
Several authentication methods for WebService

Published: 2020-12-16 23:22:04   Category: Security   Source: compiled from the web

1.1 WebService design

1.1.1 Passing basic parameters

1.1.2 Passing data collections

(1) Arrays

(2) DataSet

1.2 WebService exception handling

1.3 WebService performance

1.4 WebService authentication

See the WebService authentication study report.

1.4.1 Authentication methods

1.4.1.1 Windows authentication

(1) In IIS, set the access permission of the WebService (.asmx) file to Integrated Windows authentication

(2) Configure Web.Config

<authentication mode="Windows">
</authentication>

1.4.2 Tracking user access

1.5 Calling the WebService

1.5.1 Windows authentication

(1) When NT authentication is used, Credentials must be set to System.Net.CredentialCache.DefaultCredentials

With the default credentials, the client chooses NTLM or another security scheme according to the server's configuration

(2) Instantiate the WebService object

(3) Attach the WebService credential information

(4) Call the WebService method

            // Generated proxy for the service ("LocalTest" is the alias chosen when the web reference was added)
            LocalTest.GIISService localTest = new LocalTest.GIISService();
            // Explicit credentials bound to the service URL; the scheme name must match what IIS accepts
            CredentialCache credentialCache = new CredentialCache();
            NetworkCredential credentials = new NetworkCredential("XuJian", "password", "Snda");
            credentialCache.Add(new Uri("http://localhost/GIIS/GIISService.asmx"),
                                "Basic", credentials);
            localTest.Credentials = credentialCache;
            // Call the web method; the proxy answers the server's authentication challenge with the cache entry
            string tt = localTest.Hello("ssssssss");

1.6 WebService authentication implementation in GIIS

This section covers the authentication method implemented in GIIS for this project; for ease of configuration and maintenance, other authentication methods are not handled.

1.6.1 Implementation approach

SOAP Header + DES encryption/decryption + Windows authentication

1.6.2 How it works

(1) SOAP Header

SOAP consists of four parts:
    the SOAP envelope, which defines and describes the message;
    the SOAP encoding rules;
    the SOAP RPC call and response convention;
    the SOAP binding, which exchanges messages over the underlying protocol.

The envelope is made up of one or more Header elements and one Body element; each child element of the Header element is called a SOAP Header.
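As an added example (not code from the original page or from the GIIS project), the following Python script builds the SOAP 1.1 envelope that the page's client sends, with the CredentialSoapHeader block inside soap:Header and the HelloWorld call inside soap:Body, and then performs the server-side steps in the same order as the page's HelloWorld method: read the header block, validate it, and only then touch the Body. The element names CredentialSoapHeader, UserID, PassWord and HelloWorld and the http://tempuri.org/ namespace come from the page; the user table, the sample requests and the check_credentials function are constructed for the demo, and because Python's standard library has no DES the header values are treated as already decrypted.

```python
"""Added example: a SOAP 1.1 envelope carrying a CredentialSoapHeader block,
and the server-side steps that read it before the Body is processed.
Element names follow the page's classes; the user table and sample requests
below are constructed for the demo."""
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 Envelope namespace
SVC_NS = "http://tempuri.org/"  # namespace from the page's [WebService(Namespace=...)]
NS = {"soap": SOAP_NS, "svc": SVC_NS}

# Constructed user table standing in for the page's WscUser lookup. The page's
# scheme DES-decrypts UserID/PassWord first; the standard library has no DES,
# so this demo treats the header values as already decrypted.
USERS = {"alice": "s3cret-demo"}


def check_credentials(user_id, password):
    """Look the caller up; compare_digest avoids a timing side channel on the password."""
    expected = USERS.get(user_id.strip())
    if expected is not None and hmac.compare_digest(expected.encode(), password.strip().encode()):
        return True, ""
    return False, "sorry,you have no access authority for current web service"


def build_request(user_id, password, contents):
    """Client side: Header holds the credential block, Body holds the HelloWorld call."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("svc", SVC_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    cred = ET.SubElement(header, f"{{{SVC_NS}}}CredentialSoapHeader")
    ET.SubElement(cred, f"{{{SVC_NS}}}UserID").text = user_id
    ET.SubElement(cred, f"{{{SVC_NS}}}PassWord").text = password
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    call = ET.SubElement(body, f"{{{SVC_NS}}}HelloWorld")
    ET.SubElement(call, f"{{{SVC_NS}}}contents").text = contents
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def header_blocks(envelope):
    """Each child element of soap:Header is one SOAP Header block; key them by local name."""
    root = ET.fromstring(envelope)
    header = root.find("soap:Header", NS)
    if header is None:
        return {}
    return {child.tag.rsplit("}", 1)[-1]: child for child in header}


def extract_credentials(envelope):
    """Return (user_id, password) from CredentialSoapHeader, or None when the block is absent."""
    block = header_blocks(envelope).get("CredentialSoapHeader")
    if block is None:
        return None
    return (block.findtext("svc:UserID", default="", namespaces=NS),
            block.findtext("svc:PassWord", default="", namespaces=NS))


def hello_world(envelope):
    """Server side, mirroring the page's HelloWorld: validate the header first,
    return the failure message otherwise, and only then read the Body."""
    creds = extract_credentials(envelope)
    if creds is None:
        return "sorry,missing CredentialSoapHeader"
    ok, message = check_credentials(*creds)
    if not ok:
        return message
    root = ET.fromstring(envelope)
    contents = root.findtext("soap:Body/svc:HelloWorld/svc:contents", default="", namespaces=NS)
    return "Hello World:" + contents


# Constructed request with no Header element at all.
NO_HEADER_REQUEST = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><HelloWorld xmlns="http://tempuri.org/"><contents>ss</contents>'
    b'</HelloWorld></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(build_request("alice", "s3cret-demo", "ss").decode())
    print(hello_world(build_request("alice", "s3cret-demo", "ss")))
    print(hello_world(build_request("alice", "wrong", "ss")))
    print(hello_world(NO_HEADER_REQUEST))
```

Running it prints the envelope and the three outcomes (valid header, wrong password, no header). Keying the header blocks by local name is what lets the service pick out its own block even when a client adds other headers to the same envelope.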

(2) DES symmetric encryption/decryption

The encrypted values sent by the client are decrypted and checked to authenticate the caller; the user information used for authentication comes from the GIIS system's login user list.

The key and IV bytes used for encryption and decryption are stored in Web.Config; both sides must use the same values (the cipher is symmetric), and each must be exactly 8 characters long.
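Added example, not from the page or the project: a startup check, in Python, for the two Web.Config values the page's Encrypt class reads (EncryptKey and EncryptIV). DESCryptoServiceProvider rejects a key or IV that is not exactly 8 bytes at the moment it is assigned, and Encoding.ASCII.GetBytes silently turns every non-ASCII character into '?', so a key typed with non-ASCII characters passes the length test but is far weaker than it looks; the check below reproduces that encoding rule to catch both cases before the first request arrives. The two Web.config fragments are constructed for the demo, and the key/IV-identical rule is an extra hygiene check added here.

```python
"""Added example: validate the DES key/IV that Web.Config supplies to the page's Encrypt class.
EncryptKey/EncryptIV are the appSettings names from the page; the configs below are constructed."""
import xml.etree.ElementTree as ET

DES_BLOCK_BYTES = 8  # DES uses an 8-byte key and an 8-byte IV


def app_settings(web_config_xml):
    """Read <appSettings><add key="..." value="..."/> pairs, as ConfigurationManager.AppSettings does."""
    root = ET.fromstring(web_config_xml)
    return {add.get("key"): add.get("value", "") for add in root.iterfind("./appSettings/add")}


def ascii_bytes_like_dotnet(text):
    """Mirror Encoding.ASCII.GetBytes: chars above 0x7F are replaced by '?'.
    Returns (encoded_bytes, count_of_replaced_chars)."""
    encoded = bytearray()
    replaced = 0
    for ch in text:
        if ord(ch) < 0x80:
            encoded.append(ord(ch))
        else:
            encoded.append(ord("?"))
            replaced += 1
    return bytes(encoded), replaced


def check_des_setting(name, value):
    """Problems with one key/IV setting; an empty list means it is usable."""
    if value is None:
        return [f"{name}: missing from appSettings"]
    raw, replaced = ascii_bytes_like_dotnet(value)
    problems = []
    if len(raw) != DES_BLOCK_BYTES:
        problems.append(f"{name}: {len(raw)} bytes after ASCII encoding, DES needs exactly {DES_BLOCK_BYTES}")
    if replaced:
        problems.append(f"{name}: {replaced} non-ASCII character(s) would silently become '?'")
    return problems


def check_web_config(web_config_xml):
    """All problems found for EncryptKey and EncryptIV; an empty list means the config is usable."""
    settings = app_settings(web_config_xml)
    problems = []
    for name in ("EncryptKey", "EncryptIV"):
        problems.extend(check_des_setting(name, settings.get(name)))
    # Hygiene rule added here, not from the page: key and IV should not be the same value
    if settings.get("EncryptKey") is not None and settings.get("EncryptKey") == settings.get("EncryptIV"):
        problems.append("EncryptKey and EncryptIV are identical")
    return problems


# Constructed Web.config fragments (only the appSettings section matters here)
GOOD_CONFIG = """<configuration>
  <appSettings>
    <add key="EncryptKey" value="k3y-demo"/>
    <add key="EncryptIV" value="iv-demo1"/>
  </appSettings>
</configuration>"""

BAD_CONFIG = """<configuration>
  <appSettings>
    <add key="EncryptKey" value="short"/>
    <add key="EncryptIV" value="密钥密钥密钥密钥"/>
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_web_config(cfg) or "OK")
```

The bad fragment shows both failure modes: a 5-character key that DESCryptoServiceProvider would reject at runtime, and an 8-character IV made of CJK characters that is the right length but collapses to eight '?' bytes once ASCII-encoded.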

(3) Integrated Windows authentication

Domain users can call and use the WebService this way; non-domain users are instead verified through our custom SOAP Header.

1.6.3 Implementation steps (SOAP

(1) Set the access permission of the .asmx file to "Integrated Windows authentication" and disallow anonymous access

(2) Create the WebService authentication class CredentialSoapHeader.cs, inheriting from SoapHeader

* The caller's information is fetched from the WscUser table maintained by the system

using System;
using System.Data;
using System.Web.Services.Protocols;

namespace XXX.WebService
{
    public class CredentialSoapHeader : System.Web.Services.Protocols.SoapHeader
    {
        #region -- Private Attribute --
        private string m_UserID = string.Empty;
        private string m_Password = string.Empty;
        #endregion

        #region -- Public Property --
        /// <summary>
        /// user id (serialized as a child element of the SOAP header block)
        /// </summary>
        public string UserID
        {
            get { return m_UserID; }
            set { m_UserID = value; }
        }

        /// <summary>
        /// user password
        /// </summary>
        public string PassWord
        {
            get { return m_Password; }
            set { m_Password = value; }
        }
        #endregion

        /// <summary>
        /// initialize user id and password
        /// </summary>
        /// <param name="userID">user id</param>
        /// <param name="password">user password</param>
        public void Initial(string userID, string password)
        {
            UserID = userID;
            PassWord = password;
        }

        /// <summary>
        /// check user when the web service is used
        /// </summary>
        /// <param name="userID">encrypted user id</param>
        /// <param name="password">encrypted user password</param>
        /// <param name="message">return message</param>
        /// <returns>true when the decrypted account/password pair exists in WscUser</returns>
        public bool IsValid(string userID, string password, out string message)
        {
            message = "";
            try
            {
                // Both header values arrive DES-encrypted (see the Encrypt class)
                string userName = Encrypt.DecryptClient(userID);
                string userPassword = Encrypt.DecryptClient(password);

                // Query the WscUser table for an active account with this name/password
                Entity.GiWscuser userAuthority = new Entity.GiWscuser();
                userAuthority.QueryMode = true;
                userAuthority.Active = true;
                userAuthority.Account = userName.Trim();
                userAuthority.Password = userPassword.Trim();
                DataTable dtblUser = userAuthority.Query(
                    new String[] { userAuthority.Account, userAuthority.Password }, false, -1).Tables[0];

                if (dtblUser.Rows.Count > 0)
                {
                    return true;
                }
                else
                {
                    message = "sorry,you have no access authority for current web service";
                    return false;
                }
            }
            catch (Exception ex)
            {
                message = "sorry,you have no access authority for current web service " + ex.Message;
                return false;
            }
        }

        /// <summary>
        /// check user authority using the values carried in this header
        /// </summary>
        /// <param name="message">message tip</param>
        /// <returns>true when the header's user id and password are valid</returns>
        public bool IsValid(out string message)
        {
            return IsValid(m_UserID, m_Password, out message);
        }
    }
}

(3) Create the DES encryption/decryption class, which encodes plaintext and decodes it back

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Encrypt
{
    // Key and IV come from Web.Config; DES requires each to be exactly 8 bytes
    private static string ms_Key = System.Configuration.ConfigurationManager.AppSettings["EncryptKey"];
    private static string ms_IV = System.Configuration.ConfigurationManager.AppSettings["EncryptIV"];

    /// <summary>
    /// Encrypt a string
    /// </summary>
    /// <param name="encryptString">string that needs to be encrypted</param>
    /// <returns>the encrypted string, base64-encoded</returns>
    public static string EncryptClient(string encryptString)
    {
        if (encryptString != "")
        {
            DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider();
            cryptoProvider.Key = Encoding.ASCII.GetBytes(ms_Key);
            cryptoProvider.IV = Encoding.ASCII.GetBytes(ms_IV);
            MemoryStream memoryStream = new MemoryStream();
            CryptoStream cryptoStream = new CryptoStream(memoryStream,
                cryptoProvider.CreateEncryptor(), CryptoStreamMode.Write);
            StreamWriter streamWriter = new StreamWriter(cryptoStream);
            streamWriter.Write(encryptString);
            streamWriter.Flush();
            cryptoStream.FlushFinalBlock();
            memoryStream.Flush();
            // ToArray() yields exactly the bytes written (GetBuffer() may include unused capacity)
            return Convert.ToBase64String(memoryStream.ToArray());
        }
        else
        {
            return "";
        }
    }

    /// <summary>
    /// Decrypt a string
    /// </summary>
    /// <param name="decryptString">base64 string that needs to be decrypted</param>
    /// <returns>the decrypted string</returns>
    public static string DecryptClient(string decryptString)
    {
        if (decryptString != "")
        {
            DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider();
            cryptoProvider.Key = Encoding.ASCII.GetBytes(ms_Key);
            cryptoProvider.IV = Encoding.ASCII.GetBytes(ms_IV);
            Byte[] buffer = Convert.FromBase64String(decryptString);
            MemoryStream memoryStream = new MemoryStream(buffer);
            CryptoStream cryptoStream = new CryptoStream(memoryStream,
                cryptoProvider.CreateDecryptor(), CryptoStreamMode.Read);
            StreamReader streamReader = new StreamReader(cryptoStream);
            return streamReader.ReadToEnd();
        }
        else
        {
            return "";
        }
    }
}

(4) In the CredentialSoapHeader class, decrypt the user credential information and check its validity, returning a message when there is an error

See the CredentialSoapHeader code above

(5) In the target Service class, instantiate a CredentialSoapHeader object and declare it as the SOAP header of the WebService method

using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebServiceAuthority
{
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class GIISService : System.Web.Services.WebService
    {
        // Populated by ASMX from the CredentialSoapHeader block of the incoming envelope
        public CredentialSoapHeader myHeader = new CredentialSoapHeader();

        /// <summary>
        /// get web service information for an authorized user
        /// </summary>
        /// <param name="contents">customized content</param>
        /// <returns>greeting, or the failure message when the header is not valid</returns>
        [SoapHeader("myHeader")]
        [WebMethod(Description = "authority set for Web Service", EnableSession = true)]
        public string HelloWorld(string contents)
        {
            string message = "";
            // Validate the header before doing any work on the request
            if (!myHeader.IsValid(out message))
                return message;
            return "Hello World:" + contents;
        }
    }
}

1.6.4 Client-side call (SOAP

(1) Add the WebService reference

The URL is the address of the corresponding GIIS WebService; the reference alias is your choice

(2) Instantiate a WebService object

LocalService.GIISService localTest = new LocalService.GIISService();

(3) Set the Credentials

localTest.Credentials = System.Net.CredentialCache.DefaultCredentials;

(4) Pass the encrypted credentials

(5) Call the method provided by the WebService

(6) The implementation code is as follows:

            LocalService.GIISService localTest = new LocalService.GIISService();
            localTest.Credentials = System.Net.CredentialCache.DefaultCredentials; // default credentials (Windows authentication)
            LocalService.CredentialSoapHeader header = new LocalService.CredentialSoapHeader(); // create the SOAP header
            header.UserID = userName;       // set the SOAP header user name (already encrypted with Encrypt.EncryptClient)
            header.PassWord = userPassword; // set the SOAP header user password (already encrypted)
            localTest.CredentialSoapHeaderValue = header; // attach the header to the proxy
            this.Label1.Text = localTest.HelloWorld("ss");

This completes WebService authentication in GIIS; for using Windows authentication on its own, see the notes below.

(Editor: Li Datong)
