简单的Web服务认证/授权不是那么简单吗?
[英]Simple Webservice Authentication/Authorization not so simple?
问题描述
Some years ago I added a webservice interface to an existing web application that would allow the creation of custom clients to manipulate the data held by the application. 
几年前,我在现有的Web应用程序中添加了一个Web服务接口,该接口允许创建自定义客户端来操纵该应用程序所保存的数据。 The clients were primarily .NET, whereas the web application was Java (hosted in a Tomcat server), and since back then the interoperability between these two platforms was not so great, I created my own little homegrown auth scheme, using a binary security token spliced into the request/response xml by handlers on both sides. 客户端主要是.NET,而Web应用程序是Java(托管在Tomcat服务器中),并且从那时起,这两个平台之间的互操作性还不是很好,因此我使用二进制安全令牌创建了自己的小型本地身份验证方案。双方的处理程序都将其拼接到请求/响应xml中。
Since then, technology has progressed on both sides (there's the Metro project on the Java side which emphasizes interoperability with the .NET world); 从那时起,双方的技术都取得了进步(Java方面的Metro项目强调与.NET世界的互操作性)。 unfortunately I've been busy with other projects and haven't kept up with the details as much. 不幸的是,我一直在忙于其他项目,并且没有及时了解细节。 But from what I have read about it so far, shouldn't it be possible to do something similar properly using (relatively) new standards like WS-Security, WS-Policy and the likes? 但是,到目前为止,从我所读到的内容中,难道不可以使用(相对)新的标准(例如WS-Security,WS-Policy等) 正确地执行类似的操作吗?
I've been given the chance to update the code from back then, and I would really like to do it "right" this time. 从那时起,我就有了机会来更新代码,这次我真的很想做对了。 Something that bothered me about the old solution was that the presence of the security token was not reflected in the wsdl (anyone implementing a client would have to know about it from some other source, and include some classes provided by me for the handler, the token and some extra lines of code to hook them up to the web service) - something that, as far as I've understood the WS-* specs, should be possible with WS-Policy or WS-SecurityPolicy? 关于旧解决方案,令我感到困扰的是,安全令牌没有反映在wsdl中(实现客户端的任何人都必须从其他来源了解它,并包括我为处理程序提供的一些类,令牌和一些额外的代码行以将它们连接到Web服务)-就我所了解的WS- *规范而言,WS-Policy或WS-SecurityPolicy应该可以实现吗?
But somehow I have been unable so far to find any resources (examples, tutorials, etc.) online that would explain how one would even begin to go about implementing something like that. 但是到目前为止,我仍然无法以某种方式在网上找到任何资源(示例,教程等)来解释人们甚至将如何着手实现这样的东西。
So, given up-to-date technology and standards (like a server using the Metro framework, and a client in .NET 3 or 4 using WCF), would it be possible to create a web service that uses basic user/password authentication to "Log In" (ie create some kind of session, or "conversation") to the service, then allows carrying out any operations on the service while the session remains valid, and invalidates the session once the user either explicitly "Logs Out" or a timeout expires? 因此,如果使用最新的技术和标准(例如使用Metro框架的服务器以及使用WCF的.NET 3或4中的客户端),则可以创建使用基本用户/密码身份验证的Web服务来“登录”(即创建某种会话或“对话”)到服务,然后允许在会话保持有效的同时对服务执行任何操作,并且一旦用户明确“注销”或使该会话无效超时到期?
1 个解决方案
解决方案1
1 2011-08-02 08:52:45
- Using WS-Security with Spring Web Services 将WS-Security与Spring Web Services结合使用
- Using Apache CXF with WS-Security 将Apache CXF与WS-Security一起使用
- And finally with Metro 最后是地铁
Haven't used Metro myself, but I can only recommend either SWS or CXF. 我自己还没有使用过Metro,但是我只能推荐SWS或CXF。 (However, in my experience WS authentication & authorization is anything but simple) (但是,以我的经验,WS认证和授权绝非易事)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.