avoiding automatic software to control web services?


Problem description

Let's imagine I build a web service, and a client application that calls this web service.

Is there any way to prevent software other than mine from making calls to the web service?

For example, imagine a game where a player can gain some money by clicking on an icon, only available once per hour. If the user is connected, fine. If the user is not connected, he "loses" the time window to get the money.

In a standard web service + client, it would be quite easy for any teenager to build a script/fake app to execute the web service.

How can I avoid that? I know there is no magic solution, but at least, how can I raise the difficulty of writing such tools?

PS: I'm working with the Microsoft .Net platform + Silverlight, but I feel this question is wider than MS technos.

To clarify, I don't ask how to add authentication, but how to avoid a user automating calls to the web services. Nothing prevents a user with an account from using that account to automate the calls; what I want to avoid, for example, is a fake app, with actual authentication, doing something every 5 seconds instead of on user input. In a game, this can avoid farmer robots.

Recommended answer

WCF web service methods can be decorated with security requirements. This includes RIA Services for Silverlight (which are basically just WCF services).

You can require basic authentication, or even that the user must be a member of a specific role to use a specific method.

This does mean, of course, that your application must use authentication (i.e. the user must log in).

Alternatives are to provide your own authentication system (e.g. with tokens), but this still requires the app (at least) to log in to the service first to get a new token.

In answer to your follow-up, robot detection is usually a case of recording the durations between calls, or the average duration, and simply disallowing access if the limits are exceeded (or, if you are really mean, cancelling their account or starting to return garbage data).
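Worked example of the timing-based detection this answer describes, added here for illustration; it is not the answerer's code and the page gives no implementation. It is written in Python rather than the asker's .NET/WCF stack because the logic is platform-independent: the server records the time of each call per account using its own clock (never a client-supplied timestamp, which a fake app could forge), refuses the once-per-hour claim when it comes too early, and blocks an account whose recent calls are either faster than a person could click or too evenly spaced, which is exactly the "every 5 seconds" script from the question. The window size and all thresholds are assumed values, and the regularity check is an extension beyond the answer's plain interval limits.

```python
"""Server-side bot detection for a once-per-hour reward endpoint.

Added example (not from the original answer). Every number below is an
assumed threshold; the only rule the page states is "record the time
between calls and deny access when the limits are exceeded".
"""
import statistics
from collections import defaultdict, deque


class CallMonitor:
    """Tracks per-account call timing on the server.

    All timestamps are server time (float seconds) supplied by the
    service code; the client never reports when it clicked, because a
    fake app could lie about that.
    """

    def __init__(self, min_interval_s=3600.0, window=8,
                 human_floor_s=2.0, max_cv=0.05):
        self.min_interval_s = min_interval_s  # reward can be claimed once per hour
        self.window = window                  # recent calls examined per account
        self.human_floor_s = human_floor_s    # mean gap below this: faster than a person clicks
        self.max_cv = max_cv                  # coefficient of variation below this: metronome-like
        self.last_claim = {}                  # account -> time of last successful claim
        self.calls = defaultdict(lambda: deque(maxlen=window))
        self.blocked = set()

    def claim_reward(self, account, now):
        """Handle one call to the reward method. Returns (allowed, reason)."""
        if account in self.blocked:
            return False, "blocked"
        recent = self.calls[account]
        recent.append(now)
        verdict = self._automation_verdict(recent)
        if verdict is not None:
            # The answer's "disallow access when the limits are exceeded";
            # a harsher policy (cancel account, return garbage) would go here.
            self.blocked.add(account)
            return False, verdict
        last = self.last_claim.get(account)
        if last is not None and now - last < self.min_interval_s:
            return False, "too_early"
        self.last_claim[account] = now
        return True, "ok"

    def _automation_verdict(self, times):
        """Return a reason string if the recent call pattern looks scripted, else None."""
        if len(times) < self.window:
            return None
        seq = list(times)
        gaps = [b - a for a, b in zip(seq, seq[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap < self.human_floor_s:
            return "too_fast"
        # A script firing "every 5 seconds" has almost no jitter; humans do.
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap < self.max_cv:
            return "too_regular"
        return None


def demo():
    """Constructed call timelines: one human-like player and one 5-second script."""
    mon = CallMonitor()
    human = [mon.claim_reward("alice", t)[1] for t in (0.0, 3601.0, 7250.0, 10900.0)]
    script = [mon.claim_reward("carl", 5.0 * i)[1] for i in range(9)]
    return human, script


if __name__ == "__main__":
    print(demo())
```

The once-per-hour state and the call history both live on the server, so a modified client gains nothing by changing its own clock; the script is first held off by "too_early" and, once enough calls have been seen, blocked for its perfectly regular spacing. In production the thresholds would be tuned against real traffic, and the per-account history kept in shared storage rather than process memory.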

