Access control to web service


Question

This is what I want to implement:

My ASP.NET web service is hosted on a server called //service. I want to control access to the web service by server and by application as well. What I mean here is if I have two ASP.NET web applications (app1 and app2) hosted on a server called //web1 and I only want //web1/app1 to be able to call the web service. I know that I can grant access to the IP address of //web1 but that would allow both //web1/app1 and //web1/app2 access to the web service.

I am thinking about using an SSL certificate as I don't want the web application to handle the login/password. On //service, I will grant access to the IP of //web1 and map a client certificate from //web1 to a Windows account, and this will allow only applications from //web1 to access. But then how do I further control the access to only //web1/app1?

Recommended answer

You can use standard HTTP Authentication to control which applications have access to your web service.

Credentials are passed in the Authorization header with each request. Every web service client (i.e. //web1/app1) should have its own credentials, so if //web1/app2 tried to connect to the web service without providing recognized credentials, it would be denied access.

I recommend using SSL to encrypt all traffic, so that authentication information and other sensitive data is secure.

Here are a couple of useful articles:

  • HTTP Security and ASP.NET Web Services (see Authentication section)
  • Authentication in ASP.NET Web Services

Good luck!
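The per-application credential check described in the answer, sketched as an added example that is not part of the original answer or of any ASP.NET library. The `ClientAuth` class, the client id `web1-app1`, the sample secret, and the choice to store PBKDF2 hashes rather than plain secrets are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

static class ClientAuth   // hypothetical helper, not an ASP.NET type
{
    // client id -> (salt, PBKDF2 hash of that client's secret); the service never keeps the secret itself
    static readonly Dictionary<string, Tuple<byte[], byte[]>> Clients = new Dictionary<string, Tuple<byte[], byte[]>>();

    static byte[] Derive(string secret, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(secret, salt, 100000, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    public static void Register(string clientId, string secret)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        Clients[clientId] = Tuple.Create(salt, Derive(secret, salt));
    }

    // Returns the authenticated client id, or null when the caller should answer 401.
    public static string Authenticate(string authorizationHeader, bool isHttps)
    {
        // Basic credentials are only base64-encoded, so refuse them outside SSL/TLS.
        if (!isHttps || authorizationHeader == null ||
            !authorizationHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return null;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(authorizationHeader.Substring(6).Trim())); }
        catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');
        if (colon < 1) return null;
        string id = decoded.Substring(0, colon);
        Tuple<byte[], byte[]> entry;
        if (!Clients.TryGetValue(id, out entry)) return null;   // unknown application
        byte[] candidate = Derive(decoded.Substring(colon + 1), entry.Item1);
        int diff = 0;                                           // compare without early exit
        for (int i = 0; i < candidate.Length; i++) diff |= candidate[i] ^ entry.Item2[i];
        return diff == 0 ? id : null;
    }

    static void Main()
    {
        Register("web1-app1", "constructed-secret-for-app1");   // constructed sample credential
        Func<string, string> basic = s => "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes(s));
        Console.WriteLine(Authenticate(basic("web1-app1:constructed-secret-for-app1"), true) ?? "denied");
        Console.WriteLine(Authenticate(basic("web1-app2:anything"), true) ?? "denied");
        Console.WriteLine(Authenticate(basic("web1-app1:constructed-secret-for-app1"), false) ?? "denied");
    }
}
```

In a hosted service this check would run from an `IHttpModule` or `Application_AuthenticateRequest`, answering 401 with a `WWW-Authenticate: Basic` header when it returns null.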
