Is there a way to restrict access to an ASMX Webservice, i.e. the asmx page and its WSDL?


Question

I have a C# .net webservice that I need to restrict access to. I already require my consumers to use a username and password to call the service. But, is there a way to restrict access to the actual asmx page and the WSDL? I would need to restrict access to the webservice by username/password and IP address. If a user did not have the correct credentials, I would not want them to know what webmethods exist in the webservice.

Can this be done through IIS? I know that I can restrict IP addresses through IIS, but can I also use usernames/passwords?

Is there any other way to do this outside of IIS, maybe using C# .net?

Recommended answer

Well, since it's ASMX you have the entire ASP.NET runtime stack at your disposal.

Apply a <location> tag for the resources you want secured. Assuming it's a single ASMX file you can simply do the following in your web.config:

<location path="MyWebService.asmx">
    <system.web>
        <!-- resource specific options will go here -->
    </system.web>
</location>

Step #2 - authenticating your users

You need to decide how you're actually going to authenticate users. There are several ways to do this and several authentication standards you could leverage. You need to pick the approach that's the right fit for you.

If you're on an intranet and are using Windows authentication I would highly suggest leveraging that because it's truly the simplest option to get set up. However, if your services are being accessed over the internet then Windows authentication is not really an option and you need to choose from a web standard. The simplest of those is Basic Authentication, but you should only use this over SSL since the username/password are not encrypted (only base64 encoded). The next step up from that is Digest authentication which doesn't require SSL because the username/password are sent using an MD5 hash. For the ultimate you can go with SSL v3 where you issue a specific client certificate to each user of your API.

Now, which option you select for security dictates what else needs to be done. If you choose Windows security, it's as easy as adding the following element to the <system.web> element we started with in Step #1:

<authentication mode="Windows" />

The remainder of the security protocols are going to require a little more work. ASP.NET doesn't provide intrinsic support for Basic, Digest or SSL v3. Technically you can leverage IIS to do this type of authentication for you, but it's always going to map to a Windows user. If that's an option for you, then simply leave the <authentication mode="Windows" /> element and configure IIS accordingly. If, however, that is not an option, either because you simply have no control over IIS/ActiveDirectory or you need to authenticate against a custom user database, then that means that you need to hook up a custom HttpModule to provide support for these security protocols.

The simplest approach to securing the resource is to basically say: "don't let anyone who hasn't successfully authenticated in some way into this resource". This is done using the following authorization configuration:

<authorization>
    <deny users="?" />
</authorization>

If you wanted to only allow certain users you could change to do the following instead:

<authorization>
    <deny users="*" />
    <allow users="jdoe, msmith" />
</authorization>

Another approach is to define roles (groups) and simply lock the resource down to a special role which you put the users who you want to access the resource into.

<authorization>
    <deny users="*" />
    <allow roles="My Service Users" />
</authorization>

This maps well to Windows authentication because you can just set up a Windows group and let your MIS team manage which users are in that group using ActiveDirectory. However, the feature also works just fine for non-Windows authentication assuming the security implementation you've used exposes roles via its IPrincipal implementation.
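The custom HttpModule route mentioned in Step #2, as an added example that is not part of the original answer: a hypothetical BasicAuthModule that checks an Authorization: Basic header against a constructed in-memory user store and sets a GenericPrincipal whose roles satisfy the <allow roles="My Service Users" /> rule above. It assumes <authentication mode="None" /> and the module registration shown in its comment; the store, the user name and the password are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;

// Hypothetical module name. Register it under <system.webServer><modules> in web.config
// (<add name="BasicAuth" type="BasicAuthModule" />) and set <authentication mode="None" />.
public class BasicAuthModule : IHttpModule
{
    // Constructed sample store: username -> (hex SHA-256 of password, roles). A real store
    // would live in a database and use a salted, slow password hash.
    private static readonly Dictionary<string, Tuple<string, string[]>> Users =
        new Dictionary<string, Tuple<string, string[]>>(StringComparer.OrdinalIgnoreCase) {
            { "jdoe", Tuple.Create(Sha256Hex("example-password"), new[] { "My Service Users" }) } };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    private static void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string header = ctx.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return; // request stays anonymous; <deny users="?" /> then answers 401
        string credentials;
        try { credentials = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return; } // malformed header is treated as anonymous
        int colon = credentials.IndexOf(':');
        if (colon < 0) return;
        string user = credentials.Substring(0, colon), password = credentials.Substring(colon + 1);
        Tuple<string, string[]> entry;
        if (!Users.TryGetValue(user, out entry) || entry.Item1 != Sha256Hex(password))
            return; // unknown user or bad password give the same outcome, so neither is revealed
        // Roles carried on the IPrincipal are what <allow roles="My Service Users" /> checks.
        ctx.User = new GenericPrincipal(new GenericIdentity(user, "Basic"), entry.Item2);
    }

    // UrlAuthorizationModule sets 401 on denial; add the challenge so clients send Basic credentials.
    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpResponse resp = ((HttpApplication)sender).Context.Response;
        if (resp.StatusCode == 401)
            resp.AppendHeader("WWW-Authenticate", "Basic realm=\"MyWebService\"");
    }

    private static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "");
    }
}
```

Because the WSDL and the operation help pages are served from the same .asmx path with only a query string added, the <location> rule and <deny users="?" /> hide them from anonymous callers as well.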
