有没有办法限制对 ASMX Web 服务的访问,即 asmx 页面及其 WSDL? [英] Is there a way to restrict access to an ASMX Webservice, i.e. the asmx page and its WSDL?
问题描述
我有一个需要限制访问的 C# .net web 服务.我已经要求我的消费者使用用户名和密码来调用服务.但是,有没有办法限制对实际 asmx 页面和 WSDL 的访问?我需要通过用户名/密码和 IP 地址来限制对网络服务的访问.如果用户没有正确的凭据,我不希望他们知道网络服务中存在哪些网络方法.
I have a C# .net webservice that I need to restrict access to. I already require my consumers to use a username and password to call the service. But, is there a way to restrict access to the actual asmx page and the WSDL? I would need to restrict access to the webservice by username/password and IP address. If a user did not have the correct credentials, I would not want them to know what webmethods exist in the webservice.
这可以通过 IIS 完成吗?我知道我可以通过 IIS 限制 IP 地址,但我也可以使用用户名/密码吗?
Can this be done though IIS? I know that I can restrict IP addresses through IIS, but can I also use usernames/passwords?
在 IIS 之外有没有其他方法可以做到这一点,也许使用 C#.net?
Is there any other way to do this outside of IIS, maybe using C#.net?
推荐答案
好吧,既然是 ASMX,您就可以使用整个 ASP.NET 运行时堆栈.
Well, since it's ASMX you have the entire ASP.NET runtime stack at your disposal.
为您想要保护的资源应用
Apply a <location> tag for the resources you want secured. Assuming it's a single ASMX file you can simply do the following in your web.config:
<location path="MyWebService.asmx">
<system.web>
<!-- resource specific options will go here -->
</system.web>
</location>
第 2 步 - 验证您的用户
您需要决定实际如何对用户进行身份验证.有多种方法可以做到这一点,并且您可以利用多种身份验证标准.您需要选择适合您的方法.
Step #2 - authenticating your users
You need to decide how you're actually going to authenticate users. There are several ways to do this and several authentication standards you could leverage. You need to pick the approach that's the right fit for you.
如果您在 Intranet 上并使用 Windows 身份验证,我强烈建议您利用它,因为它确实是最简单的设置选项.但是,如果您的服务是通过 Internet 访问的,那么 Windows 身份验证并不是一个真正的选项,您需要从 Web 标准中进行选择.其中最简单的是基本身份验证,但您应该只使用它通过 SSL,因为用户名/密码未加密(仅 base64 编码).下一步是 Digest authentication 不需要 SSL,因为用户名/密码是使用 MD5 哈希发送.最终,您可以使用 SSL v3,您可以在其中向您的每个用户颁发特定的客户端证书.API.
If you're on an intranet and are using Windows authentication I would highly suggest leveraging that because it's truly the simplest option to get setup. However, if your services are being accessed over the internet then Windows authenticatio is not really an option and you need to choose from a web standard. The simplest of those is Basic Authentication, but you should only use this over SSL since the username/password are not encrypted (only base64 encoded). The next step up from that is Digest authentication which doesn't require SSL because the username/password are sent using an MD5 hash. For the ultimate you can go with SSL v3 where you issue a specific client certificate to each user of your API.
现在,您为安全选择的选项决定了还需要做什么.如果您选择 Windows 安全性,只需将以下元素添加到我们在第 1 步开始的 <system.web> 元素中即可:
Now, which option you select for security dictates what else needs to be done. If you choose Windows security, it's as easy as adding the following element to the <system.web> element we started with in Step #1:
<authentication mode="Windows" />
其余的安全协议需要做更多的工作.ASP.NET 不提供对 Basic、Digest 或 SSL v3 的内在支持.从技术上讲,您可以利用 IIS 为您执行此类身份验证,但它始终会映射到 Windows 用户.如果这是您的选择,那么只需保留 <authentication mode="Windows"/> 元素并相应地配置 IIS.但是,如果这不是一个选项,或者因为您根本无法控制 IIS/ActiveDirectory 或者您需要针对自定义用户数据库进行身份验证,那么这意味着您需要连接自定义 HttpModule 以提供对这些安全性的支持协议.
The remainder of the security protocols are going to require a little more work. ASP.NET doesn't provide intrinsic support for Basic, Digest or SSL v3. Technically you can leverage IIS to do this type of authentication for you, but it's always going to map to a Windows user. If that's an option for you, then simply leave the <authentication mode="Windows" /> element and configure IIS accordingly. If, however, that is not an option, either because you simply have no control over IIS/ActiveDirectory or you need to authenticate against a custom user database, then that means that you need to hook up a custom HttpModule to provide support for these security protocols.
保护资源的最简单方法基本上就是说:不要让任何没有以某种方式成功通过身份验证的人进入这个资源".这是使用以下授权配置完成的:
The simplest approach to securing the resource is to basically say: "don't let anyone who hasn't successfully authenticated in some way into this resource". This is done using the following authorization configuration:
<authorization>
<deny users="?" />
</authorization>
如果您只想允许某些用户,您可以改为执行以下操作:
If you wanted to only allow certain users you could change to do the following instead:
<authorization>
<deny users="*" />
<allow users="jdoe, msmith" />
</authorization>
另一种方法是定义角色(组)并将资源锁定到一个特殊角色,您可以将要访问资源的用户放入该角色.
Another approach is to define roles (groups) and simply lock the resource down to a special role which you put the users who you want to access the resource into.
<authorization>
<deny users="*" />
<allow roles="My Service Users" />
</authorization>
这很好地映射到 Windows 身份验证,因为您只需设置一个 Windows 组并让您的 MIS 团队使用 ActiveDirectory 管理该组中的哪些用户.但是,假设您使用的安全实现通过其 IPrincipal 实现公开角色,该功能也适用于非 Windows 身份验证.
This maps well to Windows authentication because you can just setup a Windows group and let your MIS team manage which users are in that group using ActiveDirectory. However, the feature also works just fine for non-Windows authentication assuming the security implementation you've used exposes roles via its IPrincipal implementation.
这篇关于有没有办法限制对 ASMX Web 服务的访问,即 asmx 页面及其 WSDL?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
