我如何锁定一个.NET 4.0 WCF数据服务 [英] How do I lock down a .net 4.0 WCF Data Service

问题描述

我已经发表了约2个月WCF数据服务。这是100％已经被黑客入侵。我甚至发现发表在Twitter上的服务！

I've had a WCF Data service published for about 2 months. It's 100% been hacked already. I even noticed the service published on twitter!

幸运的是，我的网站正在开发和用户实体只有约80 beta测试。

Luckily my site was under development and the user entity was only about 80 beta testers.

不过，这是一个pretty的大问题。随着EF导航属性的人的力量可以很容易地编写一个脚本来下载所有的用户数据，并且没有其他人有我珍贵的域数据。我想提供非认证访问并做这样的事情：

Still this is a pretty big problem. With the power of E.F. Navigation properties anyone can easily write a script to download all my user data and my valuable domain data that no-one else has. I want to provide non-authenticated access and do things like:

1. 限制哪些列得到暴露（如用户的电子邮件）
2. 限制要求每天可能的编号（例如10％的请求主机地址）
3. 当有人误用服务通知
4. 限制设置的结果，并扩大在不同实体集选项
5. 的东西我还没有想过

这是否有道理还是我应该放弃WCF数据服务 - 这在理论上听起来不错，但现在我已经得到了他们我不知道，如果他们的发展，而不是生产刚刚好经验（他们种的胖比我期待）。

Does this make sense or should I drop WCF Data Services - which in theory sounded great, but now that I've got experience with them I'm wondering if they are just good for development and not production (they're kind of fatter than I was expecting).

思想超越我的知识和建议，在这里将大大AP preciated。

Thoughts that go beyond my knowledge and suggestions here will be greatly appreciated.

也张贴到彻底的博客文章的例子或视频presentation覆盖地面的任何链接都将是优秀的！

Also posting any links to thorough blog post examples or video presentation that cover ground would be excellent!

推荐答案

我觉得你需要实现一些认证。有没有其他办法，我能想到的锁定的Web服务。这是WCF的优势之一 - 它使实现复杂的认证很容易

I think you need to implement some authentication. There is no other way I can think of to "lock down" a web service. This is one of the advantages of WCF -- it makes implementing complex authentication easy.

这篇关于我如何锁定一个.NET 4.0 WCF数据服务的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！