简体繁体 English

验证网络服务

[英]Authenticate a web service

原文 2012-10-09 05:35:53 8 6 c#/ .net/ web-services/ rest

I have developed some RESTful web services using C#. 我已经使用C＃开发了一些RESTful Web服务。 Can anyone suggest me (with some resources to follow) the best method to authenticate the services since it will be passing through and retrieving some very sensitive data. 任何人都可以建议我（需要一些资源）对服务进行身份验证的最佳方法，因为它将通过并检索一些非常敏感的数据。

6 个解决方案

Are you using WebAPI for your RESTful services? 您是否正在将WebAPI用于RESTful服务？ or have you developed using the deprecated REST starter kit? 还是使用过时的REST入门工具包进行开发？

If you are using WebAPI, you can follow this link: 如果您使用的是WebAPI，则可以点击以下链接：

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/ http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/

You can use Standard Authorize attribute and you can also extend that class to customize to your needs and use https for secure channel. 您可以使用Standard Authorize属性，也可以扩展该类以根据需要进行自定义，并使用https作为安全通道。

I will recommend using API Key, here is an post to follow. 我将建议使用API密钥，这是后续文章。 http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx http://blogs.msdn.com/b/rjacobs/archive/2010/06/14/how-to-do-api-key-verification-for-rest-services-in-net-4.aspx

This gives you the security you need with simplicity, and it doesnt prevent you to add further security on top such as https or use of client certificates. 这使您可以轻松获得所需的安全性，并且不会阻止您在顶部添加其他安全性，例如https或使用客户端证书。

There's a number of ways to go about this, and your final solution should probably employ a mixture of them. 有很多方法可以解决此问题，您的最终解决方案可能应该混合使用它们。 First of all, only expose HTTPS endpoints (and get a good certificate). 首先，仅公开HTTPS端点（并获得良好的证书）。 If possible, use Windows authentication, and limit access to only certain users. 如果可能，请使用Windows身份验证，并将访问权限限制为仅某些用户。 You might also encrypt certain of the data elements that are coming in (and decrypt them in your C# code). 您也可以加密某些传入的数据元素（并在C＃代码中解密它们）。

In similar situation I am using https and two additional two parameter for each request. 在类似情况下，我为每个请求使用https和两个其他两个参数。 Those are user name and encrypted password. 这些是用户名和加密的密码。

I Knew a simple solution but it's very simple and straight forward, 我知道一个简单的解决方案，但是它非常简单直接
You can authorize the service request by validating some common input parameter, like some valid key as a query parameter for the service and validate it in the service .. If succeed go ahead, fails say UnAuthorized . 您可以通过验证一些公共输入参数（例如将某些有效密钥作为服务的查询参数）并在服务中对其进行验证来授权服务请求。如果成功，则失败，则说UnAuthorized 。 In JVM Servers I can have the actual key and will request the server to authenticate the incoming key. 在JVM服务器中，我可以拥有实际的密钥，并将请求服务器对传入的密钥进行身份验证。 No aware about C#... HTH 不知道C＃... HTH

If you are very concerned about authentication, one of the best methods is to use SSL Client Certificates . 如果您非常担心身份验证，最好的方法之一就是使用SSL客户端证书 。 You create and issue an SSL certificate for each user of your system, and they use that certificate when connecting to your server (obviously, over SSL). 您为系统的每个用户创建并颁发一个SSL证书，并且他们连接到服务器时（显然是通过SSL）使用该证书。 You can verify that they are the authenticated user through APIs specific to your web server. 您可以通过特定于您的Web服务器的API验证他们是经过身份验证的用户。