我正在连接ASP.NET应用程序中的WCF服务。我正在使用一个用户名和密码登录,并在邮件头中传递whoevever的实际用户名登录到ASP.NET Web应用程序,如下所示。
using (OperationContextScope scope = new OperationContextScope(myService2.InnerChannel))
{
Guid myToken = Guid.NewGuid();
MessageHeader<string> messageHeader = new MessageHeader<string>(HttpContext.Current.User.Identity.Name);
MessageHeader untyped = messageHeader.GetUntypedHeader("token", "ns");
OperationContext.Current.OutgoingMessageHeaders.Add(untyped);
lblResult.Text = myService2.GetData(1231);
}
我也在使用服务证书,如下所示
<serviceCredentials>
<serviceCertificate findValue="CN=tempCert" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
</serviceCredentials>
我担心的是,是否有足够的保护来阻止人们获取存储在邮件标题中的用户名?
ASP.NET配置
<system.serviceModel>
<behaviors>
<endpointBehaviors>
<behavior name="NewBehavior">
<clientCredentials>
<serviceCertificate>
<authentication revocationMode="NoCheck"/>
</serviceCertificate>
</clientCredentials>
</behavior>
</endpointBehaviors>
</behaviors>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpoint" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
<reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false"/>
<security mode="Message">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="UserName" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true"/>
</security>
</binding>
</wsHttpBinding>
</bindings>
<client>
<endpoint address="http://localhost/WCFTestService/Service.svc" behaviorConfiguration="NewBehavior" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpoint" contract="WCFTestService.IService" name="wsHttpEndpoint">
<identity>
<certificate encodedValue=""/>
</identity>
</endpoint>
</client>
</system.serviceModel>
并在服务方面
<system.serviceModel>
<bindings>
<wsHttpBinding>
<binding name="wsHttpEndpointBinding">
<security>
<message clientCredentialType="UserName" />
</security>
</binding>
</wsHttpBinding>
</bindings>
<services>
<service behaviorConfiguration="ServiceBehavior" name="Service">
<endpoint address="" binding="wsHttpBinding" bindingConfiguration="wsHttpEndpointBinding"
name="wsHttpEndpoint" contract="IService">
<!--<identity>
<dns value="" />
</identity>-->
</endpoint>
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
</service>
</services>
<behaviors>
<serviceBehaviors>
<behavior name="ServiceBehavior">
<serviceMetadata httpGetEnabled="true" />
<serviceDebug includeExceptionDetailInFaults="false" />
<serviceCredentials>
<serviceCertificate findValue="CN=tempCert" />
<userNameAuthentication userNamePasswordValidationMode="MembershipProvider"
membershipProviderName="MySqlMembershipProvider" />
</serviceCredentials>
</behavior>
</serviceBehaviors>
</behaviors>
答案 0 :(得分:2)
最大的问题是:您的绑定是否启用了任何类型的传输级别或消息级安全性?你使用什么约束力?
如果您有传输级别的安全性(通常通过使用HTTPS over SSL),那么您将拥有一个我认为非常安全的点对点加密传输通道。
如果您在客户端上使用证书也具有消息级安全性,并且您确实加密了整个消息,那么您也应该是安全的。
它实际上归结为您正在使用的绑定以及您在该绑定上使用的安全设置。向我们展示服务器的配置!
马克