我重构一个使用ASP.NET Web服务工作的ASP.NET Web应用程序公开的Web服务接口。据 Web服务的身份验证 - 最佳实践的，基本验证了HTTPS是要走的路。让我们假设它是，而不是做的WS-Security，X509等。

I am refactoring a working ASP.NET Web Application to expose Web Services interface using ASP.NET Web Service. According to Web Services authentication - best practices, Basic Auth over https is the way to go. Let's assume it is, as opposed to doing WS-Security, X509, etc..

在.NET 3.5 / VS 2008，什么是实现自定义HTTP基本身份验证（非Windows帐户），例如，只接受，如果用户名是富，密码为栏的最简单的方法。最后，我想 Thread.CurrentPrincipal中设置。

On .NET 3.5/VS 2008, what's the simplest way of implementing custom http Basic Authentication (non-Windows account), for example, accepting only if user name is "foo" and password is "bar". Ultimately, I'd like Thread.CurrentPrincipal set.

难道我写我自己的 HTTP模块，也可以这样做简单？

Do I write my own HttpModule or can this be done simpler?

推荐答案

有可能使用自定义基本身份验证的IIS ，写多米尼克·拜尔是要走的路。 正如他所指出 WCF 3.5的用户名在传输安全，不能使用在IIS托管服务，但我的问题是关于ASP.NET Web服务不是WCF。

Likely using Custom Basic Authentication for IIS, written by Dominick Baier is the way to go. As he points out WCF 3.5's usernames over transport security cannot be used on IIS-hosted service, although my question was regarding ASP.NET Web Services not WCF.

还有一个实施的HTTP模块在ASP.NET称为基本身份验证对自定义数据源通过桑托斯Sahoo 的。

There's another implementation of HTTP Module called Basic authentication in ASP.NET against custom datasource by Santosh Sahoo.

尽管这不是我想要的东西，我发现快速入门教程的SOAP头样本是信息解决方法。在纯文本中通过HTTP发送密码显然不安全，但是本实施例可以被扩展以添加更多的安全性，例如在运行的https或发送密码+一次性GUID +时间戳的哈希

Although it's not what I wanted, I found QuickStart Tutorial's SOAP Headers sample to be informative workaround. Sending password in plain text over http is clearly insecure, but this example could be extended to add more security, for instance running on https or sending hash of "password + one-time GUID + timestamp".