保护Web服务的方法有效吗?
[英]Securing Web Services approach valid?
问题描述
Currently I am looking at securing our web services. 
目前,我正在考虑保护我们的Web服务。 At the moment we are not using WCF so this is not an option. 目前,我们不使用WCF,因此这不是一个选择。 One approach I have seen and implemented locally fairly easily was the approach described in article: 我在本地很容易看到并实现的一种方法是本文中描述的方法:
http://www.codeproject.com/KB/aspnet/wsFormsAuthentication.aspx http://www.codeproject.com/KB/aspnet/wsFormsAuthentication.aspx
Which describes adding a HttpModule which prompts for user credentials if the user browses to any pages (web services) which are contained in a services folder. 它描述了添加一个HttpModule,如果用户浏览到服务文件夹中包含的任何页面(Web服务),则提示用户输入凭据。 Does anyone see any way that this security could fall down and could be bypassed etc. I'm really just trying to decide whether this is a valid approach to take or not? 有没有人看到这种安全性可能会下降并可以被绕开的任何方式。我真的只是在尝试确定这是否是一种有效的方法?
thanks 谢谢
1 个解决方案
解决方案1
1 已采纳 2010-05-19 14:23:51
Seems a bit clumsy to have a person browse to a page in order to use a web service, which is typically done programmatically. 让人们浏览页面以使用Web服务似乎有点笨拙,这通常是通过编程完成的。
You can simply hide your web services behind formsauthentication, and have an authentication endpoint that sets the forms ticket. 您可以简单地将您的Web服务隐藏在formauthentication后面,并具有一个设置表单票证的身份验证端点。
The service client would then just hang on to the CookieContainer and use it for subsequent requests. 然后,服务客户端将仅挂在CookieContainer上,并将其用于后续请求。
Whatever you do, you must ensure that any pipe that has credentials going through it is secured via SSL. 无论您做什么,都必须确保通过SSL进行身份验证的任何管道都受到安全保护。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.