oData 只是一种通过开放 API 公开结构化数据的方式。它不要求任何特定形式的安全;可以拥有完全开放的数据集(如 wiki 数据库)或世界可读但私有可写的数据集(如国会议员投票的数据库,因此任何人都可以阅读它,但只有您可以更新它)。它还支持更复杂的安全结构(例如允许客户仅查询自己的历史记录的视频租赁商店)。
关于您的具体问题:
IQueryable,它正确地转义了所有值。Right now (to my knowledge), ADO.NET Data Services is the only oData provider available, and it's secure by default. I suppose that someone else could write an oData provider that wasn't secure by default or allowed SQL injection, but that would be foolish.
Also, remember that oData is completely divorced from the concept of authentication. It's up to you to use whatever authentication makes sense for your API. There's a great recent series of blog posts from the WCF team that address how oData works with various forms of authentication.
What's your business case for using OData? OData primarily exists to expose your data in a platform agnostic manner... so that .NET, Java, Php, Python, REST, etc clients can all access your data. Is that your use-case?
Or are you trying to expose your data via a service layer (kind of an SOA approach) so that your clients (which you control) are better decoupled from your data sources. In that case, OData may not be the right solution. I looked at OData as part of a data service layer and decided it is too slow. I'm now looking at Devforce which implements service-based access for Entity Framework models (via their BOS service)... full CRUD operations including LINQ to service-hosted model.
Security is to you desired level is possible either view OData or via DevForce. Pick the correct data-remoting solution, then research the correct security implementation.
当然,您可以在政府解决方案中使用它。OData 只是一种访问数据的方式,它与确保信息安全无关。您必须在传输级别 (SSL) 而不是在应用程序级别(为应用程序提供登录名和密码)实现安全性。
有很多方法可以解决这个问题。一个例子是,如果您使用 SSL,您可以强制您的客户端提供客户端证书并让其进行身份验证。一旦此人获得身份验证,您就可以使用您的应用程序来限制他们可以看到的内容(也许他们只能看到他们的客户信息,因此所有查询都会自动限制该人看到该信息。)