如何验证用户在使用AJAX调用WCF服务?用户、AJAX、WCF
我有需要从客户端(AJAX调用)称为WCF服务。 我想使用的ScriptManager的ASPX页面到服务引用添加到WCF服务(或)JQuery的AJAX调用WCF服务。我想拒绝匿名用户访问WCF服务。有没有办法从JavaScript调用服务方法之前做用户验证?如何从客户端获得我的WCF服务电话?
I have a WCF service which needs to be called from client side(ajax call). I want to use ScriptManager on ASPX page to add a ServiceReference to the WCF service (or) JQuery ajax call to the WCF service. I want to deny anonymous users accessing the WCF service. Is there any way to do user authentication before calling a service method from JavaScript? how to secure my WCF service calls from client side?
推荐答案
有很多事情可以做,以保护您的WCF服务。也许最简单的方法是,如果您的服务已在现有整个ASP.NET应用程序的一部分,是为了让ASP.NET兼容模式为您服务。如果你的ASP.NET应用程序使用身份验证来验证用户(如窗体身份验证),并要启用,它通过一个会话cookie,那么ASP.NET兼容模式做了大部分的工作,为你。
There are a number of things you can do to secure your WCF services. Probably the easiest way is if your services are already part of the existing overall ASP.NET application is to enable ASP.NET Compatibility Mode for your services. If your ASP.NET app uses authentication to validate users (e.g. forms authentication) and you are enabling that via a session cookie, then ASP.NET Compatibility Mode does most of that work for you.
在默认情况下,这是禁用的,但你可以用一个除了你的web.config启用:
By default, this is disabled, but you can enable it with an addition to your web.config:
<system.serviceModel>
...
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
...
</system.serviceModel>
这将启用兼容模式,为您的所有服务在您的应用程序。
This will enable compatibility mode for all your services in your application. You can also enable this on a service by service basis by setting the web.config value and also using the AspNetCompatibilityRequirements attribute on your service class not the interface):
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class FooService: IFooService {
}
当您启用此设置,您可以访问HttpContext.Current(像一个ASP.NET页),它也将强制用户必须进行身份验证访问.svc文件(就像你之前进行身份验证之前,访问任何.aspx文件)。如果您尝试访问.svc文件没有被验证,你使用窗体身份验证,来电将被重定向到默认的登录页面,并成功验证后,将被重定向到.svc文件。
When you enable this setting, you have access to HttpContext.Current (like an ASP.NET page) and it will also enforce that a user must be authenticated before accessing the .svc file (just like you have to be authenticated before accessing any .aspx file). If you try to access a .svc file without being authenticated, and you're using forms authentication, the caller will be redirected to the default login page and, after successful authentication, will be redirected to the .svc file.
这建议作出一些假设:
您的服务在ASP.NET应用程序中; 您正在使用某种类型的ASP.NET的身份验证(如窗体身份验证)来验证用户的凭据,并在cookie中坚持一个确认票据;这个建议,虽然也许不是最安全的还是稳健的,可能是最简单的,至少启动和运行,并确保您的网站到一个合理的程度。
This suggestion, while maybe not the most secure or robust, is probably the simplest to at least get up and running and secure your site to a reasonable degree.
下面是在ASP.NET兼容模式的一个很好的 MSDN库的介绍文章。
Here's a good MSDN library intro article on ASP.NET compatibility mode.
如果这个作品,也许下一步就是寻找到像HMAC认证(这涉及到更多的工作和秘密密钥的协调 - 但它肯定更安全恕我直言)。这里是一个不错的步行通过实现它 - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
If this works, perhaps the next step is to look into something like HMAC authentication (which involves a bit more work and the coordination of secret keys - but it's definitely more secure IMHO). Here's a nice walk-through of implementing it - http://blogs.microsoft.co.il/blogs/itai/archive/2009/02/22/how-to-implement-hmac-authentication-on-a-restful-wcf-service.aspx
我希望这有助于。祝你好运!
I hope this helps. Good luck!!
