Web service token authentication


Problem description




Hi,

Now, I am facing difficulties with web service authentication. The client requests the web service. Firstly, the client needs to log in with a user name and password. Then, the server will give the token (random/datetime/randomcode) back to access the web service. The client can request the web service with the token key. The web service needs to authenticate the token, whether it is correct or not.
Now, the following is my code. But I don't know how to continue adding the code from the Code Project's web service authentication article. Please help me!

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
using System.Text;

namespace AuthWebApplication
{
    using System.Security.Cryptography;

    /// <summary>
    /// Summary description for WebService1
    /// </summary>
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    [System.ComponentModel.ToolboxItem(false)]
    // To allow this Web Service to be called from script, using ASP.NET AJAX, uncomment the following line.
    // [System.Web.Script.Services.ScriptService]
    public class WebService1 : System.Web.Services.WebService
    {
        public WebService1()
        {
            //Uncomment the following line if using designed components
            //InitializeComponent();
        }
        //public AuthHeader SoapAuthentication;

        [WebMethod(Description = "A sample Web Method to demonstrate a simple web Service Authentication using SOAP Headers")]
        public string SampleWebMethod(string Username, String Password)
        {
            // Demo check against a fixed user name and password
            if (Username == "demo" && Password == "123")
            {
                return Username + " is an Authenticated User to access the Web Method";
            }
            else
            {
                return "Access Denied for " + Username;
            }
        }
    }
}






Best regards,
Wai Mar Khaing

Recommended answer

Do web services support a session? That would be the easiest, but I don't think they do.

The simplest option is simply to maintain a list of valid tokens and their last use (so you can expire them like web sessions). When you issue a token, add it to the list; whenever a service operation is called (or on a timer in a background thread, it doesn't really matter much), check if any tokens need to be taken off the list because they've expired; and, obviously, if you provide a logout method, the token that is logged out should be removed.

You can also bind tokens to an IP address, if they are designed to be short-lifetime, which prevents session hijacking but means that dynamic IP users might lose their token.
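
The token list described in the answer above, sketched as an added example (not code from the original question or answer). TokenStore and its members are hypothetical names; generating the token from the cryptographic random number generator rather than from a date/time value is a choice made here, and the time is passed in so the expiry logic can be exercised directly.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper, not from the original post: in-memory list of valid tokens.
public sealed class TokenStore
{
    private sealed class Entry { public string User, ClientIp; public DateTime LastUsedUtc; }

    private readonly ConcurrentDictionary<string, Entry> _tokens =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _idleTimeout;

    public TokenStore(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    // Call only after the user name / password check has succeeded.
    // Pass clientIp = null to issue a token that is not bound to an address.
    public string Issue(string user, string clientIp, DateTime nowUtc)
    {
        var bytes = new byte[32];                        // 256 unpredictable bits
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        _tokens[token] = new Entry { User = user, ClientIp = clientIp, LastUsedUtc = nowUtc };
        return token;
    }

    // Returns the user name for a valid token, or null when the token is
    // unknown, expired, or presented from a different address than it was issued to.
    public string Validate(string token, string clientIp, DateTime nowUtc)
    {
        Entry e, removed;
        if (token == null || !_tokens.TryGetValue(token, out e)) return null;
        lock (e)
        {
            if (nowUtc - e.LastUsedUtc > _idleTimeout)
            {
                _tokens.TryRemove(token, out removed);   // expired: take it off the list
                return null;
            }
            if (e.ClientIp != null && e.ClientIp != clientIp) return null;
            e.LastUsedUtc = nowUtc;                      // sliding expiry, like a web session
            return e.User;
        }
    }

    // Logout: the token stops working immediately.
    public bool Revoke(string token)
    {
        Entry removed;
        return token != null && _tokens.TryRemove(token, out removed);
    }
}
```

Each protected web method would call Validate first and refuse the request when it returns null. Tokens that are never presented again stay in the dictionary, which is what the timer-based sweep mentioned in the answer is for.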

