1

如何授权客户端(在这种情况下,客户端是应用程序)在 .NET 中使用 Web 服务,

例如:我希望第三方应用程序调用一个方法,但不允许网络内的其他应用程序调用此方法。

我想避免传输层授权并使用基于消息的授权。

4

2 回答 2

1

最简单(也是最“便携”)的事情是使用HTTP Authentication

于 2009-02-10T09:31:50.847 回答
1

您应该查看 WS-Security 和 WS-Policy 标准。最好的方法是让客户端应用程序签署所有请求(使用私钥)并在服务器端检查此签名。

我们使用这样的设置,在 WSDL 中有以下 WS-Policy 定义:

<!--Endpoint Policy-->
<wsp:Policy wsu:Id="Endpoint_policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>

      <sp:AsymmetricBinding
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>

          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>

          <sp:AlgorithmSuite>
            <wsp:Policy>
              <!-- sp:Basic256/-->
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>

          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>

        </wsp:Policy>
      </sp:AsymmetricBinding>

      <sp:Wss10
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<!--End of Endpoint Policy-->

<!--Message Policy1-->
<wsp:Policy wsu:Id="Sign_message_policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>

      <sp:SignedParts
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<!--End of Message Policy1-->

然后在 WSDL 的绑定部分引用这些策略。例子:

  <binding name="ExampleServiceSOAP" type="foobar:ExampleServicePort">
    <!-- WS-Security -->
    <wsp:PolicyReference URI="#Endpoint_policy" />
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getSomething">
      <soap:operation soapAction="getSomething" style="document"/>
      <input>
        <!-- WS-Security -->
        <wsp:PolicyReference URI="#Sign_message_policy" />
        <soap:body use="literal"/>
      </input>
      <output>
        <soap:body use="literal"/>
      </output>
    </operation>
  </binding>
于 2009-02-10T10:23:41.533 回答