Web服务的客户端授权

时间:2009-02-10 09:28:35

标签: web-services authorization

如何授权客户端(在这种情况下客户端是应用程序)在.NET中使用Web服务,

例如: 我想要第三个应用程序来调用方法但不允许网络中的其他应用程序调用此方法。

我想避免传输层授权并使用基于消息的授权。

2 个答案:

答案 0 :(得分:1)

最简单(也是最“便携”)的事情就是使用HTTP Authentication

答案 1 :(得分:1)

您应该查看WS-Security和WS-Policy标准。最好的方法是让客户端应用程序签署所有请求(使用私钥)并在服务器端检查此签名。

我们使用这样的设置,在WSDL中使用以下WS-Policy定义:

<!--Endpoint Policy-->
<wsp:Policy wsu:Id="Endpoint_policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>

      <sp:AsymmetricBinding
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token
                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>

          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token
                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>

          <sp:AlgorithmSuite>
            <wsp:Policy>
              <!-- sp:Basic256/-->
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>

          <sp:Layout>
            <wsp:Policy>
              <sp:Lax />
            </wsp:Policy>
          </sp:Layout>

        </wsp:Policy>
      </sp:AsymmetricBinding>

      <sp:Wss10
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<!--End of Endpoint Policy-->

<!--Message Policy1-->
<wsp:Policy wsu:Id="Sign_message_policy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wsp:ExactlyOne>
    <wsp:All>

      <sp:SignedParts
         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>

    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<!--End of Message Policy1-->

然后,您可以在WSDL的绑定部分中引用这些策略。例如:

  <binding name="ExampleServiceSOAP" type="foobar:ExampleServicePort">
    <!-- WS-Security -->
    <wsp:PolicyReference URI="#Endpoint_policy" />
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="getSomething">
      <soap:operation soapAction="getSomething" style="document"/>
      <input>
        <!-- WS-Security -->
        <wsp:PolicyReference URI="#Sign_message_policy" />
        <soap:body use="literal"/>
      </input>
      <output>
        <soap:body use="literal"/>
      </output>
    </operation>
  </binding>
相关问题
最新问题