简体繁体 English

为了保护将要由多个客户端访问的数据库，将Web服务用作代理是否过大？

[英]for securing a database that is meant to be accessed by several clients, is using a web service as a proxy an overkill?

原文 2012-08-15 20:02:22 2 2 c#/ database/ web-services/ security

we're going to have a database, and a client application that is going to be installed on several machines in a local network, and they must be able to access the DB. 我们将拥有一个数据库，以及一个客户端应用程序，该客户端应用程序将被安装在局域网中的多台计算机上，并且它们必须能够访问数据库。

Some of them must be able to edit and modify the DB, and some of them are going to just read them. 它们中的一些必须能够编辑和修改数据库，而另一些将仅读取它们。 each of these two groups are separated to several groups too, based on who must be able to access to which table/field. 根据谁必须能够访问哪个表/字段，这两个组中的每一个也分为几个组。

To create this application, we were gave an advice to deploy a web service to role as a proxy between clients and the DB, in order to secure the DB. 为了创建此应用程序，我们建议您部署一个Web服务以充当客户端和数据库之间的代理，以保护数据库。

But we're not transferring any sensitive data (such as credit card numbers or...) and we're only afraid of not an unauthorized person be able to modify the DB. 但是我们不会传输任何敏感数据（例如信用卡号或...），我们只担心未经授权的人不能修改数据库。

Isn't just using the integrated security option in the app.config sufficient? 仅仅使用app.config中的integrated security选项还不够吗？
Do we really need to hide and secure the connection string? 我们真的需要隐藏并保护连接字符串吗？

2 个解决方案

Sounds way overboard to me. 听起来对我来说太过分了。 If the application is only going to be used internally, and Windows authentication is an option, certainly use it. 如果仅在内部使用该应用程序，并且可以选择Windows身份验证，则一定要使用它。 Building a web service is only going to slow down development and add an unnecessary layer of complexity. 构建Web服务只会减慢开发速度并增加不必要的复杂性。 The read/write users could be members of a Windows group that has read/write access to the database, and the read-only users could be members of a Windows group that only has read access to the database. 读/写用户可以是对数据库具有读/写访问权限的Windows组的成员，而只读用户可以是仅对数据库具有读访问权限的Windows组的成员。 Then, if the user is able to gain direct access to the database (without using your front-end) they would only be able to either read or read/write based on their Windows rights. 然后，如果用户能够直接访问数据库（而无需使用您的前端），则他们只能基于Windows权限进行读取或读取/写入。

It could be overkill, but it might not be. 这可能是矫kill过正，但事实并非如此。 Deciding to go to a Service-Oriented Architecture could be based on several factors, among which: 决定采用面向服务的体系结构可能基于几个因素，其中包括：

How long are you expecting to maintain this application? 您希望维持此应用多长时间？
How many client deployments are you expecting? 您期望多少个客户端部署？
Do you expect your database to change often? 您是否希望数据库经常更改？
What are your SLA requirements? 您的SLA要求是什么？
Do you expect the database to eventually be used for other applications? 您是否希望该数据库最终可用于其他应用程序？
etc... 等等...

The long and short of it is, if you want to be able to change things in the middle tier or database, and you don't want to have to upgrade every client when you do so, adding a Service layer might be the way to go. 总而言之，如果您希望能够更改中间层或数据库中的内容，并且不想在升级时升级每个客户端，则添加服务层可能是实现升级的一种方法。走。 You also have the advantage of providing a rich API for other client developers (internal or external) while controlling business rules and security in one, centralized location. 您还具有为其他客户端开发人员（内部或外部）提供丰富的API的优势，同时可以在一个集中的位置控制业务规则和安全性。

SOA definitely adds to the complexity of the project, but in many cases, it can save you a lot of headaches in the future. SOA无疑增加了项目的复杂性，但是在许多情况下，它可以节省您将来的许多麻烦。

For further reading, look at http://en.wikipedia.org/wiki/Service-oriented_architecture , http://www.soapatterns.org/ , or Google. 如需进一步阅读，看http://en.wikipedia.org/wiki/Service-oriented_architecture ， http://www.soapatterns.org/ ，或谷歌。