
How should I secure my WCF Rest/JSON Services for use with an iOS/Android Application?

We're in the process of building a new web application stack. The back-end functionality will be heavily service based, but as some of these services will need to be exposed to the public internet, I'll need to secure them. I've partially succeeded by locking down the service URLs using the standard membership/role provider model. The part I'm having trouble with at the minute is: if we were to ever build an iOS (or Android) application on top of our service stack, how would we go about handling security?

I'm completely open to suggestions. I've included some information below on the setup so far.

  1. ASP.NET website using SQL Membership/Role Provider / Forms Authentication, running over an HTTPS connection. Only the Default/Login/FAQ pages are publicly accessible. All other pages live in a folder called "/Secure" which requires you to be authenticated.

  2. WCF WebService. All back-end functionality is provided through this service. Endpoints are only available on the local intranet. The ASP.NET website code-behind talks to the service using a standard Service Reference.

  3. WCF REST/JSON services. Some of the above functionality is re-wrapped in a WCF REST/JSON service. This was set up using the "WCF REST Template 40". The services are then routed using System.Web.Routing to "/Secure/jsonsvc/*". Because this is beneath the /Secure folder, it inherits the membership/role provider security for any request, e.g. XMLHttpRequest calls to this service from a client-side jQuery widget would only work for users who had already logged into our site.

  4. In the future, these same WCF REST/JSON services may need to be consumed by an external application (e.g. an iPad app). What would the best way to approach this be, given the lack of an HTTP site/session/login context?

As you know, ASP.NET forms authentication uses a cookie to maintain your authenticated session. Leaving aside any arguments as to whether this is the best way to handle things under a REST methodology, I see no technical reason why you would not be able to use the same cookie in your iOS app.

You would obviously need either a simple login web page (displayed in your app via a UIWebView) or a login REST method to return the cookie to you in the first place, and then on subsequent requests you would simply return the cookie with the request (here is a little bit of information on handling cookies in iOS using the ASIHTTP library).

A couple of important things to keep in mind: you do not have any control over the wireless network that the device is on, so you should definitely be using SSL; and you should take into account failures/retries/etc. for a login REST method just as you would for a login page (if not more so).

Hope that helps!
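The exchange the answer describes, as an added example that is not part of the original post, the question's project, or ASP.NET's own code: a Python simulation in which a stand-in for the WCF REST service mounted under /Secure/jsonsvc/ issues an auth cookie from a login method, a stand-in for the native app stores the cookie, replays it on every later request and re-authenticates exactly once when it gets a 401, and the service refuses both credentials and the cookie on anything other than https. The ticket format, the cookie name AUTH, the 30-minute lifetime, the user record and the paths are all assumptions made for the example; the real .ASPXAUTH ticket is encrypted and signed by ASP.NET, not by this code.

```python
"""Constructed simulation of the cookie-based login flow from the answer above.
Both sides run in-process.  The ticket is NOT ASP.NET's .ASPXAUTH format
(assumption: an HMAC-signed, time-limited token is enough to show the exchange);
cookie name, paths, TTL and the credential store are made up for the example."""
import hashlib
import hmac
import secrets
import time

TICKET_KEY = secrets.token_bytes(32)               # per-deployment secret (assumed)
TICKET_TTL = 30 * 60                               # 30 min lifetime (assumed)
USERS = {"alice": "correct horse battery staple"}  # constructed credential store


def _sign(payload: str) -> str:
    return hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _issue_ticket(user: str, now: float) -> str:
    payload = f"{user}|{int(now) + TICKET_TTL}"
    return f"{payload}|{_sign(payload)}"


def _verify_ticket(ticket: str, now: float):
    """Return the user for a well-formed, correctly signed, unexpired ticket, else None."""
    parts = ticket.split("|")
    if len(parts) != 3:
        return None
    user, expires, sig = parts
    if not hmac.compare_digest(sig.encode(), _sign(f"{user}|{expires}").encode()):
        return None
    return user if int(expires) >= now else None


def service(request: dict, now: float = None) -> dict:
    """Service side: dispatch one request {method, scheme, path, headers, body}."""
    now = time.time() if now is None else now
    if request["scheme"] != "https":
        # Never accept a password or the auth cookie over a network the app does not control.
        return {"status": 403, "headers": {}, "body": {"error": "https required"}}
    if request["method"] == "POST" and request["path"] == "/Secure/jsonsvc/login":
        creds = request["body"] or {}
        if USERS.get(creds.get("user")) != creds.get("password"):
            return {"status": 401, "headers": {}, "body": {"error": "bad credentials"}}
        cookie = f"AUTH={_issue_ticket(creds['user'], now)}; Secure; HttpOnly; Path=/Secure"
        return {"status": 200, "headers": {"Set-Cookie": cookie}, "body": {"ok": True}}
    # Everything else beneath /Secure inherits the auth requirement, as in the question.
    user = _verify_ticket(request["headers"].get("Cookie", "").partition("AUTH=")[2], now)
    if user is None:
        return {"status": 401, "headers": {}, "body": {"error": "not authenticated"}}
    if request["path"] == "/Secure/jsonsvc/profile":
        return {"status": 200, "headers": {}, "body": {"user": user}}
    return {"status": 404, "headers": {}, "body": {}}


class AppClient:
    """App side: log in once, keep the cookie, replay it, re-login once on 401."""

    def __init__(self, user: str, password: str):
        self.user, self.password = user, password
        self.cookie = None   # a real app keeps this in the Keychain / Keystore-backed storage
        self.logins = 0

    def login(self, now: float = None) -> None:
        resp = service({"method": "POST", "scheme": "https", "path": "/Secure/jsonsvc/login",
                        "headers": {}, "body": {"user": self.user, "password": self.password}}, now)
        if resp["status"] != 200:
            raise PermissionError("login rejected")
        self.cookie = resp["headers"]["Set-Cookie"].split(";")[0]  # keep only name=value
        self.logins += 1

    def get(self, path: str, now: float = None) -> dict:
        if self.cookie is None:
            self.login(now)
        req = {"method": "GET", "scheme": "https", "path": path,
               "headers": {"Cookie": self.cookie}, "body": None}
        resp = service(req, now)
        if resp["status"] == 401:   # ticket expired or revoked: re-authenticate, retry once
            self.login(now)
            req["headers"]["Cookie"] = self.cookie
            resp = service(req, now)
        return resp


def demo() -> dict:
    """Run the exchange at fixed timestamps so expiry is deterministic."""
    t0 = 1_700_000_000
    app = AppClient("alice", "correct horse battery staple")
    first = app.get("/Secure/jsonsvc/profile", t0)                      # login + call
    second = app.get("/Secure/jsonsvc/profile", t0 + 60)                # cookie replayed
    expired = app.get("/Secure/jsonsvc/profile", t0 + TICKET_TTL + 1)   # 401 -> re-login
    forged = service({"method": "GET", "scheme": "https", "path": "/Secure/jsonsvc/profile",
                      "headers": {"Cookie": "AUTH=alice|9999999999|00"}, "body": None}, t0)
    plaintext = service({"method": "GET", "scheme": "http", "path": "/Secure/jsonsvc/profile",
                         "headers": {"Cookie": app.cookie}, "body": None}, t0)
    return {"first": first["body"], "second": second["body"], "expired": expired["body"],
            "logins": app.logins, "forged": forged["status"], "plaintext": plaintext["status"]}


if __name__ == "__main__":
    print(demo())
```

The three calls in demo() show the lifecycle the answer sketches: one login, a cookie replayed unchanged on the next call, and a transparent re-login when the ticket has expired; the forged and plaintext requests show the two checks the service must not skip (signature and https). A native app would do the same with its HTTP stack's cookie store over TLS, and should treat a second 401 after re-login as a hard failure rather than looping.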
