.net ASMX 用户名和密码安全
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/770345/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
ASMX username and password security
提问by BCS
I have a basic ASMX service that I'm trying to get running (I'd rather use WCF but can't get the server to work with it). It runs fine in a no security setup but as soon as I turn on security I get:
我有一个基本的 ASMX 服务,我正在尝试运行它(我宁愿使用 WCF,但无法让服务器使用它)。它在没有安全设置的情况下运行良好,但是一旦我打开安全性,我就会得到:
The HTTP request is unauthorized with client authentication scheme 'Anonymous'. The authentication header received from the server was 'Basic realm="Secured area"'.
HTTP 请求未经授权,客户端身份验证方案为“匿名”。从服务器收到的身份验证标头是“基本领域=“安全区域””。
What I want is a minimalistic ask the user for a name and passwordtype solution.
我想要的是一个简约的询问用户名称和密码类型的解决方案。
Pokeing around the code with intellisense doesn't come up with anything that looks like I need.
用智能感知浏览代码并没有想出任何我需要的东西。
Thislooks like it might be useful but it seems to be WCF so who knows.
这看起来可能很有用,但似乎是 WCF,所以谁知道呢。
I just realized I can make this a live demo:
我刚刚意识到我可以将其作为现场演示:
here is the service: http://smplsite.com/sandbox3/Service1.asmx
这是服务:http: //smplsite.com/sandbox3/Service1.asmx
the username is testappand the password is testpw. I need a command line app that calls functions on that service.
用户名是testapp,密码是testpw。我需要一个命令行应用程序来调用该服务上的函数。
Befor I added security, this line worked in a basic VS project after running Add Web Service Referenceon that URL
在我添加安全性之前,此行在Add Web Service Reference该 URL 上运行后在基本 VS 项目中工作
new ServiceReference1.Service1SoapClient().HelloMom("Bob");
This is my current attempt (That doesn't work)
这是我目前的尝试(那行不通)
class Program
{
private static bool customValidation(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e)
{ return true }
static void Main(string[] args)
{
// accept anything
ServicePointManager.ServerCertificateValidationCallback +=
new RemoteCertificateValidationCallback(customValidation);
var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
binding.Security.Transport.Realm = "Secured area";
// the generated Web Service Reference class
var client = new ServiceReference1.Service1SoapClient(
binding,
new EndpointAddress("https://smplsite.com/sandbox3/Service1.asmx")
);
client.ClientCredentials.UserName.UserName = "testapp";
client.ClientCredentials.UserName.Password = "testpw";
Console.WriteLine(client.HelloMom("Bob"));
}
}
Edit:BTW this is not a website or running in the browser, the accessing code is a C# command line app. Also, the authentication is being done by another IIS plug-in that I don't control.
编辑:顺便说一句,这不是网站或在浏览器中运行,访问代码是C# 命令行应用程序。此外,身份验证是由我无法控制的另一个 IIS 插件完成的。
Edit 2:To be clear; the solution I'm looking for is a purely client side issue.
编辑2:要清楚;我正在寻找的解决方案纯粹是客户端问题。
Edit 3:the access control is via a .haccesstype of system and I like it that way.
I don't want the service code to do any authentication.
编辑 3:访问控制是通过一种.haccess系统实现的,我喜欢这种方式。我不希望服务代码进行任何身份验证。
回答by Moose
Edit:
How about using this:
编辑:
如何使用这个:
MyWebService svc = new MyWebService();
svc.Credentials = new System.Net.NetworkCredential(UserID, pwd);
bool result = svc.MyWebMethod();
OP says this wouldn't work, and now I see that it wouldn't in his situation.
OP 说这行不通,现在我看到在他的情况下不会。
We do something like this:
我们做这样的事情:
public class MyWebService : System.Web.Services.WebService
{
public AuthenticationHeader AuthenticationInformation;
public class AuthenticationHeader : SoapHeader
{
public string UserName;
public string Password;
}
[WebMethod( Description = "Sample WebMethod." )]
[SoapHeader( "AuthenticationInformation" )]
public bool MyWebMethod()
{
if ( AuthenticationInformation != null )
{
if ( IsUserAuthenticated( AuthenticationInformation.UserName,
AuthenticationInformation.Password, ref errorMessage ) )
{
// Authenticated, do something
}
else
{
// Failed Authentication, do something
}
}
else
{
// No Authentication, do something
}
}
}
Note that you supply IsUserAuthenticated().
请注意,您提供 IsUserAuthenticated()。
Then the client calls it like this:
然后客户端这样调用它:
MyWebService svc = new MyWebService();
svc.AuthenticationHeaderValue = new MyWebService.AuthenticationHeader();
svc.AuthenticationHeaderValue.UserName = UserID;
svc.AuthenticationHeaderValue.Password = Password;
bool result = svc.MyWebMethod();
回答by Moose
I'm going to add a fresh answer, because I think this may help:
我要添加一个新的答案,因为我认为这可能会有所帮助:
http://intellitect.com/calling-web-services-using-basic-authentication/
http://intellitect.com/calling-web-services-using-basic-authentication/
I won't duplicate it here, because I didn't do anything but google it.
我不会在这里复制它,因为我除了谷歌之外什么也没做。
回答by Jayesh Modha
Config:
配置:
<binding name="MyBinding" closeTimeout="00:00:30"
openTimeout="00:00:30" receiveTimeout="00:00:30" sendTimeout="00:00:30"
allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647"
textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"
messageEncoding="Text">
<readerQuotas maxDepth="32" maxStringContentLength="2147483647"
maxArrayLength="2147483647" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Basic" realm=""/>
</security>
</binding>
</basicHttpBinding>
While Consuming
消费时
proxy.ClientCredentials.UserName.UserName = userName;
proxy.ClientCredentials.UserName.Password = password;
This worked out just fine for me.
这对我来说很好。
