates or a secure transport. One option is to use a binding similar to the following:

<bindings>
    <webHttpBinding>
        <binding name="default">
            <security mode="TransportCredentialOnly">
                <transport clientCredentialType="Windows" proxyCredentialType="Windows"/>
            </security>
        </binding>
    </webHttpBinding>
</bindings>

http://msdn.microsoft.com/en-us/library/bb924478(v=vs.110).aspx

Including the Microsoft caveat: "This mode does not provide message integrity and confidentiality. It provides HTTP-based client authentication. This mode should be used with caution. It should be used in environments where the transport security is being provided by other means (such as IPSec) and only client authentication is provided by the WCF infrastructure."

The following link provides a comprehensive overview of a custom WCF REST authentication solution: http://www.codeproject.com/Articles/304877/WCF-REST-4-0-Authorization-with-Form-Based-Authent
