HTTPS-enabled, IIS hosted WCF service, How to secure it?


Problem description


I have built a fairly simple WCF service, which I host on an IIS 7.5 instance. I have gone about the necessary steps to secure an SSL certificate to enable HTTPS. I have resolved all the various DNS settings so I can now hit my WCF at the given https:// URL from the world at large. The goal is this: some sort of client/server authentication for the approximately 5 clients that will be sending data to the service. What is the best approach to securing this service? It is very simple at this point, with only one method. I'm sure there will be some changes to the web.config as well as the code-behind. Examples greatly appreciated.


Here's the Web.config:

<?xml version="1.0"?>
<configuration>

  <appSettings>
    <add key="aspnet:UseTaskFriendlySynchronizationContext" value="true" />
  </appSettings>

  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <httpRuntime targetFramework="4.5"/>
  </system.web>

  <system.serviceModel>

    <services>
      <service name="wcflistener.Service1">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="secureHttpBinding"
                  contract="wcflistener.IService1"/>

        <endpoint address="mex"
                  binding="mexHttpsBinding"
                  contract="IMetadataExchange" />
      </service>
    </services>

    <bindings>
      <basicHttpBinding>
        <binding name="secureHttpBinding">
          <security mode="Transport">
            <transport clientCredentialType="None"/>
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <behaviors>
      <serviceBehaviors>
        <behavior>
          <!-- To avoid disclosing metadata information, set the values below to false before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true"/>
          <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="true"/>
        </behavior>
      </serviceBehaviors>
    </behaviors>

  </system.serviceModel>

  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true"/>
    <!--
    To browse web app root directory during debugging, set the value below to true.
    Set to false before deployment to avoid disclosing web app folder information.
    -->
    <directoryBrowse enabled="true"/>
  </system.webServer>

</configuration>


And the very simple Service1.svc.cs:

using System.Data;
using System.ServiceModel;

namespace wcflistener
{
    // The service contract is declared on the interface; [DataContract] belongs
    // on data classes, not on the service implementation.
    [ServiceContract]
    public interface IService1
    {
        [OperationContract]
        void SampleMethod(DataTable table, string name);
    }

    public class Service1 : IService1
    {
        public void SampleMethod(DataTable table, string name)
        {
            //sample method logic here
        }
    }
}


Recommended answer


With WCF, there are several security options available to you, all having their pros/cons:



  1. SSL + use of Windows Authentication. (This is normally difficult for internet-hosted services, since everybody needs to talk to the same domain controller.)
  2. SSL + username/password: WCF can facilitate this easily, where the client passes in a username/password and the service can verify the values against the pre-configured values and allow the client further.
  3. Certificate-based authentication: typically, clients can be given the public key of your server certificate so that they can call the service using that. This, however, does not identify the client completely; anybody can get your public key.
  4. Mutual certificates, or 2-way SSL: this is when the client has a private key and gives the public key to the service, and vice versa, i.e. the service gives its public key to the client.


It depends on what level of authentication you need. For very few clients, username/password is sufficient. (There is always the risk of losing those.)


For major clients, 2-way SSL is pretty secure, since people don't lose private keys so easily.


Depending on your choice, further code samples can be shared.


For option #, follow this link. (You can use your SSL certificate in the steps below.)

http://codebetter.com/petervanooijen/2010/03/22/a-simple-wcf-service-with-username-password-authentication-the-things-they-don-t-tell-you/
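As an added example (not code from the question or the answer above), here are the server-side validators that options 2 and 4 of the answer hang on, written for the `wcflistener` service from the question. WCF only takes care of transporting the credential; what the service accepts is decided by a `UserNamePasswordValidator` (option 2, SSL + username/password) or an `X509CertificateValidator` (option 4, mutual certificates). The appSettings key names (`<user>.salt`, `<user>.hash`) and the thumbprints in the allow list are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

namespace wcflistener
{
    // Option 2: SSL + username/password. WCF instantiates this class (named in
    // web.config via customUserNamePasswordValidatorType) and calls Validate()
    // for every message that carries a UserName token.
    public class ConfiguredUserValidator : UserNamePasswordValidator
    {
        private const int Iterations = 100000;
        private const int HashBytes = 32;

        public override void Validate(string userName, string password)
        {
            if (userName == null || password == null)
                throw new SecurityTokenException("Missing credentials");

            // Expected values are read from appSettings (assumed key names):
            //   client1.salt = <base64 salt>, client1.hash = <base64 PBKDF2 output>
            // so no plaintext password has to be stored on the server.
            string salt = ConfigurationManager.AppSettings[userName + ".salt"];
            string hash = ConfigurationManager.AppSettings[userName + ".hash"];
            if (salt == null || hash == null)
                throw new SecurityTokenException("Invalid credentials");

            byte[] expected = Convert.FromBase64String(hash);
            byte[] actual = HashPassword(password, Convert.FromBase64String(salt));

            // Same error text for unknown user and wrong password, so the
            // response does not reveal which usernames exist.
            if (!FixedTimeEquals(expected, actual))
                throw new SecurityTokenException("Invalid credentials");
        }

        // Run once per client when provisioning; store the salt and the returned
        // hash (both base64) in appSettings.
        public static byte[] HashPassword(string password, byte[] salt)
        {
            using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
                return kdf.GetBytes(HashBytes);
        }

        public static byte[] NewSalt()
        {
            var salt = new byte[16];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(salt);
            return salt;
        }

        // Compare every byte so the time taken does not depend on where the
        // first mismatch is.
        private static bool FixedTimeEquals(byte[] a, byte[] b)
        {
            if (a.Length != b.Length) return false;
            int diff = 0;
            for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
            return diff == 0;
        }
    }

    // Option 4: mutual certificates (2-way SSL). IIS negotiates the client
    // certificate at the TLS layer; this validator then accepts only the
    // certificates issued to the few known clients, identified by thumbprint,
    // so a certificate from some other CA the server trusts is still rejected.
    public class KnownClientCertificateValidator : X509CertificateValidator
    {
        // Constructed placeholder thumbprints; replace with the real clients' values.
        private static readonly HashSet<string> AllowedThumbprints =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "0000000000000000000000000000000000000001",
                "0000000000000000000000000000000000000002"
            };

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null)
                throw new SecurityTokenValidationException("No client certificate");

            if (!AllowedThumbprints.Contains(certificate.Thumbprint))
                throw new SecurityTokenValidationException(
                    "Client certificate is not in the allow list: " + certificate.Subject);

            // Still require a valid, unexpired chain with a revocation check;
            // the thumbprint match alone would accept a revoked certificate.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(certificate))
                throw new SecurityTokenValidationException("Client certificate chain is invalid");
        }
    }
}
```

To wire option 2 into the question's web.config, the `secureHttpBinding` changes to `<security mode="TransportWithMessageCredential"><message clientCredentialType="UserName"/></security>` (the password still travels only inside the TLS connection), and the service behavior gets `<serviceCredentials><userNameAuthentication userNamePasswordValidationMode="Custom" customUserNamePasswordValidatorType="wcflistener.ConfiguredUserValidator, wcflistener"/></serviceCredentials>`. For option 4 the binding keeps `mode="Transport"` with `<transport clientCredentialType="Certificate"/>`, IIS is set to require client certificates on the site's SSL settings, and the validator is registered under `<serviceCredentials><clientCertificate><authentication certificateValidationMode="Custom" customCertificateValidatorType="wcflistener.KnownClientCertificateValidator, wcflistener"/></clientCertificate></serviceCredentials>`. In both cases also turn off `httpGetEnabled`, `includeExceptionDetailInFaults` and `directoryBrowse` before deployment, as the comments in the config already say.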
