使用不带SSL的基本身份验证来保护WCF服务 [英] Secure WCF Service with basic authentication without SSL and all

问题描述

嗨专家，



我是WCF的新手，现在就学习。



我想要保护从客户端发送用户名和密码的基本WCF服务。我在Web上看到的每一个例子都被大量的配置和模糊的错误SSL证书等等所困扰......



也给了我一些正确的配置配置的步骤文件。



我不介意加密凭证，因为它不是安全关键服务。我只需要发送用户名和密码就只需要一般的保护形式，如果它是正确的，服务必须回复别的错误消息，这就是所有..



谢谢你提前。

Hi experts,

I am new to WCF, learning right now.

I want to protect a basic WCF service sending username and password from the client. With every example I saw on the Web i'm stuck behind huge configurations and obscure errors SSL certificates etc...

also give me some proper steps to configure the configuration file.

I do not mind encrypting credential because it won't be a security critical service. I require only a general form of protection by just sending username and password, if it is correct the service has to reply else an error message thats all..

Thanks in advance.

推荐答案

如果您正在进行任何类型的生产就绪服务，那么需要进行身份验证，它确实应该通过SSL。原因是因为即使您加密用户名&密码（无论您是否通过SSL传输，都应该这样做）。如果没有SSL，您就会对MIM攻击敞开大门。从本质上讲，攻击会窃听您的对话，捕获并保存加密的用户名&密码。现在，攻击者无需担心解密所有需要担心的值，即发送加密的用户名&每个后续恶意请求的密码。



如果您在自己的开发服务器上本地测试东西，您可以创建自己的自签名SSL

用于测试目的的证书。



在最基本的水平上你可以做到这一点。



自定义用户名和密码验证器



但是，如果没有使用SSL正确保护，请不要在网上部署内容。也不要尝试自己加密。

If you're doing any type of production ready service, that requires authentication then, it really should be over SSL. The reason being, is because even if you encrypt a username & password (which you should do whether you're transmitting over SSL or not). Without SSL you're wide open for a MIM attack. Essentially, an attack would eavesdrop on your conversation, capture and save the encrypted user name & password. Now the attacker doesn't need to worry about decrypting the values all they need to worry about is sending the encrypted user name & password with every subsequent malicious request.

If you're testing stuff out locally on your own dev server you can create you own self signed SSL
certificate for testing purposes.

At the most basic level you could just do this.

Custom User Name and Password validator

However please don't deploy something on the net without properly securing it with SSL. Also don't try to role your own encryption.

这篇关于使用不带SSL的基本身份验证来保护WCF服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！