我正在创建一个主机/客户端样式,它使用WCF及其wsHttpBinding将客户端传送到运行主机的服务器,我想提供某种安全性或验证,所以我有这个,我想知道它有多好或多么安全是
服务库中的每个方法都有一个USERNAME和PASSWORD变量,它们都必须填充一个值,该值由客户端使用SHA512哈希算法进行哈希处理。因此,方法的用户名,密码和任何其他参数将被发送到服务器,服务器将针对散列的用户名和密码数据库检查散列的用户名和密码,以查看是否找到匹配项。如果它匹配则返回客户端请求的数据但如果它不匹配则返回错误或消息并且不发回数据。下面是使用此“安全性”的方法剪切的代码:
// The USERNAME and PASSWORD parameter values have been hashed by the client before
[OperationContract]
string SayHello(string USERNAME, string PASSWORD, string name)
//-------------------------------------------------------------------
public string SayHello(string USERNAME, string PASSWORD, string name)
{
if (USERNAME == "username" & PASSWORD == "password")
{ return string.Format("Hello, {0}!", name); }
else { return "Invalid credentials, method aborted"; }
}
这是验证'来电'的良好安全方法吗?它更多的是检查他们有一个帐户而不是安全,但我认为它可能是相当安全的。您如何看待,它有多安全或多么好,但更重要的是,它如何被黑客或其他方法打破?
答案 0 :(得分:1)
本文应该对您有所帮助:How to: Authenticate with a User Name and Password。
WSHttpBinding userNameBinding = new WSHttpBinding();
userNameBinding.Security.Mode = SecurityMode.Message;
userNameBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
svcHost.AddServiceEndpoint(typeof(IService1), userNameBinding, "");
...
string username;
string password;
// Instantiate the proxy
Service1Client proxy = new Service1Client();
// Prompt the user for username & password
GetPassword(out username, out password);
// Set the user’s credentials on the proxy
proxy.ClientCredentials.UserName.UserName = username;
proxy.ClientCredentials.UserName.Password = password;
// Treat the test certificate as trusted
proxy.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
System.ServiceModel.Security.X509CertificateValidationMode.PeerOrChainTrust;
// Call the service operation using the proxy