最近在项目中遇到WEBSERVICE的安全性问题,本来,按以前的经验(WIINFORM中),可以在服务器端建一个用户表,进行身份验证,但后来发现,这存在安全性问题,所以查找后发现可以利用定义SOAP头进行用户信息绑定进行身份验证,下面就是相关代码,验证通过.
这里是SOAP头定义:
using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
public class MyHeader :? System.Web.Services.Protocols.SoapHeader
???? {
???????? private string _UserID=string.Empty;
???????? private string _PassWord=string.Empty;
???????? /// <summary>
???????? /// 构造函数
???????? /// </summary>
???????? public MyHeader()
???????? {
???????? }
???????? /// <summary>
???????? /// 构造函数
???????? /// </summary>
???????? /// <param name="nUserID">用户ID</param>
???????? /// <param name="nPassWord">加密后的密码</param>
???????? public MyHeader(string nUserID,string nPassWord)
???????? {
????????????? Initial(nUserID,nPassWord);
???????? }
????????
???????? #region 属性
???????? /// <summary>
???????? /// 用户名
???????? /// </summary>
???????? public string UserID
???????? {
????????????? get{return _UserID;}
????????????? set{_UserID=value;}
???????? }
???????? /// <summary>
???????? /// 加密后的密码
???????? /// </summary>
???????? public string PassWord
???????? {
????????????? get{return _PassWord;}
????????????? set{_PassWord=value;}
???????? }
?????? #endregion
???????? #region 方法
?????? /// <summary>
???????? /// 初始化
???????? /// </summary>
???????? /// <param name="nUserID">用户ID</param>
???????? /// <param name="nPassWord">加密后的密码</param>
???????? public void Initial(string nUserID,string nPassWord)
???????? {
????????????? UserID=nUserID;
????????????? PassWord=nPassWord;
???????? }
???????? /// <summary>
???????? /// 用户名密码是否正确
???????? /// </summary>
???????? /// <param name="nUserID">用户ID</param>
???????? /// <param name="nPassWord">加密后的密码</param>
???????? /// <param name="nMsg">返回的错误信息</param>
???????? /// <returns>用户名密码是否正确</returns>
???????? public bool IsValid(string nUserID,string nPassWord,out string nMsg)
???????? {
????????????? nMsg="";
????????????? try
????????????? {
?????????????????? //判断用户名密码是否正确
?????????????????? if(nUserID == "admin" && nPassWord == "admin"){
?????????????????????? return true;
?????????????????? }
?????????????????? else
?????????????????? {
?????????????????????? nMsg="对不起,你无权调用此Web服务,可能有如下原因:/n 1.您的帐号被管理员禁用。/n 2.您的帐号密码不正确";
?????????????????????? return false;
?????????????????? }
????????????? }
????????????? catch
????????????? {
?????????????????? nMsg="对不起,你无权调用此Web服务,可能有如下原因:/n 1.您的帐号被管理员禁用。/n 2.您的帐号密码不正确";
?????????????????? return false;
????????????? }
???????? }
???????? /// <summary>
???????? /// 用户名密码是否正确
???????? /// </summary>
???????? /// <returns>用户名密码是否正确</returns>
???????? public bool IsValid(out string nMsg)
???????? {
????????????? return IsValid(_UserID,_PassWord,out nMsg);
???????? }
???????? #endregion
}
服务器部分:
using System;
using System.Web;
using System.Web.Services;
using System.Web.Services.Protocols;
?
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class myService : System.Web.Services.WebService
{
??? /// <summary>
??? /// Soap头实例
??? /// </summary>
??? public MyHeader myHeader = new MyHeader();
??????
??? public myService()
??? {
??? }
??? // WEB 服务示例
??? // HelloWorld() 示例服务返回字符串 Hello World
??? // 若要生成,请取消注释下列行,然后保存并生成项目
??? // 若要测试此 Web 服务,请按 F5 键
??? [WebMethod]
??? public string HelloWorld()
??? {
??????? return "Hello World";
??? }
??? [SoapHeader("myHeader",Direction = SoapHeaderDirection.InOut)]
??? [WebMethod(Description = "ddddddd",EnableSession = true)]
??? public string HelloWorld2(string contents)
??? {
??????? string msg = "";
??????? //验证是否有权访问
??????? if (!myHeader.IsValid(out? msg))
??????????? return msg;
??????? return "Hello World:" + contents;
??? }
???
}
其实原理就是定义一个SOAP头后,在客户端调用该头并注入身份信息,这样在网络上即使给截获了.也取不到身份信息.
小东西做完以后就想到了发布,感觉用VS2005的CLICKONCE方便好用,这里就不说了...随便查查就N多?