如何验证在Web App中调用Web服务的Windows Mobile客户端
[英]How to authenticate a Windows Mobile client calling web services in a Web App
问题描述
I have a fairly complex business application written in ASP.NET that is deployed on a hosted server. 
我有一个用ASP.NET编写的相当复杂的业务应用程序,它部署在托管服务器上。 The site uses Forms Authentication, and there are about a dozen different roles defined. 该站点使用表单身份验证,并定义了大约十几个不同的角色。 Employees and customers are both users of the application. 员工和客户都是该应用程序的用户。
Now I have the requirement to develop a Windows Mobile client for the application that allows a very specialized set of tasks to be performed from a device, as opposed to a browser on a laptop. 现在我需要为应用程序开发Windows Mobile客户端,允许从设备执行非常专业的任务集,而不是笔记本电脑上的浏览器。 The client wants to increase productivity with this measure. 客户希望通过这一措施提高生产力。 Only employees will use this application. 只有员工才会使用此应用程序。
I feel that it would make sense to re-use the security infrastructure that is already in place. 我觉得重新使用已经存在的安全基础设施是有意义的。 The client does not need offline capability. 客户端不需要脱机功能。
My thought is to deploy a set of web services to a folder of the existing site that only the new role "web service" has access to, and to use Forms Authentication (from a Windows Mobile 5/.Net 3.5 client). 我的想法是将一组Web服务部署到只有新角色“Web服务”可以访问的现有站点的文件夹,并使用Forms Authentication(来自Windows Mobile 5 / .Net 3.5客户端)。
I did see this question and I am aware of the limitations that Forms Authentication poses. 我确实看到了这个问题 ,我知道表单身份验证带来的限制。 Since security is not my primary motivator (I use SSL and can restrict access by IP address), but rather using existing user accounts and roles, my decision tree is somewhat different as well. 由于安全性不是我的主要动力(我使用SSL并且可以通过IP地址限制访问),而是使用现有的用户帐户和角色,我的决策树也有所不同。
Can I do this, is it a good idea, and are there any code examples/references that you can point me to? 我可以这样做,这是一个好主意,是否有任何代码示例/参考可以指向我?
1 个解决方案
解决方案1
1 已采纳 2010-05-19 20:33:22
I ended up with a combination of things. 我最终得到了一些东西。 First, forms authentication does not really work in this scenario, because of the redirects that you get when a users is not logged in or the credentials are incorrect. 首先,表单身份验证在这种情况下并不真正起作用,因为当用户未登录或凭据不正确时,您会获得重定向。
Because I want to use the user accounts from the web app, I worked around this by just calling Membership.ValidateUser prior to processing each service call on the server. 因为我想使用来自Web应用程序的用户帐户,所以我在处理服务器上的每个服务调用之前只调用Membership.ValidateUser来解决这个问题。
A user is prompted for an id and password when logging on to the client. 登录到客户端时,系统会提示用户输入ID和密码。 I store both values encrypted in the proxy class and pass them transparently with each call using a host header, so that the application does not have to bother with this once the user is logged in, ie the credentials were validated once by calling the Login() service method (which only calls Membership.ValidateUser). 我将两个加密的值存储在代理类中,并使用主机头进行每次调用时透明地传递它们,这样一旦用户登录,应用程序就不必为此烦恼了,即通过调用Login验证了一次凭证( )服务方法(仅调用Membership.ValidateUser)。
I use the CryptoApi on both the server and the client side. 我在服务器端和客户端都使用CryptoApi。 I understand that host headers are somewhat outdated for security applications, but since I use strong encryption AND SSL, it is perfectly adequate. 我知道主机标头对于安全应用程序来说已经过时,但由于我使用强加密和SSL,因此它非常适合。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.