如何避免使用来自未知客户端的 WCF 服务 [英] How to avoid use a WCF service from unknown client
问题描述
我正在开发一个 Windows 窗体应用程序,该应用程序使用由我开发的 WCF 服务,该服务托管在 Internet 付费托管上.
I'm developing a windows forms application that use a WCF service developed by me hosted on internet paying hosting.
在我的 WCF 服务上,我有一些 OperationContracts 来为 Windows 表单客户端提供一些功能.如果我在 Windows 窗体客户端中设置了一个指向我的 WCF 服务的新服务引用,我可以使用该 OperationContracts.到这里没有问题.
On my WCF service i have some OperationContracts to provide some funcionallity to Windows forms client. If i set a new service reference pointing to my WCF service in my Windows forms client i can use that OperationContracts. No problems up to here.
如果有人知道"我的 WCF 服务的地址,那么任何人都可以在他/她的自己的"客户端应用程序中使用我的自己的"WCF 服务.
If someone 'knows' the address to my WCF service, anyone can use my 'own' WCF service in his/her 'own' client application.
使用像 Wireshark 这样的工具来检索 WCF 服务 url 非常简单.
Using a tool like a Wireshark its really simple to retrieve the WCF service url.
所以,我的问题是……有某种保护措施可以避免这种情况吗?我不希望其他客户"使用我自己的 WCF 服务.
So, my question...There is some kind of protection for avoiding that? I don't want that 'other clients' to use my own WCF service.
PS:不能在我的付费主机上使用 SSL 证书.
PS: can not use SSL certificates on my paying hosting.
推荐答案
不能 100% 确定这就是您要查找的内容,即使是我也建议实施某种授权,但您可以通过在服务的配置文件中将 httpGetEnabled 属性设置为 false 来禁用服务的 WSDL:
Not 100% sure this is what you're looking for, and even if it is I'd recommend implementing some kind of authorization as well, but you can disable the WSDL for the service by setting the httpGetEnabled attribute to false in the service's config file:
<behaviors>
<serviceBehaviors>
<behavior name="MyServiceBehavior">
<serviceMetadata httpGetEnabled="false" />
</behavior>
</serviceBehaviors>
</behaviors>
这将禁用 WSDL 的发布(至少据我所知).因此,将服务引用添加到您的应用程序,然后将值设置为false".即使有人嗅探到您的服务地址,他们也无法拉取 WSDL 来生成代理.
This will disable publishing of the WSDL (at least as I understand it). So add the service reference to your application, and then set the value to "false". Even if someone sniffs your service address, they won't be able to pull the WSDL to generate a proxy.
编辑
澄清一下,将上面的属性设置为 false 不会隐藏服务 URL - 它只是禁用 WSDL.任何知道您的服务 URL 但没有有代理的人都需要 WSDL 来生成代理.httpGetEnabled="false" 阻止提供 WSDL,从而阻止生成代理.
To clarify, setting the attribute above to false does not hide the service URL - it simply disables the WSDL. Anybody who knows your service URL but does NOT have a proxy would need the WSDL to generate the proxy. httpGetEnabled="false" prevents the WSDL from being served, thereby preventing generation of a proxy.
由于您无法在托管站点上使用 SSL 证书,因此自定义用户名验证器(甚至使用消息作为传输模式)似乎不是一个选项,因为 WCFWCF 强制使用 UserName 凭据时传输是安全的."(请参阅<wsHttpBinding> 例如),我可以为您看到的唯一其他选项是使用安全令牌服务(STS).
Since you cannot use an SSL certificate on your hosting site, a custom user name validator (even using message as the transport mode) appears to not be an option, because WCF "WCF enforces that the transport is secured when using UserName credentials." (see <message> element of <wsHttpBinding> for example), about the only other option I can see for you would be to use a Security Token Service (STS).
最后一个选择是将服务放在专用网络上,但这可能会破坏您想要完成的工作,具体取决于您的要求.
A final option would be to put the service on a private network, but that might defeat what you're trying to accomplish, depending on your requirements.
另一个最后的选择(我猜这使它不是最后的选择)是转移到一个确实允许您使用 SSL 的托管站点.
Another final option (which makes it not a final option, I guess) would be to move to a hosting site that does allow you to use SSL.
对于 STS,您可以查看 Windows Identity Foundation,与 .NET 4.5 完全集成.如果您使用的是早期版本的 .NET,您可以查看 WCF Security Token服务.
For an STS, you can take a look at Windows Identity Foundation, which is fully integrated with .NET 4.5. If you're using an earlier version of .NET, you can look at WCF Security Token Service.
这篇关于如何避免使用来自未知客户端的 WCF 服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
