0

What is the simplest effective approach for securing a WCF Web Service built to be a combined DAL/BLL consumed ONLY by a single small ASP.NET web app?

Background:

I am relatively a web development noob, especially when it comes to security.

Current DAL exists as a library in both the web app and an asmx web service, completely home-brewed in VS2003. The authentication/token generation method is called via the web service, but everything else is called directly from the web app. Our DBA is concerned that this is insecure and wants all database access to occur in a web service as well (I'm not in much of a position to question whether this concern/solution is valid in the first place, but if anyone can elaborate on why it is or isn't please do).

I am armed with VS2012 and this is my task. My research has steered me to WCF, and I've already created a test web service, and a test web app that successfully consumes it.

4

1 回答 1

0

我建议发现类型共享和 DataContract 共享之间的区别。

但最快的路径是:

将 NetDataContractSerializer 用于“跨网”的 DotNet 对象。这是“类型共享”序列化程序。但它只有在您的客户只是 DotNet 时才有效(这似乎是您的情况)。

我会怎么做?

  1. 创建域库(是DTO 对象)
  2. 让 WCF IService(s) .. 引用该库。所有“合同”都需要接受 DTO 库中的标量或对象。
  3. 有一个实现 IServices 的包装器“服务层”(服务器端)。这里的代码将非常“愚蠢”。只需将请求传递给您真正的业务层。(这种分离的原因是您可以在不通过 WCF 的情况下获得业务层逻辑(想想“单元测试”)。
  4. 与客户端共享您的域库(DTO 对象)dll。(这取决于使用 NetDataContractSerializer,也就是使用类型共享)。

一旦完成......你将有“原始”WCF 工作。然后您可以通过配置应用您的 wcf 安全性。

这是使用基于证书的安全性的好方法。

http://blog.mitchdenny.com/2007/09/06/using-certificate-based-authentication-and-protection-with-windows-communication-foundation-wcf/

于 2013-06-13T17:37:05.643 回答