
Authenticate a Client connecting to a web service

I have a WCF web service. This web service should only allow certain client applications (built with technologies like Silverlight, Flex, ClickOnce, etc.) to execute its functionality. In an attempt to accomplish this, I have started each publicly visible method with the following code:

if (IsClientValid(...) == false) return;

My question is, what should I check for? I have considered passing a unique identifier as a string parameter and then passing that parameter to the IsClientValid method. However, I know that someone could use a tool like Fiddler to sniff out that parameter value and use it in their own applications. How do I uniquely identify my client applications such that only they can utilize my WCF web services?

Thank you

Depending on how far you want to go you can do any number of things. In an app I worked on we did the following:

  • Message security - to encrypt your messages, the client must provide credentials (userNameAuthentication), with the server providing a serviceCertificate for message encryption.

  • Custom encrypted SOAP headers were used to provide client details with each message after the initial login. This header is encrypted using a combination of values taken from the client application and values retrieved from the server in the initial call.

  • All client outgoing messages attach the encrypted header, which the server extracts/decrypts upon receipt, and the base service verifies that the required values are present.

  • In addition to this, a collection of encrypted headers is stored server side to guard against replay attacks using sniffed headers.

I can provide additional resources/links on how to achieve some of this if you think you could use some of it.

Edit: Assuming that the client apps are under your control.
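The encrypted per-message header with a server-side replay guard that this answer describes, as an added example (not the answerer's code and not a WCF API): the client builds a header from its id, a timestamp and a random nonce, encrypts it with a key derived from a value baked into the client build and a value issued by the server at login (both hypothetical names here), and MACs the result; the server checks the MAC before decrypting, rejects stale or future-dated headers, and remembers accepted nonces so a sniffed header cannot be presented twice. In WCF the Verify call would sit in an IDispatchMessageInspector.AfterReceiveRequest that reads the header by name; that plumbing is left out so the logic runs on its own.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not from the answer above. Hypothetical inputs: clientSecret
// (compiled into the client) and sessionToken (returned by the server at login).
public static class ClientHeader
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    static readonly TimeSpan Window = TimeSpan.FromMinutes(5);   // accepted clock skew / header lifetime
    const int IvLen = 16, MacLen = 32;

    // Nonces accepted within the window; a second presentation of the same nonce is a replay.
    static readonly ConcurrentDictionary<string, DateTime> SeenNonces = new ConcurrentDictionary<string, DateTime>();

    // Session key computed independently by both sides; it never crosses the wire.
    public static byte[] DeriveKey(string clientSecret, string sessionToken)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(clientSecret + "|" + sessionToken));
    }

    // Separate sub-keys for encryption and authentication.
    static byte[] SubKey(byte[] key, string label)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(label));
    }

    // Client side: base64( iv || AES-CBC(clientId|unixTime|nonce) || HMAC(iv||ciphertext) )
    public static string Build(byte[] key, string clientId, DateTime utcNow)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        long unix = (long)(utcNow - Epoch).TotalSeconds;
        byte[] plain = Encoding.UTF8.GetBytes(clientId + "|" + unix + "|" + Convert.ToBase64String(nonce));
        byte[] body;
        using (var aes = Aes.Create())
        {
            aes.Key = SubKey(key, "enc"); aes.GenerateIV();
            using (var enc = aes.CreateEncryptor())
                body = Concat(aes.IV, enc.TransformFinalBlock(plain, 0, plain.Length));
        }
        using (var h = new HMACSHA256(SubKey(key, "mac")))
            return Convert.ToBase64String(Concat(body, h.ComputeHash(body)));
    }

    // Server side: verify the MAC before touching the ciphertext, then freshness, then the nonce.
    public static bool Verify(byte[] key, string header, ISet<string> knownClients, DateTime utcNow)
    {
        byte[] blob;
        try { blob = Convert.FromBase64String(header); } catch (FormatException) { return false; }
        if (blob.Length < IvLen + 16 + MacLen) return false;
        int bodyLen = blob.Length - MacLen;
        byte[] mac;
        using (var h = new HMACSHA256(SubKey(key, "mac"))) mac = h.ComputeHash(blob, 0, bodyLen);
        if (!FixedTimeEquals(mac, blob, bodyLen)) return false;   // tampered or wrong key

        string text;
        using (var aes = Aes.Create())
        {
            aes.Key = SubKey(key, "enc");
            var iv = new byte[IvLen]; Array.Copy(blob, 0, iv, 0, IvLen); aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
                text = Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, IvLen, bodyLen - IvLen));
        }
        var parts = text.Split('|');
        if (parts.Length != 3 || !knownClients.Contains(parts[0])) return false;
        if (!long.TryParse(parts[1], out long unix)) return false;
        DateTime issued = Epoch.AddSeconds(unix);
        if (issued < utcNow - Window || issued > utcNow + Window) return false;   // stale or future-dated
        foreach (var kv in SeenNonces) if (kv.Value < utcNow - Window) SeenNonces.TryRemove(kv.Key, out _);
        return SeenNonces.TryAdd(parts[2], issued);   // false: this header was already accepted once
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    // Constant-time comparison of mac against blob[offset..] so the MAC check leaks no timing.
    static bool FixedTimeEquals(byte[] mac, byte[] blob, int offset)
    {
        int diff = 0;
        for (int i = 0; i < mac.Length; i++) diff |= mac[i] ^ blob[offset + i];
        return diff == 0;
    }

    public static void Main()
    {
        byte[] key = DeriveKey("client-build-secret", "session-token-from-login");   // constructed values
        var known = new HashSet<string> { "silverlight-app-v1" };
        string hdr = Build(key, "silverlight-app-v1", DateTime.UtcNow);
        Console.WriteLine(Verify(key, hdr, known, DateTime.UtcNow));   // first presentation
        Console.WriteLine(Verify(key, hdr, known, DateTime.UtcNow));   // same header again: replay
    }
}
```

The nonce cache is what turns a sniffed header from a reusable credential into a single-use one; the timestamp window bounds how long the cache has to remember each nonce. Note that this still only proves possession of the derived key, so an attacker who extracts clientSecret from the client binary can mint headers of their own, which is why the answer's "Edit" about controlling the clients matters.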

Check out client cert authentication. The basic idea is that the https connection will fail unless the client sends a valid cert, where you get to determine what is valid.
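A WCF host that requires a client certificate on the HTTPS transport and decides for itself what "valid" means, as an added example that is not the answerer's code. The URL, the service contract and the private issuing CA are assumptions; the validator accepts only certificates whose chain terminates at that CA, rather than at any root the machine happens to trust.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not from the answer above. Hypothetical names: ISecuredService,
// SecuredService, the listen URL and the issuing CA certificate passed in.
[ServiceContract]
public interface ISecuredService { [OperationContract] string WhoAmI(); }

public class SecuredService : ISecuredService
{
    // The validated client certificate identity is available per call from the security context.
    public string WhoAmI() => ServiceSecurityContext.Current.PrimaryIdentity.Name;
}

// Accept only client certificates issued by our own CA.
public class IssuerPinningValidator : X509CertificateValidator
{
    readonly X509Certificate2 _issuer;
    public IssuerPinningValidator(X509Certificate2 issuer) { _issuer = issuer; }

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null) throw new ArgumentNullException(nameof(certificate));
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.Add(_issuer);
            // Our CA is private, so do not require the OS to trust it; we pin it explicitly below.
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            // Revocation for a private CA must be handled by your own CRL distribution; not shown here.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException("client certificate chain did not build");

            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            if (!root.Thumbprint.Equals(_issuer.Thumbprint, StringComparison.OrdinalIgnoreCase))
                throw new SecurityTokenValidationException("client certificate not issued by the expected CA");
        }
    }
}

public static class HostSetup
{
    public static ServiceHost Create(X509Certificate2 issuerCa)
    {
        // Transport security over HTTPS; the handshake fails unless the client presents a certificate.
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;

        // For a self-hosted service the server certificate is bound to the port with
        // "netsh http add sslcert" (or by IIS), not in code.
        var host = new ServiceHost(typeof(SecuredService), new Uri("https://localhost:8443/secured"));   // hypothetical
        host.AddServiceEndpoint(typeof(ISecuredService), binding, "");

        // Replace chain-trust-against-the-machine-store with our own rule.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.Custom;
        auth.CustomCertificateValidator = new IssuerPinningValidator(issuerCa);
        return host;
    }
}
```

With this in place the check the question wanted to write by hand in each method is done once by the transport before any operation runs, and the per-call identity is still reachable through ServiceSecurityContext if individual operations need to authorize further. The remaining risk is the client's private key: it ships with the client application, so this authenticates "a copy of our client" rather than a particular user.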
