如何在 asp.net/Jquery 中保护 WebMethod
[英]How to Secure a WebMethod in asp.net/Jquery
问题描述
I am using Jquery Ajax to call a WebMethod from aspx page.Here is my code
我正在使用 Jquery Ajax 从 aspx 页面调用 WebMethod。这是我的代码
$(document).ready(function () {
$("#btnshow").click(function () {
$.ajax({
type: "POST",
url: "example.aspx/showData",
data: "{}",
contentType: "application/json; charset=utf-8",
dataType: "json",
success: function (msg) {
$("#Result").text(msg.d);
}
});
});
});
code on aspx.cs page: aspx.cs 页面上的代码:
[System.Web.Services.WebMethod()]
[System.Web.Script.Services.ScriptMethod()]
public static List<LandmarkList> showData()
{
LandmarkList ObjLL = new LandmarkList();
return ObjLL.GetDataList();
}
My question is what is a professional way to secure this web method?what are possible methods of securing webmethods so that a user wont copy that url from client debugging tools and use it.我的问题是什么是保护此 Web 方法的专业方法?保护 Web 方法的可能方法是什么,以便用户不会从客户端调试工具复制该 url 并使用它。
Note:These are open pages,user do nto need to be loged in for these pages.注意:这些是打开的页面,用户不需要登录这些页面。
UPDATE: I want to make it more difficult for someone to continue using my webservice without actually visiting my site.更新:我想让某人在不实际访问我的网站的情况下继续使用我的网络服务变得更加困难。
2 个解决方案
解决方案1
0 2014-04-13 11:17:36
There is no showData() function in your code but yes anyone could simply call the example.aspx/showData url and get a response.您的代码中没有 showData() 函数,但是任何人都可以简单地调用 example.aspx/showData url 并获得响应。
You can do stuff to try and ensure they are calling from your page.你可以做一些事情来尝试确保他们从你的页面调用。 At it's simplest you could simply check they already have loaded the page via checking (in your web service) for a session parameter (which you set when the page loads).最简单的是,您可以通过检查(在您的 Web 服务中)会话参数(您在页面加载时设置)来简单地检查他们是否已经加载了页面。 Or, for example, see http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks .或者,例如,请参阅http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks 。
However, without any form of authentication before loading the page and allowing the service call there I think that the value of any such security measures are dubious - you are giving yourself the illusion of security without actually having any.但是,在加载页面之前没有任何形式的身份验证并允许在那里调用服务,我认为任何此类安全措施的价值都是可疑的 - 您给自己带来了安全的错觉,而实际上没有任何安全措施。 Anyone who wants to call your service can simply script a load of the page followed by the call and monitor your results.任何想要调用您的服务的人都可以简单地编写页面加载脚本,然后调用并监控您的结果。 The web service is as open as the page calling it - and it's not meaningful to say "I've got this open web page but want to make sure it's only called in a certain way/by certain people". Web 服务与调用它的页面一样开放 - 说“我有这个打开的网页但想确保它只以某种方式/由某些人调用”是没有意义的。
You are safer, in my opinion, to simply treat the web service as open and not reveal anything there that you would not be comfortable putting on an open web page.在我看来,您更安全的做法是简单地将 Web 服务视为开放的,并且不要在其中透露任何您不愿意放在开放网页上的内容。
解决方案2
0 2021-03-08 07:57:13
May not be the best solution in the world, but very easy and quick to implement-可能不是世界上最好的解决方案,但实施起来非常简单快捷——
Use Cloudflare > Firewall > Tools > Rate limiting > create custom rule to block visits more than a given frequency to differentiate between use and abuse使用 Cloudflare > 防火墙 > 工具 > 速率限制 > 创建自定义规则来阻止超过给定频率的访问,以区分使用和滥用
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.