
Several Authentication Methods for WebService

Published: 2020-12-17 01:17:32 Category: Security Source: compiled from the web

1.1 WebService Design

1.1.1 Passing basic parameters

1.1.2 Passing data collections

(1) Arrays

(2) DataSet

1.2 WebService Exception Handling

1.3 WebService Performance

1.4 WebService Authentication

See the WebService authentication study report.

1.4.1 Authentication methods

1.4.1.1 Windows authentication

(1) In IIS, set the permissions on the WebService file to Integrated Windows Authentication

(2) Set Web.Config:

<authentication mode="Windows">
</authentication>

1.4.2 Tracking user access

1.5 WebService Invocation

1.5.1 Windows authentication

(1) When using NT authentication, Credentials must be set to System.Net.CredentialCache.DefaultCredentials.

When set to the default credentials, the client decides from the server-side configuration whether to use NTLM authentication or another security authentication scheme.

(2) Instantiate the WebService object

(3) Add the WebService authentication information

(4) Call the WebService method

// Requires: using System.Net;
// Instantiate the proxy generated for the GIIS WebService
LocalTest.GIISService localTest = new LocalTest.GIISService();

// Build a credential cache holding an explicit user name, password and domain
// (sample values from the original text) for the service URL
CredentialCache credentialCache = new CredentialCache();
NetworkCredential credentials = new NetworkCredential("XuJian", "password", "Snda");
credentialCache.Add(new Uri("http://localhost/GIIS/GIISService.asmx"), "Basic", credentials);

// Attach the credentials to the proxy and call the service
localTest.Credentials = credentialCache;
string tt = localTest.Hello("ssssssss");

1.6 WebService Authentication Implementation in GIIS

This section describes the authentication method implemented in GIIS for this project; for reasons of configuration and maintainability, other authentication methods are not covered.

1.6.1 Approach

SOAP Header + DES encryption/decryption + Windows authentication

1.6.2 How It Works

(1) SOAP Header

SOAP consists of four parts:
- the SOAP envelope, which defines and describes the message
- the SOAP encoding rules
- the SOAP RPC call and response convention
- the SOAP binding, which exchanges messages over the underlying protocol

The envelope consists of one or more Header elements and one Body; each child element of the Header element is called a SOAP header.

(2) DES symmetric encryption/decryption

The encrypted value sent by the client is decoded and checked on the server side to perform authentication; the user information used for authentication comes from the GIIS system login user list.

The values used for encoding and decoding are stored in the Web.Config file; they must be kept identical (symmetric) on both sides, and their length must be set to 8 characters.

(3) Integrated Windows authentication

Domain users can call and use the WebService in this way, while non-domain users are verified through our custom SOAP Header method.

1.6.3 Implementation Steps (SOAP

(1) Set the access permission on the .asmx file to "Integrated Windows Authentication" and do not allow anonymous access

(2) Create the WebService authentication class CredentialSoapHeader.cs, inheriting from SoapHeader

* The caller's information is retrieved from the WscUser table maintained by the system

using System;
using System.Data;
using System.Web.Services.Protocols;

namespace XXX.WebService
{
    public class CredentialSoapHeader : SoapHeader
    {
        #region -- Private Attribute --
        private string m_UserID = string.Empty;
        private string m_Password = string.Empty;
        #endregion

        #region -- Public Property --
        /// <summary>
        /// user id (sent by the client, encoded with Encrypt.EncryptClient)
        /// </summary>
        public string UserID
        {
            get { return m_UserID; }
            set { m_UserID = value; }
        }

        /// <summary>
        /// user password (sent by the client, encoded with Encrypt.EncryptClient)
        /// </summary>
        public string PassWord
        {
            get { return m_Password; }
            set { m_Password = value; }
        }
        #endregion

        /// <summary>
        /// initialise user id and password
        /// </summary>
        /// <param name="userID">user id</param>
        /// <param name="password">user password</param>
        public void Initial(string userID, string password)
        {
            UserID = userID;
            PassWord = password;
        }

        /// <summary>
        /// check the user when the web service is used
        /// </summary>
        /// <param name="userID">encoded user id</param>
        /// <param name="password">encoded user password</param>
        /// <param name="message">return message</param>
        /// <returns>true when the decoded account/password pair matches an active WscUser row</returns>
        public bool IsValid(string userID, string password, out string message)
        {
            message = "";
            try
            {
                // Decode the credentials carried in the SOAP header
                string userName = Encrypt.DecryptClient(userID);
                string userPassword = Encrypt.DecryptClient(password);

                // Look the caller up in the WscUser table through the GIIS entity class
                Entity.GiWscuser userAuthority = new Entity.GiWscuser();
                userAuthority.QueryMode = true;
                userAuthority.Active += true;
                userAuthority.Account += userName.Trim();
                userAuthority.Password += userPassword.Trim();
                DataTable dtblUser = userAuthority.Query(
                    new String[] { userAuthority.Account, userAuthority.Password }, false, -1).Tables[0];

                if (dtblUser.Rows.Count > 0)
                {
                    return true;
                }
                else
                {
                    message = "sorry, you have no access authority for current web service";
                    return false;
                }
            }
            catch (Exception ex)
            {
                message = "sorry, you have no access authority for current web service " + ex.Message;
                return false;
            }
        }

        /// <summary>
        /// check user authority using the values carried in this header
        /// </summary>
        /// <param name="message">message tip</param>
        /// <returns></returns>
        public bool IsValid(out string message)
        {
            return IsValid(m_UserID, m_Password, out message);
        }
    }
}

(3) Create the DES encryption/decryption class that encodes and decodes the plaintext

using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public class Encrypt
{
    // Key and IV come from Web.Config; DES needs exactly 8 bytes for each,
    // and the client and server must use the same values
    private static string ms_Key = System.Configuration.ConfigurationManager.AppSettings["EncryptKey"];
    private static string ms_IV = System.Configuration.ConfigurationManager.AppSettings["EncryptIV"];

    /// <summary>
    /// Encrypt a string
    /// </summary>
    /// <param name="ecryptString">string that needs to be encrypted</param>
    /// <returns>the encrypted string, Base64-encoded</returns>
    public static string EncryptClient(string ecryptString)
    {
        if (ecryptString != "")
        {
            DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider();
            cryptoProvider.Key = ASCIIEncoding.ASCII.GetBytes(ms_Key);
            cryptoProvider.IV = ASCIIEncoding.ASCII.GetBytes(ms_IV);
            MemoryStream memoryStream = new MemoryStream();
            CryptoStream cryptoStream = new CryptoStream(memoryStream,
                cryptoProvider.CreateEncryptor(), CryptoStreamMode.Write);
            StreamWriter streamWriter = new StreamWriter(cryptoStream);
            streamWriter.Write(ecryptString);
            streamWriter.Flush();
            cryptoStream.FlushFinalBlock();
            memoryStream.Flush();
            // ToArray() returns exactly the bytes written; GetBuffer() exposes the whole
            // internal buffer, and Convert.ToBase64String has no (byte[], int) overload
            return Convert.ToBase64String(memoryStream.ToArray());
        }
        else
        {
            return "";
        }
    }

    /// <summary>
    /// Decrypt a string
    /// </summary>
    /// <param name="decryptString">string that needs to be decrypted</param>
    /// <returns>the decrypted string</returns>
    public static string DecryptClient(string decryptString)
    {
        if (decryptString != "")
        {
            DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider();
            cryptoProvider.Key = ASCIIEncoding.ASCII.GetBytes(ms_Key);
            cryptoProvider.IV = ASCIIEncoding.ASCII.GetBytes(ms_IV);
            Byte[] buffer = Convert.FromBase64String(decryptString);
            MemoryStream memoryStream = new MemoryStream(buffer);
            CryptoStream cryptoStream = new CryptoStream(memoryStream,
                cryptoProvider.CreateDecryptor(), CryptoStreamMode.Read);
            StreamReader streamReader = new StreamReader(cryptoStream);
            return streamReader.ReadToEnd();
        }
        else
        {
            return "";
        }
    }
}
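The Encrypt class above fails only at the first request if the Web.Config key or IV is not the 8 characters that section 1.6.2 requires, because the DES key and IV setters reject any other length. The following is an added example, not code from the GIIS project or this article: a standalone DES codec that validates both lengths up front, disposes its crypto objects with using blocks, and includes a self-test. DesCredentialCodec, SampleKey, SampleIV and RequireEightBytes are names chosen here; the sample key and IV are constructed values standing in for EncryptKey and EncryptIV. DES is a 56-bit legacy cipher and both sides share one static key, so a header produced this way proves possession of that key plus the stored credentials, nothing more; the Windows authentication in front of the .asmx file stays the primary control.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the GIIS project's code: a DES codec that checks the
// 8-byte key/IV rule up front and disposes its crypto objects deterministically.
public static class DesCredentialCodec
{
    // Constructed sample values; in the article these come from Web.Config
    // (EncryptKey / EncryptIV) and must be identical on client and server.
    public const string SampleKey = "Gi1sDemo";
    public const string SampleIV = "IvDemo88";

    // DES uses a 64-bit key and a 64-bit IV, so both must be exactly 8 bytes.
    // Failing here gives a clear configuration error instead of a
    // CryptographicException on the first request.
    public static byte[] RequireEightBytes(string value, string name)
    {
        byte[] bytes = Encoding.ASCII.GetBytes(value ?? "");
        if (bytes.Length != 8)
        {
            throw new ArgumentException(name + " must be exactly 8 ASCII characters (got " + bytes.Length + ")", name);
        }
        return bytes;
    }

    public static string Encrypt(string plainText, string key, string iv)
    {
        if (string.IsNullOrEmpty(plainText)) return "";
        using (DES des = DES.Create())
        using (MemoryStream output = new MemoryStream())
        {
            des.Key = RequireEightBytes(key, "key");
            des.IV = RequireEightBytes(iv, "iv");
            using (CryptoStream cs = new CryptoStream(output, des.CreateEncryptor(), CryptoStreamMode.Write))
            {
                byte[] data = Encoding.UTF8.GetBytes(plainText);
                cs.Write(data, 0, data.Length);
                cs.FlushFinalBlock(); // writes the final padded block
                // ToArray() copies only the bytes actually written, unlike GetBuffer()
                return Convert.ToBase64String(output.ToArray());
            }
        }
    }

    public static string Decrypt(string cipherText, string key, string iv)
    {
        if (string.IsNullOrEmpty(cipherText)) return "";
        using (DES des = DES.Create())
        {
            des.Key = RequireEightBytes(key, "key");
            des.IV = RequireEightBytes(iv, "iv");
            using (MemoryStream input = new MemoryStream(Convert.FromBase64String(cipherText)))
            using (CryptoStream cs = new CryptoStream(input, des.CreateDecryptor(), CryptoStreamMode.Read))
            using (StreamReader reader = new StreamReader(cs, Encoding.UTF8))
            {
                // A wrong key or IV surfaces here as a CryptographicException (bad padding)
                return reader.ReadToEnd();
            }
        }
    }

    // Self-check: a value must survive the round trip and a 7-character key must be rejected
    public static bool SelfTest()
    {
        string token = Encrypt("XuJian", SampleKey, SampleIV);
        bool roundTrip = Decrypt(token, SampleKey, SampleIV) == "XuJian";
        bool shortKeyRejected;
        try
        {
            Encrypt("x", "7chars!", SampleIV);
            shortKeyRejected = false;
        }
        catch (ArgumentException)
        {
            shortKeyRejected = true;
        }
        return roundTrip && shortKeyRejected;
    }

    public static void Main()
    {
        Console.WriteLine(SelfTest() ? "DES codec OK" : "DES codec FAILED");
    }
}
```

Decrypt throws a CryptographicException when the client and server keys differ, which is the case the article's IsValid catches and turns into the "no access authority" message; calling RequireEightBytes once at application start on the real Web.Config values turns a silent runtime failure into a configuration error at deployment time.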

(4) In the CredentialSoapHeader class, implement decoding of the user credentials and the validity check, and return a message when an exception occurs

(see the CredentialSoapHeader code above)

(5) In the target Service class, instantiate a CredentialSoapHeader object and declare it as the SOAP header of the WebService method

using System.Web.Services;
using System.Web.Services.Protocols;

namespace WebServiceAuthority
{
    [WebService(Namespace = "http://tempuri.org/")]
    [WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
    public class GIISService : System.Web.Services.WebService
    {
        // The SOAP header the client must send; bound to the method by [SoapHeader("myHeader")]
        public CredentialSoapHeader myHeader = new CredentialSoapHeader();

        /// <summary>
        /// get web service information as an authorised user
        /// </summary>
        /// <param name="contents">customised content</param>
        /// <returns></returns>
        [SoapHeader("myHeader")]
        [WebMethod(Description = "authority set for Web Service", EnableSession = true)]
        public string HelloWorld(string contents)
        {
            string message = "";
            // Reject the call when the header's credentials do not validate
            if (!myHeader.IsValid(out message))
                return message;
            return "Hello World:" + contents;
        }
    }
}
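IsValid above authenticates by querying the WscUser table for a row whose Account and Password columns equal the decoded values, which means the table holds comparable passwords and an account is accepted whenever the query returns a row. The following is an added example, not GIIS code, of what the server-side check looks like once the decoding step has run: the decoded account and password are verified against salted PBKDF2 hashes, inactive accounts and empty header values are rejected explicitly, and the hash comparison runs in constant time. The Dictionary is a constructed in-memory stand-in for the WscUser table; CredentialValidator, UserRecord, Register and the iteration count are choices made here, and the code assumes .NET Framework 4.7.2 or later or .NET Core for the Rfc2898DeriveBytes overload that takes a HashAlgorithmName.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, not GIIS code: validation of the credentials carried in the
// SOAP header against salted PBKDF2 hashes instead of a comparable password column.
public sealed class UserRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public bool Active;
}

public static class CredentialValidator
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Iterations = 100000;
    private const string DeniedMessage = "sorry, you have no access authority for current web service";

    // Constructed in-memory stand-in for the WscUser table (Account -> record)
    private static readonly Dictionary<string, UserRecord> Users =
        new Dictionary<string, UserRecord>(StringComparer.OrdinalIgnoreCase);

    private static byte[] Derive(string password, byte[] salt)
    {
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            return kdf.GetBytes(HashBytes);
        }
    }

    // Store a user the way the table should store it: random salt plus PBKDF2 hash
    public static void Register(string account, string password, bool active)
    {
        byte[] salt = new byte[SaltBytes];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }
        Users[account.Trim()] = new UserRecord { Salt = salt, Hash = Derive(password, salt), Active = active };
    }

    // Compare every byte so the time taken does not depend on where the first mismatch is
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // account and password are the values already decoded with Encrypt.DecryptClient
    public static bool IsValid(string account, string password, out string message)
    {
        message = "";
        if (string.IsNullOrEmpty(account) || password == null)
        {
            message = "missing credentials in SOAP header";
            return false;
        }
        UserRecord record;
        bool known = Users.TryGetValue(account.Trim(), out record);
        // Run the KDF even for unknown accounts so both failure paths cost the same
        byte[] salt = known ? record.Salt : new byte[SaltBytes];
        byte[] candidate = Derive(password, salt);
        bool ok = known && record.Active && FixedTimeEquals(candidate, record.Hash);
        if (!ok) message = DeniedMessage;
        return ok;
    }

    public static void Main()
    {
        Register("XuJian", "correct horse", true);
        Register("Retired", "old password", false);
        string msg;
        Console.WriteLine(IsValid("XuJian", "correct horse", out msg));
        Console.WriteLine(IsValid("XuJian", "wrong", out msg) + " " + msg);
        Console.WriteLine(IsValid("Retired", "old password", out msg) + " " + msg);
        Console.WriteLine(IsValid("", "", out msg) + " " + msg);
    }
}
```

In the service this replaces the entity query inside CredentialSoapHeader.IsValid: decode UserID and PassWord with Encrypt.DecryptClient as before, then pass the results to CredentialValidator.IsValid. Because the article initialises myHeader with new CredentialSoapHeader(), a client that sends no header reaches the method with empty strings, which the first check above turns into the "missing credentials" message rather than a table lookup for an empty account.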

1.6.4 Client-Side Call Method (SOAP

(1) Add a WebService reference

The URL is the address of the corresponding GIIS WebService; the alias for the reference is your choice

(2) Instantiate a WebService class object

LocalService.GIISService localTest = new LocalService.GIISService();

(3) Set the Credentials

localTest.Credentials = System.Net.CredentialCache.DefaultCredentials;

(4) Pass the encoded ciphertext

(5) Call the method provided by the WebService

(6) The implementation code is as follows:

// Instantiate the proxy for the GIIS WebService
LocalService.GIISService localTest = new LocalService.GIISService();
localTest.Credentials = System.Net.CredentialCache.DefaultCredentials; // default credentials (Windows authentication)

// Create the SOAP header; userName and userPassword already hold the values
// encoded with Encrypt.EncryptClient (step 4)
LocalService.CredentialSoapHeader header = new LocalService.CredentialSoapHeader();
header.UserID = userName;       // set the SOAP header user name
header.PassWord = userPassword; // set the SOAP header password
localTest.CredentialSoapHeaderValue = header;

// Call the service method; the header travels with the request
this.Label1.Text = localTest.HelloWorld("ss");

This completes the WebService authentication in GIIS; for using Windows authentication on its own, see the notes below.
