保护远程AJAX方法调用 [英] Securing a remote ajax method call
问题描述
我有codeD一些JavaScript到一个asp.net应用程序中执行一个Ajax调用。这会触发调用一个URL,在POST发送一些参数的方法。
I have coded some JavaScript to perform an ajax call in an asp.net application. This triggers a method that calls a URL, sending some parameters in the POST.
接收页处理数据,并更新我们的数据库。
The receiving page processes the data and updates our database.
我们将提供这个code给客户,让他们给我们,我们需要他们的结账过程中每笔交易的数据。
We will be providing this code to customers to allow them to send us the data we need in their checkout process for each transaction.
谁能告诉我,如果有一种方法,以prevent未经授权的访问这个网址是什么?否则的不法开发人员可以使用此URL将数据添加到数据库时,他们不应该。
Can anyone tell me if there is a way to prevent unauthorized access to this URL? Otherwise an unscrupulous developer could use this URL to add data to our database when they shouldn't be.
感谢您的指点。
这里的问题是,我将提供code为我们的客户,他们将被添加到他们的网站。所以,我没有他们的执行任何操作要复杂得多增加的code几行到他们的网站的选项。
The issue here is that I will be providing the code to our customers and they will be adding it to their website. So I don't have the option of them performing anything much more complex than adding a few lines of code to their site.
在code不过,需要进行数据的发送到我们的服务器,不知何故安全?
The code though, needs to perform a sending of data to our server, somehow securely?
这是一个不可能的方案,或我需要执行已经发生了处理后的某种审计?
Is this an impossible scenario or would I need to perform some sort of auditing after the processing has occurred?
感谢大家对一些很好的建议。
Thank you everyone for some good suggestions.
推荐答案
您可以使用SOAP传递一个用户名/密码的请求。 SSL应该用于通过线路的数据进行加密。下面是我们使用一些code:
You can use SOAP to pass a username/password with the request. SSL should be used to encrypt the data going over the wire. Here is some code that we use:
这是一类,将认为发送该请求的凭据:
This is a class that will hold the Credentials that are sent with the request:
Imports System.Web.Services.Protocols
Public Class ServiceCredentials
Inherits SoapHeader
Private _userName As String
Public Property UserName() As String
Get
Return _userName
End Get
Set(ByVal value As String)
_userName = value
End Set
End Property
Private _password As String
Public Property Password() As String
Get
Return _password
End Get
Set(ByVal value As String)
_password = value
End Set
End Property
Public Sub New()
End Sub
Public Sub NewUserInfo(ByVal ServiceUser As String, ByVal ServicePassword As String)
Me.UserName = ServiceUser
Me.Password = ServicePassword
End Sub
属性添加到您的Web服务的定义:
Add an attribute to the definition of your Web Service:
<WebMethod()> _
<SoapHeader("CredentialsHeader")> _
Function MyWebMethod(ByVal paremetersPassed as String)
'check permissions here
If PermissionsValid(CredentialsHeader) then
'ok!
.......
else
'throw a permission error
end if
End Function
,然后从那里,只需创建一个函数(在我的例子,PermissionsValid)来检查的权限:
And then from there, just create a function (in my example, PermissionsValid) to check the permissions:
Function PermissionsValid(byval Credentials as ServiceCredentials) as boolean
'check Credentials.Username and Credentials.Password here and return a boolean
End Function
这可能看起来像一堆的工作,但这样一来,当他们发送一个请求,你可以检查它针对数据库或任何你想要的东西。您也可以关闭用户名轻松地在你结束。
This may seem like a bunch of work, but this way, when they send a request, you can check it against a database or whatever else you want. You can also turn off a username easily at your end.
有一个更简单的方法是限制允许打服务页面的IP地址。但是,那么您在使用IP地址的变化等问题。
A simpler way would be to restrict the IP addresses that are allowed to hit the service page. But, then you run into issues with IP addresses changing, etc.
顺便说一句,这在很大程度上是类型化的,像我一样的岗位,所以你可能需要检查在code,以确保它编译。 :)
BTW, much of this was typed as I did the post, so you may need to check over the code to make sure it compiles. :)
这篇关于保护远程AJAX方法调用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
