Strategies to secure a WCF service, returning Json data requested by jQuery


Problem description

I'm having a hard time getting my head around this, and Google just isn't being helpful.

I'm looking at converting some legacy code to use the following technologies: ASP.NET, WCF, jQuery.

The ASP.NET conversion isn't an issue, nor is accessing the WCF service for data, on the server-side.

However, what I'm having an issue with is potentially being able to secure the service so that I can return JSON-formatted data, requested via jQuery on the client-side, but lock it down to prevent external access.

For this particular implementation, it's not that big of a deal, since the ... quasi-Ajax-like functionality has been in place for quite a while, and there hasn't been abuse.

But, once this project is complete, I'd like to take what I've learned and convert another form, which is often abused, and allow for a slicker display.

If I want to do client-side calls to a Web service, am I stuck making my Web service open to anonymous access?

Short of securing the Web interface down to a specific subset of users (I see no issue with securing the added functionality to logged-in users), are there any other strategies on securing a Web service in this scenario? Am I just overlooking something obvious?

Recommended answer

Require an authenticated session for both the server-side page and its caller via Ajax, with both behind HTTPS.

Another strategy is to use a token that is bound to the session during the last page load to confirm that the session itself has not been hijacked. This is done when the client loads the page. The server tracks what the next token must be to confirm a valid request.
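One way to realise the answer's second strategy in C#, added here as an illustration and not code from the question, the answer or any WCF library; the class, method and session names are assumed:

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Constructed example of the "next expected token" scheme: the page calls IssueToken for
// the user's session when it renders and embeds the token for jQuery to send with each
// call; the WCF operation calls ValidateAndRotate first and returns the new token.
public static class RequestTokenStore
{
    // sessionId -> the one token accepted on that session's next call (in ASP.NET,
    // this belongs in Session state rather than a static map).
    private static readonly ConcurrentDictionary<string, byte[]> NextExpected =
        new ConcurrentDictionary<string, byte[]>();

    public static string IssueToken(string sessionId)
    {
        var token = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(token);
        NextExpected[sessionId] = token;
        return Convert.ToBase64String(token);
    }

    // Returns the token for the next request, or null if the presented one is missing,
    // malformed, wrong or already used. The expected token is consumed on every attempt,
    // so a captured token cannot be replayed and a wrong guess forces a page reload.
    public static string ValidateAndRotate(string sessionId, string presented)
    {
        byte[] expected, given;
        if (!NextExpected.TryRemove(sessionId, out expected)) return null;
        try { given = Convert.FromBase64String(presented ?? ""); }
        catch (FormatException) { return null; }
        return FixedTimeEquals(expected, given) ? IssueToken(sessionId) : null;
    }

    // Compares without exiting early, so timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string t1 = IssueToken("session-A");            // page load, constructed session id
        string t2 = ValidateAndRotate("session-A", t1); // first Ajax call succeeds, rotates
        bool replayRejected = ValidateAndRotate("session-A", t1) == null;
        bool otherSessionRejected = ValidateAndRotate("session-B", t2) == null;
        Console.WriteLine("{0} {1} {2}", t2 != null, replayRejected, otherSessionRejected);
    }
}
```

The token only adds value on top of the authenticated session and HTTPS from the first strategy, since the session cookie is what ties the token to a user. Two Ajax calls in flight at once from the same page will race for the single expected token, so the client must serialise its calls or the server must accept a small window of recent tokens.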
